General
-
Target
a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
-
Size
23.2MB
-
Sample
240430-b4rbbshb9t
-
MD5
aabdecc74290221f555bc6400ceef5c6
-
SHA1
6bf8559dfd409bee873f4e147f31ce313d23f2bc
-
SHA256
a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd
-
SHA512
880d741faf049b9276c4ab10e6e3a0817ef28cb05f0e00fa3edf814ebf545d3d316dfac022fcff4b8fee9f95e18542e2cf7e89f02702e30409409f40a5fb6bbe
-
SSDEEP
393216:+/NvciCzO7XohRMU0K611YKvcg7dSVqMXDVZm/3hL1/VYs0tvj1Q3QJrSZ0aP54d:+1ciC6ohRMPK6gKzRctVZmf//VYRtvjR
Malware Config
Targets
-
-
Target
a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd.exe
-
Size
23.2MB
-
MD5
aabdecc74290221f555bc6400ceef5c6
-
SHA1
6bf8559dfd409bee873f4e147f31ce313d23f2bc
-
SHA256
a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd
-
SHA512
880d741faf049b9276c4ab10e6e3a0817ef28cb05f0e00fa3edf814ebf545d3d316dfac022fcff4b8fee9f95e18542e2cf7e89f02702e30409409f40a5fb6bbe
-
SSDEEP
393216:+/NvciCzO7XohRMU0K611YKvcg7dSVqMXDVZm/3hL1/VYs0tvj1Q3QJrSZ0aP54d:+1ciC6ohRMPK6gKzRctVZmf//VYRtvjR
Score10/10-
Detects Mimic ransomware
-
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Modifies security service
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Detects command variations typically used by ransomware
-
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware
-
Detects executables containing commands for clearing Windows Event Logs
-
Modifies boot configuration data using bcdedit
-
Renames multiple (6742) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1