Resubmissions

18-08-2024 08:26

240818-kbzlnsxfnm 10

18-08-2024 08:17

240818-j6x6navale 10

General

  • Target

    malware.zip

  • Size

    19.0MB

  • Sample

    240818-kbzlnsxfnm

  • MD5

    dbe043570af9fefa680af63700077184

  • SHA1

    115e824543c9281399d9670a583ff4b1dde422ef

  • SHA256

    ec0f02edde4086d5f3dad2cd8fe33bbea9d68245f0d75affe2135ae0270a4543

  • SHA512

    1a6b44da4b0cd14c7d482d3e4e717b3ea4a908841ec318bb2a56e8afcf659f2bd5ffba187974de62de07c590a8e55a813493577ce87e826efa52ac9a80a9bc6a

  • SSDEEP

    393216:Fdlmao1Hn7SIRferH0dUmWCb9R8Vi0od6mwLb7Be4H1Cu1m72WEyU6h1+DzXUwCk:XS7SafbUmWCbjQmwLb7Be4H1J1m72WER

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Datadecrypt.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server
What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_
Your personal ID: I9AcnWikolOyFit53rbLApU4ddhB1Sc2j8PpuTtQCQQ*Jami_decryptionguy
If you want to recover your files, write us
1)Jami messenger (Fastest and anonymous) https://jami.net/
Also you can find it on your phone at google play/app store
Install it on your server,phone or tablet
Press sign up and do your own nickname
And add me/write message - Decryptionguy (use search)
2) TOX messenger (fast and anonymous) https://tox.chat/download.html
Install qtox
Press sign up
Create your own name
Press plus
Put there our tox ID: E9164A982410EFAEBC451C1D5629A2CBB75DBB6BCDBD6D2BA94F4D0A7B0B616F911496E469FB
And add me/write message
3)Mail - [email protected] (USE ONLY IF WE NOT REPLY MORE THEN 24H)
Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly.
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
URLs

https://jami.net/

https://tox.chat/download.html

Targets

    • Target

      malware.zip

    • Size

      19.0MB

    • MD5

      dbe043570af9fefa680af63700077184

    • SHA1

      115e824543c9281399d9670a583ff4b1dde422ef

    • SHA256

      ec0f02edde4086d5f3dad2cd8fe33bbea9d68245f0d75affe2135ae0270a4543

    • SHA512

      1a6b44da4b0cd14c7d482d3e4e717b3ea4a908841ec318bb2a56e8afcf659f2bd5ffba187974de62de07c590a8e55a813493577ce87e826efa52ac9a80a9bc6a

    • SSDEEP

      393216:Fdlmao1Hn7SIRferH0dUmWCb9R8Vi0od6mwLb7Be4H1Cu1m72WEyU6h1+DzXUwCk:XS7SafbUmWCbjQmwLb7Be4H1J1m72WER

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

MITRE ATT&CK Enterprise v15

Tasks