General

  • Target

    241009-q53s3sxb3d_pw_infected.zip

  • Size

    2.5MB

  • Sample

    241010-lpmdyayemp

  • MD5

    05e1a946c58f8ed8ed2febc64e70c227

  • SHA1

    a589dc36206208d4ce81519e8681ff4fbbd71cd8

  • SHA256

    7f71461dac1a8e89a643fd4874268068332e98bc526936b9a7a4aa1a5d394778

  • SHA512

    9176a2411c8944039fe587da19e13f08eb4f394bac0b1c607b24ebcd58dfba06d614c67c8f968b798589e7ed8bd43edf60f689ec5bf53c24525487608f98347f

  • SSDEEP

    49152:QqkhdPgQ60QQQBHMj0XzD6WfSZ8qJwXtmxSHQt50/d4f:Qq8VTzQHBE0fddNExSi50/d4f

Malware Config

Targets

    • Target

      advanced_ip_scanner.exe

    • Size

      2.6MB

    • MD5

      85921539592aeaff3fbe0e104f344db0

    • SHA1

      2ca28c946d6632f70c70e555afa8d9a072039d79

    • SHA256

      ad640f32617bf57f7b4547fc686cc3e0a9875811ef6be1cb257a0607c391fdb8

    • SHA512

      76f07e5d36dabeb56ffc9301cc82c32a975f4e83ad5d165cc8631e1809675011eba85e3d542e8fd2b6b3ae3a9228f4ca5e7ff953fb1446559879c081aa94fbfb

    • SSDEEP

      49152:wgwR1ifu1DBgutBPNUF+zTR3HLHaY2UtKvu5vgmAbjNFAF5hcb:wgwR1vguPPocHHfcJbJFAe

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • Modifies security service

    • Modifies boot configuration data using bcdedit

    • Renames multiple (7567) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks