Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-04-2024 08:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
mimicransomware_enc_infected.exe
Resource
win7-20240221-en
windows7-x64
23 signatures
150 seconds
Behavioral task
behavioral2
Sample
mimicransomware_enc_infected.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
mimicransomware_enc_infected.exe
-
Size
2.4MB
-
MD5
2a613d677cc3e2991dcd954e9413c40c
-
SHA1
26f49090585d31dca8dde83106c0a851f00f2f18
-
SHA256
c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b
-
SHA512
b3edc9f56aa9c1f3685bb7e14d7dad27f23346bb1f21618acb3091c2031c1c5f48f77f375d97763b2da1b4658efd12a1147114bd65190b9f8c772d302d0f7a44
-
SSDEEP
49152:I/oSNzCxuPz3v/EekOEQ5ZlC2WQcyDJFD6BaKAjB8eJMv+8KwXkZx+jau:I/oCCQv/EeJESlC2WbyDukrBDJMGXjG
Score
10/10
Malware Config
Signatures
-
Detects Mimic ransomware 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016cf5-5.dat family_mimic -
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" encrypt.exe -
Clears Windows event logs 1 TTPs 3 IoCs
pid Process 2864 wevtutil.exe 3052 wevtutil.exe 1108 wevtutil.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 640 bcdedit.exe 596 bcdedit.exe -
pid Process 1404 wbadmin.exe -
pid Process 2320 wbadmin.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpython.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbirdconfig.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\r.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbguard.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgr.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_x64.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopqos.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_w32.exe encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" encrypt.exe -
Executes dropped EXE 5 IoCs
pid Process 2924 encrypt.exe 2616 encrypt.exe 2388 encrypt.exe 2684 encrypt.exe 2792 encrypt.exe -
Loads dropped DLL 9 IoCs
pid Process 1936 mimicransomware_enc_infected.exe 1936 mimicransomware_enc_infected.exe 1936 mimicransomware_enc_infected.exe 2924 encrypt.exe 2924 encrypt.exe 2616 encrypt.exe 2388 encrypt.exe 2684 encrypt.exe 2792 encrypt.exe -
Modifies system executable filetype association 2 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command encrypt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command encrypt.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" " encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" encrypt.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: encrypt.exe File opened (read-only) \??\E: encrypt.exe File opened (read-only) \??\O: encrypt.exe File opened (read-only) \??\R: encrypt.exe File opened (read-only) \??\X: encrypt.exe File opened (read-only) \??\K: encrypt.exe File opened (read-only) \??\L: encrypt.exe File opened (read-only) \??\M: encrypt.exe File opened (read-only) \??\T: encrypt.exe File opened (read-only) \??\A: encrypt.exe File opened (read-only) \??\G: encrypt.exe File opened (read-only) \??\H: encrypt.exe File opened (read-only) \??\I: encrypt.exe File opened (read-only) \??\V: encrypt.exe File opened (read-only) \??\W: encrypt.exe File opened (read-only) \??\Z: encrypt.exe File opened (read-only) \??\B: encrypt.exe File opened (read-only) \??\N: encrypt.exe File opened (read-only) \??\Q: encrypt.exe File opened (read-only) \??\J: encrypt.exe File opened (read-only) \??\P: encrypt.exe File opened (read-only) \??\S: encrypt.exe File opened (read-only) \??\U: encrypt.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell encrypt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command encrypt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile encrypt.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open encrypt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" encrypt.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2680 notepad.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 2388 encrypt.exe 2792 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe 2616 encrypt.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2924 encrypt.exe Token: SeSecurityPrivilege 2924 encrypt.exe Token: SeTakeOwnershipPrivilege 2924 encrypt.exe Token: SeLoadDriverPrivilege 2924 encrypt.exe Token: SeSystemProfilePrivilege 2924 encrypt.exe Token: SeSystemtimePrivilege 2924 encrypt.exe Token: SeProfSingleProcessPrivilege 2924 encrypt.exe Token: SeIncBasePriorityPrivilege 2924 encrypt.exe Token: SeCreatePagefilePrivilege 2924 encrypt.exe Token: SeBackupPrivilege 2924 encrypt.exe Token: SeRestorePrivilege 2924 encrypt.exe Token: SeShutdownPrivilege 2924 encrypt.exe Token: SeDebugPrivilege 2924 encrypt.exe Token: SeSystemEnvironmentPrivilege 2924 encrypt.exe Token: SeChangeNotifyPrivilege 2924 encrypt.exe Token: SeRemoteShutdownPrivilege 2924 encrypt.exe Token: SeUndockPrivilege 2924 encrypt.exe Token: SeManageVolumePrivilege 2924 encrypt.exe Token: SeImpersonatePrivilege 2924 encrypt.exe Token: SeCreateGlobalPrivilege 2924 encrypt.exe Token: 33 2924 encrypt.exe Token: 34 2924 encrypt.exe Token: 35 2924 encrypt.exe Token: SeIncreaseQuotaPrivilege 2616 encrypt.exe Token: SeSecurityPrivilege 2616 encrypt.exe Token: SeTakeOwnershipPrivilege 2616 encrypt.exe Token: SeLoadDriverPrivilege 2616 encrypt.exe Token: SeSystemProfilePrivilege 2616 encrypt.exe Token: SeSystemtimePrivilege 2616 encrypt.exe Token: SeProfSingleProcessPrivilege 2616 encrypt.exe Token: SeIncBasePriorityPrivilege 2616 encrypt.exe Token: SeCreatePagefilePrivilege 2616 encrypt.exe Token: SeBackupPrivilege 2616 encrypt.exe Token: SeRestorePrivilege 2616 encrypt.exe Token: SeShutdownPrivilege 2616 encrypt.exe Token: SeDebugPrivilege 2616 encrypt.exe Token: SeSystemEnvironmentPrivilege 2616 encrypt.exe Token: SeChangeNotifyPrivilege 2616 encrypt.exe Token: SeRemoteShutdownPrivilege 2616 encrypt.exe Token: SeUndockPrivilege 2616 encrypt.exe Token: SeManageVolumePrivilege 2616 encrypt.exe Token: SeImpersonatePrivilege 2616 encrypt.exe Token: SeCreateGlobalPrivilege 2616 encrypt.exe Token: 33 2616 encrypt.exe Token: 34 2616 encrypt.exe Token: 35 2616 encrypt.exe Token: SeIncreaseQuotaPrivilege 2388 encrypt.exe Token: SeSecurityPrivilege 2388 encrypt.exe Token: SeTakeOwnershipPrivilege 2388 encrypt.exe Token: SeLoadDriverPrivilege 2388 encrypt.exe Token: SeSystemProfilePrivilege 2388 encrypt.exe Token: SeSystemtimePrivilege 2388 encrypt.exe Token: SeIncreaseQuotaPrivilege 2684 encrypt.exe Token: SeSecurityPrivilege 2684 encrypt.exe Token: SeTakeOwnershipPrivilege 2684 encrypt.exe Token: SeLoadDriverPrivilege 2684 encrypt.exe Token: SeSystemProfilePrivilege 2684 encrypt.exe Token: SeSystemtimePrivilege 2684 encrypt.exe Token: SeProfSingleProcessPrivilege 2684 encrypt.exe Token: SeIncBasePriorityPrivilege 2684 encrypt.exe Token: SeCreatePagefilePrivilege 2684 encrypt.exe Token: SeBackupPrivilege 2684 encrypt.exe Token: SeRestorePrivilege 2684 encrypt.exe Token: SeShutdownPrivilege 2684 encrypt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1936 wrote to memory of 2924 1936 mimicransomware_enc_infected.exe 28 PID 1936 wrote to memory of 2924 1936 mimicransomware_enc_infected.exe 28 PID 1936 wrote to memory of 2924 1936 mimicransomware_enc_infected.exe 28 PID 1936 wrote to memory of 2924 1936 mimicransomware_enc_infected.exe 28 PID 2924 wrote to memory of 2616 2924 encrypt.exe 29 PID 2924 wrote to memory of 2616 2924 encrypt.exe 29 PID 2924 wrote to memory of 2616 2924 encrypt.exe 29 PID 2924 wrote to memory of 2616 2924 encrypt.exe 29 PID 2616 wrote to memory of 2684 2616 encrypt.exe 30 PID 2616 wrote to memory of 2684 2616 encrypt.exe 30 PID 2616 wrote to memory of 2684 2616 encrypt.exe 30 PID 2616 wrote to memory of 2684 2616 encrypt.exe 30 PID 2616 wrote to memory of 2388 2616 encrypt.exe 31 PID 2616 wrote to memory of 2388 2616 encrypt.exe 31 PID 2616 wrote to memory of 2388 2616 encrypt.exe 31 PID 2616 wrote to memory of 2388 2616 encrypt.exe 31 PID 2616 wrote to memory of 2792 2616 encrypt.exe 32 PID 2616 wrote to memory of 2792 2616 encrypt.exe 32 PID 2616 wrote to memory of 2792 2616 encrypt.exe 32 PID 2616 wrote to memory of 2792 2616 encrypt.exe 32 PID 2616 wrote to memory of 632 2616 encrypt.exe 33 PID 2616 wrote to memory of 632 2616 encrypt.exe 33 PID 2616 wrote to memory of 632 2616 encrypt.exe 33 PID 2616 wrote to memory of 632 2616 encrypt.exe 33 PID 2616 wrote to memory of 2108 2616 encrypt.exe 34 PID 2616 wrote to memory of 2108 2616 encrypt.exe 34 PID 2616 wrote to memory of 2108 2616 encrypt.exe 34 PID 2616 wrote to memory of 2108 2616 encrypt.exe 34 PID 2616 wrote to memory of 1252 2616 encrypt.exe 35 PID 2616 wrote to memory of 1252 2616 encrypt.exe 35 PID 2616 wrote to memory of 1252 2616 encrypt.exe 35 PID 2616 wrote to memory of 1252 2616 encrypt.exe 35 PID 2616 wrote to memory of 1368 2616 encrypt.exe 36 PID 2616 wrote to memory of 1368 2616 encrypt.exe 36 PID 2616 wrote to memory of 1368 2616 encrypt.exe 36 PID 2616 wrote to memory of 1368 2616 encrypt.exe 36 PID 2616 wrote to memory of 1664 2616 encrypt.exe 37 PID 2616 wrote to memory of 1664 2616 encrypt.exe 37 PID 2616 wrote to memory of 1664 2616 encrypt.exe 37 PID 2616 wrote to memory of 1664 2616 encrypt.exe 37 PID 2616 wrote to memory of 1248 2616 encrypt.exe 38 PID 2616 wrote to memory of 1248 2616 encrypt.exe 38 PID 2616 wrote to memory of 1248 2616 encrypt.exe 38 PID 2616 wrote to memory of 1248 2616 encrypt.exe 38 PID 2616 wrote to memory of 1240 2616 encrypt.exe 39 PID 2616 wrote to memory of 1240 2616 encrypt.exe 39 PID 2616 wrote to memory of 1240 2616 encrypt.exe 39 PID 2616 wrote to memory of 1240 2616 encrypt.exe 39 PID 2616 wrote to memory of 2432 2616 encrypt.exe 40 PID 2616 wrote to memory of 2432 2616 encrypt.exe 40 PID 2616 wrote to memory of 2432 2616 encrypt.exe 40 PID 2616 wrote to memory of 2432 2616 encrypt.exe 40 PID 2616 wrote to memory of 2592 2616 encrypt.exe 41 PID 2616 wrote to memory of 2592 2616 encrypt.exe 41 PID 2616 wrote to memory of 2592 2616 encrypt.exe 41 PID 2616 wrote to memory of 2592 2616 encrypt.exe 41 PID 2616 wrote to memory of 2608 2616 encrypt.exe 42 PID 2616 wrote to memory of 2608 2616 encrypt.exe 42 PID 2616 wrote to memory of 2608 2616 encrypt.exe 42 PID 2616 wrote to memory of 2608 2616 encrypt.exe 42 PID 2616 wrote to memory of 2660 2616 encrypt.exe 43 PID 2616 wrote to memory of 2660 2616 encrypt.exe 43 PID 2616 wrote to memory of 2660 2616 encrypt.exe 43 PID 2616 wrote to memory of 2660 2616 encrypt.exe 43 -
System policy modification 1 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer encrypt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System encrypt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" encrypt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection encrypt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" encrypt.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe"C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\tempcrc\encrypt.exe"C:\tempcrc\encrypt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"3⤵
- Modifies security service
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616 -
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 2616 -!4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2792
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -H off4⤵PID:632
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:2108
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:1252
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:1368
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:1664
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:1248
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:1240
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:2432
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:2592
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:2608
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 04⤵PID:2660
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 04⤵PID:1232
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 04⤵PID:2672
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c4⤵PID:2148
-
-
C:\Windows\system32\powercfg.exepowercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb614⤵PID:112
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:640
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:596
-
-
C:\Windows\system32\wbadmin.exewbadmin.exe DELETE SYSTEMSTATEBACKUP4⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1404
-
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet4⤵
- Deletes backup catalog
PID:2320
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"4⤵
- Opens file in notepad (likely ransom note)
PID:2680
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security4⤵
- Clears Windows event logs
PID:1108
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system4⤵
- Clears Windows event logs
PID:2864
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application4⤵
- Clears Windows event logs
PID:3052
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:860
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:2716
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2004
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD559286c73a9a08cec30b5de12872c5770
SHA1209b358c5ad3fb82be959570b5410b40f584c579
SHA2567077eae8b4501535eb30d6b75bac239fd14106f27e2229bd1742f8cb2616242b
SHA512404065c0d431993c2cb2fdacbe07196698cf181967fd08da03ca2c4b0f25b9f5adc58d5228a45763d43c05d20ddbc8509ca7ef8a06703e50a593de4015c1b269
-
Filesize
32B
MD52a336fd6b20edf1cd20a13535edcbd38
SHA1acf7086749e77eb3e396a6868078b9d2b4514761
SHA2569b649f742a9442640f7c874c39b0651aef25abc16583a34fa5489f103691ea05
SHA51282e77a3eda6ebe844019564c356752b3d7424b91118d9ffa015dc9699041d2958bae8d77976317e03ed4630eb7abfc3df4e5f5ca82c233a773b7b298485cf5a2
-
Filesize
84KB
MD53b03324537327811bbbaff4aafa4d75b
SHA11218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA2568cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize
3.0MB
MD5a48ee000e248741247c24dc70fa2f936
SHA14c814fe7c94e6fb4d1d89cdae7e6e83905c459d7
SHA256bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c
SHA5128bdd60732bf105b9ade5d4dbc5c722a866119e0a284692afc1bd5b530a4afc3954536a14946a87f72213c92020def2ac7b5c1cbcc51b6e0ad5671b7c58543f34