Analysis
-
max time kernel
97s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
15-05-2024 19:42
General
-
Target
worm.exe
-
Size
3.7MB
-
MD5
d3b46fbcaac57a146657238ba2b24008
-
SHA1
257acef818f0e80e68db8767b37633d0f12542a7
-
SHA256
73f648f258b8863530f285747a09cdf4909198211ffc6c2df68bf0635160c983
-
SHA512
a61834f7c00ff22eba698aa98c5cf0346e8c6cacce74be13fd4c1dbada5d4e1831261a79724c37f1e85a0c3981d4b2019ec89994af2f23080139f907a165769e
-
SSDEEP
98304:6gwRBDvguPPOPwrHIRwFHO92037ngXAjpDsbs9KMOz:6gMDvFHG92Y5jpYbvMG
Malware Config
Extracted
C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\global_options.ini
[email protected]\nOur
https://t.me/DataSupport911\nCheck
Signatures
-
Detects Mimic ransomware 2 IoCs
-
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies system executable filetype association 2 TTPs 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\worm.exe"C:\Users\Admin\AppData\Local\Temp\worm.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p1226110605697417788 Everything64.dll2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\worm.exe"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\worm.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\HORSE.exe"C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\HORSE.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\gui40.exeC:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\gui40.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\Everything.exe"C:\Users\Admin\AppData\Local\011A427C-D9A5-B6EA-EAF5-8C674D0F8EDC\Everything.exe" -startup4⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD50a082e43f11cb3c5fca007d78877f3a5
SHA16fd4063f018a38fa17419783817842e9a82c17ec
SHA256fe597db77e0fc66e966a48c1a72190878d8d8c379efd8c701b449085eec06a2a
SHA5129da8075436f80f191b11d27aad182f9b6201ef6c7a48efb0fdc8c264d5fcca40373b2db5e2f2063df859cfda1dc1dfcd5349f41df3b38d366f7a53da4ae6b7eb
-
Filesize
14KB
MD58b1e7d908f21390cc40a359b84af950a
SHA15cf0465a5c3b7a554c89a70a1e2fc593600e45e3
SHA2564a25903dcda983521f3795b184a307394d208a5bdb8b9ab8d01bc07321511d24
SHA512df79cda2106e4e62a6c203e8bb6191b2afbd91ae1c687a92adc80df0a0ecc2e8860843f9acf42d117387184d3edb6cbee5b1cc385f9a58a3ae523fd0a9d43e7b
-
Filesize
180B
MD5b5a4331feddc6e2c04c9f474fc495dc0
SHA17fc63d53cfc4fe0f37ff7fc86fb048fdeb435c28
SHA256f2cd91cd439f81ac6d3fd996987cb804da8968aa73d4a48497ed920af566ebd3
SHA512535922ffe9dde4ffd950f7141ece3bf0f301d8236269b2d0618ac00738b8116a3e046b02a3d7a63e47a22f3878a97b5cf566045e2f8f7de4dd2bebd9438fd96f
-
Filesize
772KB
MD5b93eb0a48c91a53bda6a1a074a4b431e
SHA1ac693a14c697b1a8ee80318e260e817b8ee2aa86
SHA256ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142
SHA512732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5
-
Filesize
802KB
MD5ac34ba84a5054cd701efad5dd14645c9
SHA1dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
SHA256c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
SHA512df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a
-
Filesize
2.4MB
MD50bf7c0d8e3e02a6b879efab5deab013c
SHA14f93d2cda84e669eeddcfeb2e2fa2319901059a1
SHA256b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9
SHA512313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f
-
Filesize
1.7MB
MD5c44487ce1827ce26ac4699432d15b42a
SHA18434080fad778057a50607364fee8b481f0feef8
SHA2564c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
SHA512a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808
-
Filesize
548B
MD5742c2400f2de964d0cce4a8dabadd708
SHA1c452d8d4c3a82af4bc57ca8a76e4407aaf90deca
SHA2562fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01
SHA51263a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4
-
Filesize
550B
MD551014c0c06acdd80f9ae4469e7d30a9e
SHA1204e6a57c44242fad874377851b13099dfe60176
SHA25689ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5
SHA51279b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c
-
Filesize
84KB
MD53b03324537327811bbbaff4aafa4d75b
SHA11218bd8165a2e0ec56a88b5a8bb4b27e52b564e7
SHA2568cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880
SHA512ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62
-
Filesize
2.5MB
MD533d24c17bf1b9217ed2118e2a5311b1e
SHA1fd3bfc858b35f987a32ad7b31927153145e72c9c
SHA256e22cca265ff8b89d898e9c3986291599c37e89f8358833e7f268638bc982c272
SHA512b92587931dcbb6a6e50b87fab8dbbf0d09c6744ed0a412b3d62fbebd7b5fe5eb56e48b001ef7ea917be43a98c53674cf72b9481c5707ed54887da6cfc7260e0c
-
Filesize
10B
MD526f59bb93f02d5a65538981bbc2da9cc
SHA15e99a311784301637638c02401925a89694f463d
SHA25614f93a82d99cd2bf3da0aba73b162a7bb183eded695cffff47a05c1290d2a2fa
SHA512e48f20a62bb2d5de686a7328a682a84821c83c8c4d836287adffbe464a8b4a0ba8ca728a35438c58f142686047b153c9c3f722c0431db620e3ef3479215b9016
-
Filesize
276KB
MD503a63c096b9757439264b57e4fdf49d1
SHA1a5007873ce19a398274aec9f61e1f90e9b45cc81
SHA25622ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46
SHA5120d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd
-
Filesize
276KB
MD557850a4490a6afd1ef682eb93ea45e65
SHA1338d147711c56e8a1e75e64a075e5e2984aa0c05
SHA25631feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615
SHA51215cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8
-
Filesize
2.4MB
MD531cd2c757984f252002b8a24901a08f6
SHA1be6f27c9ac51390ab9c91b59dc87f272267e44e3
SHA2566665c2067ba4cfd451f15fc77d13d32a5d4132e2cf70d08398e93ebd6b83f07a
SHA51240484d7c538b8caa135b0fb9ce5c713af60a0ea4c7fbc09165c1dcb334ea5edc02ae4b655e657d4308fc0e68875ca49b1f947fbec8ec843ade820e88aa2b4727
-
Filesize
350KB
MD5803df907d936e08fbbd06020c411be93
SHA14aa4b498ae037a2b0479659374a5c3af5f6b8d97
SHA256e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c
SHA5125b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532
-
Filesize
24KB
-
Filesize
336KB
-
Filesize
24KB
-
Filesize
312KB