Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 08:52
Static task: static1
Behavioral task: behavioral1
  Sample: mimicransomware_enc_infected.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: mimicransomware_enc_infected.exe
  Resource: win10v2004-20240419-en
General
Target: mimicransomware_enc_infected.exe
Size: 2.4MB
MD5: 2a613d677cc3e2991dcd954e9413c40c
SHA1: 26f49090585d31dca8dde83106c0a851f00f2f18
SHA256: c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b
SHA512: b3edc9f56aa9c1f3685bb7e14d7dad27f23346bb1f21618acb3091c2031c1c5f48f77f375d97763b2da1b4658efd12a1147114bd65190b9f8c772d302d0f7a44
SSDEEP: 49152:I/oSNzCxuPz3v/EekOEQ5ZlC2WQcyDJFD6BaKAjB8eJMv+8KwXkZx+jau:I/oCCQv/EeJESlC2WbyDukrBDJMGXjG
Malware Config
Signatures
-
Detects Mimic ransomware (1 IoC)
resource | yara_rule
behavioral2/files/0x000a000000023b8e-6.dat | family_mimic
Mimic: ransomware family first observed in the wild in 2022.
-
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | encrypt.exe
Clears Windows event logs (1 TTP, 3 IoCs)
pid | Process
3480 | wevtutil.exe
4996 | wevtutil.exe
4080 | wevtutil.exe
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid | Process
3432 | bcdedit.exe
1660 | bcdedit.exe
Deletes System State backups (1 IoC)
pid | Process
3944 | wbadmin.exe
Deletes backup catalog (1 IoC)
pid | Process
2308 | wbadmin.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsDtSrvr.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocssd.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vxmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservrs.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oracle.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\node.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBIDPService.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\r.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseClient.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW32.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msftesql.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-nt.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbguard.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qbupdate.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlwriter.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer_Service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdhost.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW64.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlservr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsa_service.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbeng50.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlagent.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlmangr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServer.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineSettings.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqlmangr.exe | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isqlplussvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe" | encrypt.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | mimicransomware_enc_infected.exe
Executes dropped EXE (5 IoCs)
pid | Process
4612 | encrypt.exe
2144 | encrypt.exe
3376 | encrypt.exe
2372 | encrypt.exe
4676 | encrypt.exe
Loads dropped DLL (5 IoCs)
pid | Process
4612 | encrypt.exe
2144 | encrypt.exe
3376 | encrypt.exe
4676 | encrypt.exe
2372 | encrypt.exe
Modifies system executable filetype association (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt.exe = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\HACKLENDINIZ.txt\"" | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt = "\"C:\\Users\\Admin\\AppData\\Local\\encrypt\\encrypt.exe\" " | encrypt.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | encrypt.exe
File opened (read-only) | \??\N: | encrypt.exe
File opened (read-only) | \??\O: | encrypt.exe
File opened (read-only) | \??\S: | encrypt.exe
File opened (read-only) | \??\T: | encrypt.exe
File opened (read-only) | \??\V: | encrypt.exe
File opened (read-only) | \??\X: | encrypt.exe
File opened (read-only) | \??\E: | encrypt.exe
File opened (read-only) | \??\U: | encrypt.exe
File opened (read-only) | \??\W: | encrypt.exe
File opened (read-only) | \??\G: | encrypt.exe
File opened (read-only) | \??\K: | encrypt.exe
File opened (read-only) | \??\L: | encrypt.exe
File opened (read-only) | \??\Q: | encrypt.exe
File opened (read-only) | \??\R: | encrypt.exe
File opened (read-only) | \??\Z: | encrypt.exe
File opened (read-only) | \??\A: | encrypt.exe
File opened (read-only) | \??\B: | encrypt.exe
File opened (read-only) | \??\H: | encrypt.exe
File opened (read-only) | \??\I: | encrypt.exe
File opened (read-only) | \??\J: | encrypt.exe
File opened (read-only) | \??\P: | encrypt.exe
File opened (read-only) | \??\Y: | encrypt.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell | encrypt.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open | encrypt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | encrypt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | encrypt.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
4484 | notepad.exe
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | encrypt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | encrypt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | encrypt.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child nesting; each entry lists the image path, PID, command line and the signatures it triggered):
C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe (PID 1260)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mimicransomware_enc_infected.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\tempcrc\encrypt.exe (PID 4612)
      Command line: "C:\tempcrc\encrypt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\encrypt\encrypt.exe (PID 2144)
          Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe"
          - Modifies security service
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe (PID 3376)
              Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e watch -pid 2144 -!
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe (PID 4676)
              Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul1
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
            C:\Users\Admin\AppData\Local\encrypt\encrypt.exe (PID 2372)
              Command line: "C:\Users\Admin\AppData\Local\encrypt\encrypt.exe" -e ul2
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SYSTEM32\powercfg.exe (PID 2060)
              Command line: powercfg.exe -H off
            C:\Windows\SYSTEM32\powercfg.exe (PID 3632)
              Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 384)
              Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 3440)
              Command line: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 3160)
              Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 1684)
              Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 4880)
              Command line: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 4892)
              Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 3596)
              Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 3984)
              Command line: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 4984)
              Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 1144)
              Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 3492)
              Command line: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
            C:\Windows\SYSTEM32\powercfg.exe (PID 4972)
              Command line: powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
            C:\Windows\SYSTEM32\powercfg.exe (PID 3612)
              Command line: powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
            C:\Windows\SYSTEM32\bcdedit.exe (PID 1660)
              Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            C:\Windows\SYSTEM32\bcdedit.exe (PID 3432)
              Command line: bcdedit.exe /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
            C:\Windows\SYSTEM32\wbadmin.exe (PID 3944)
              Command line: wbadmin.exe DELETE SYSTEMSTATEBACKUP
              - Deletes System State backups
            C:\Windows\SYSTEM32\wbadmin.exe (PID 2308)
              Command line: wbadmin.exe delete catalog -quiet
              - Deletes backup catalog
            C:\Windows\SysWOW64\notepad.exe (PID 4484)
              Command line: notepad.exe "C:\Users\Admin\AppData\Local\HACKLENDINIZ.txt"
              - Opens file in notepad (likely ransom note)
            C:\Windows\SysWOW64\wevtutil.exe (PID 4080)
              Command line: wevtutil.exe cl security
              - Clears Windows event logs
            C:\Windows\SysWOW64\wevtutil.exe (PID 4996)
              Command line: wevtutil.exe cl system
              - Clears Windows event logs
            C:\Windows\SysWOW64\wevtutil.exe (PID 3480)
              Command line: wevtutil.exe cl application
              - Clears Windows event logs
C:\Windows\System32\Systray.exe (ten separate root instances: PIDs 1428, 5060, 2724, 3948, 528, 1760, 2832, 4248, 1744, 4756)
  Command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\wbengine.exe (PID 4948)
  Command line: "C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe (PID 4696)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 5112)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
C:\Windows\System32\Systray.exe (PID 3036)
  Command line: C:\Windows\System32\Systray.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads