General
-
Target
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca.exe
-
Size
2.6MB
-
Sample
240523-bg1w9afh3v
-
MD5
88d00427a014f1fdb88383a6a8ab97a5
-
SHA1
d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27
-
SHA256
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
-
SHA512
764319cdf3423a0c38f9050694bd936f2081d1ae34580aa055171ac84ae4b77d488422a68a5e607d2df6ba2627835990fba93a8a405d29cd88c1cde828ce3531
-
SSDEEP
49152:wgwR0ifu1DBgutBPNw6m+sqFrDCcTeL7dzXVeH0Bl1nzBJ6GDaJP:wgwR0vguPPK6GkDC7hv1zeP
Malware Config
Targets
-
-
Target
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca.exe
-
Size
2.6MB
-
MD5
88d00427a014f1fdb88383a6a8ab97a5
-
SHA1
d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27
-
SHA256
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
-
SHA512
764319cdf3423a0c38f9050694bd936f2081d1ae34580aa055171ac84ae4b77d488422a68a5e607d2df6ba2627835990fba93a8a405d29cd88c1cde828ce3531
-
SSDEEP
49152:wgwR0ifu1DBgutBPNw6m+sqFrDCcTeL7dzXVeH0Bl1nzBJ6GDaJP:wgwR0vguPPK6GkDC7hv1zeP
Score10/10-
Detects Mimic ransomware
-
Mimic
Ransomware family was first exploited in the wild in 2022.
-
Modifies security service
-
UAC bypass
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Detects command variations typically used by ransomware
-
Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware
-
Detects executables containing commands for clearing Windows Event Logs
-
Modifies boot configuration data using bcdedit
-
Renames multiple (6288) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
Uses wbadmin.exe to inhibit system recovery.
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
1File Deletion
1