Overview

overview

10

Static

static

3

advanced_i...er.exe

windows7-x64

10

advanced_i...er.exe

windows10-2004-x64

10

Resubmissions

16-10-2024 22:56

241016-2wvlws1ekm 10

10-10-2024 09:23

241010-lcmh6ssgnc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    241009-q53s3sxb3d_pw_infected.zip

  • Size

    2.5MB

  • Sample

    241010-lcmh6ssgnc

  • MD5

    05e1a946c58f8ed8ed2febc64e70c227

  • SHA1

    a589dc36206208d4ce81519e8681ff4fbbd71cd8

  • SHA256

    7f71461dac1a8e89a643fd4874268068332e98bc526936b9a7a4aa1a5d394778

  • SHA512

    9176a2411c8944039fe587da19e13f08eb4f394bac0b1c607b24ebcd58dfba06d614c67c8f968b798589e7ed8bd43edf60f689ec5bf53c24525487608f98347f

  • SSDEEP

    49152:QqkhdPgQ60QQQBHMj0XzD6WfSZ8qJwXtmxSHQt50/d4f:Qq8VTzQHBE0fddNExSi50/d4f

Score
10/10
mimicdiscoveryevasionexecutionpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      advanced_ip_scanner.exe

    • Size

      2.6MB

    • MD5

      85921539592aeaff3fbe0e104f344db0

    • SHA1

      2ca28c946d6632f70c70e555afa8d9a072039d79

    • SHA256

      ad640f32617bf57f7b4547fc686cc3e0a9875811ef6be1cb257a0607c391fdb8

    • SHA512

      76f07e5d36dabeb56ffc9301cc82c32a975f4e83ad5d165cc8631e1809675011eba85e3d542e8fd2b6b3ae3a9228f4ca5e7ff953fb1446559879c081aa94fbfb

    • SSDEEP

      49152:wgwR1ifu1DBgutBPNUF+zTR3HLHaY2UtKvu5vgmAbjNFAF5hcb:wgwR1vguPPocHHfcJbJFAe

    Score
    10/10
    mimicdiscoveryevasionexecutionpersistenceransomwaretrojan

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

      ransomwaremimic

    • Modifies security service

      evasion

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (9177) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Power Settings

1
T1653

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks