General

  • Target

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe

  • Size

    2.6MB

  • Sample

    241018-bnpgssxfpe

  • MD5

    cf50063a3105d27ba3063575bdf494d6

  • SHA1

    d466e9fb8302c07973e9835b252359fe63e0c999

  • SHA256

    1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9

  • SHA512

    67531b0de8623942929af87f19d10e9945ff599ff04b355643587be7ceac01f6f6273430c70a8e4308a9daee97250334a66e6e52a3ef9c3fda272bdf024eaef9

  • SSDEEP

    49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\README.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: wZC8QBmZDdoNKy1wcvrKnNRp1n0dtw7uXBp98WY8blM*datastore@cyberfear.com-wZC8QBmZDdoNKy1wcvrKnNRp1n0dtw7uXBp98WY8blM

If you want to recover your files, write us to our mail
1)[email protected]
And add me/write message - Decryptionguy (use search)
2)[email protected]

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
Emails

wZC8QBmZDdoNKy1wcvrKnNRp1n0dtw7uXBp98WY8blM*datastore@cyberfear.com-wZC8QBmZDdoNKy1wcvrKnNRp1n0dtw7uXBp98WY8blM

1)[email protected]

2)[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\README.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA4096
More information about the encryption keys using RSA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA4096 Key , both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So , there are two ways you can choose: wait for a _miracle_ and get _your_ PRICE DOUBLED! Or start obtaining *BITCOIN NOW! , and restore _YOUR_ _DATA_ easy way
If You have really valuable _DATA_, you better _NOT_ _WASTE_ _YOUR_ _TIME_, because there is _NO_ other way to get your files, except make a _PAYMENT_

Your personal ID: BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8*[email protected]_p_5lIwV4QXk8

If you want to recover your files, write us to our mail
1)[email protected]
And add me/write message - Decryptionguy (use search)
2)[email protected]

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software - it may cause permanent data loss.
We are always ready to cooperate and find the best way to solve your problem.
The faster you write - the more favorable conditions will be for you.
Our company values its reputation. We give all guarantees of your files decryption.
--------------------------------------------------------------------------------------------------------------------------------------------
Emails

BJYEtQkbFYvJYLGOcb79-CP28IJcRi_p_5lIwV4QXk8*[email protected]_p_5lIwV4QXk8

1)[email protected]

2)[email protected]

Targets

    • Target

      1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9.exe

    • Size

      2.6MB

    • MD5

      cf50063a3105d27ba3063575bdf494d6

    • SHA1

      d466e9fb8302c07973e9835b252359fe63e0c999

    • SHA256

      1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9

    • SHA512

      67531b0de8623942929af87f19d10e9945ff599ff04b355643587be7ceac01f6f6273430c70a8e4308a9daee97250334a66e6e52a3ef9c3fda272bdf024eaef9

    • SSDEEP

      49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh

    • Detects Mimic ransomware

    • Mimic

      Ransomware family first observed in the wild in 2022.

    • Modifies security service

    • Modifies boot configuration data using bcdedit

    • Renames multiple (9133) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15