General

  • Target

    1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca.exe

  • Size

    2.6MB

  • Sample

    240523-bg1w9afh3v

  • MD5

    88d00427a014f1fdb88383a6a8ab97a5

  • SHA1

    d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27

  • SHA256

    1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca

  • SHA512

    764319cdf3423a0c38f9050694bd936f2081d1ae34580aa055171ac84ae4b77d488422a68a5e607d2df6ba2627835990fba93a8a405d29cd88c1cde828ce3531

  • SSDEEP

    49152:wgwR0ifu1DBgutBPNw6m+sqFrDCcTeL7dzXVeH0Bl1nzBJ6GDaJP:wgwR0vguPPK6GkDC7hv1zeP

Malware Config

Targets

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • Modifies security service

    • UAC bypass

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects command variations typically used by ransomware

    • Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

    • Detects executables containing commands for clearing Windows Event Logs

    • Modifies boot configuration data using bcdedit

    • Renames multiple (6288) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks
