General

  • Target

    4.7z

  • Size

    4.0MB

  • Sample

    241030-x9klmazgjq

  • MD5

    dfda7f6db6e19993c685dcb5a69f72bf

  • SHA1

    fa424edb2ed8c94c79f9f54c6329f8b5c1e6bfaf

  • SHA256

    11ca7dde1ceb9acfcb147f100deb4654f2586f1f2af2727e8c40be8f9ca794d9

  • SHA512

    7c666e0c32c94b40eb4804e35fc70395137ac39357af46dcb03b32fa6806d12dd321d897effea97c6fa17d7d6e8bda1acf69eca41eff3950d066ef0b2a77528d

  • SSDEEP

    98304:VuQW6/ukf3zzcLP3ElVmNiyZav0ZYTJfWimxfIyeLrEO84Gm+awwp:VtWOfXcsqiyZel+dhgEO8Rawwp

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note
Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected] [email protected] [email protected]
Emails

dSrpj5gFWMP-ll0U7Vt6Joc3PAlyDzpjngpVXxmV0UA*[email protected]

[email protected]

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\IMPORTANT_NOTICE.txt

Ransom Note
Greetings, There was a serious security breach in your systems and this was detected during our scans. We encrypt your data that you see important in your system by processing twice. As encryption is done as SHA256 and AES256, we would like to remind you that you can not restore your data with known data recovery methods. If you want to use data recovery companies or programs on your side, please do not worry about your actual files, process and / or make copies of them. Corruption of the original files may cause irretrievable damage to your data. If you wish, you can contact us via the following communication to resolve this issue. YOUR REFERENCE CODE IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected] [email protected] [email protected]
Emails

IR4beVNncsM8-Z9mwBnn79YzSumzz2csRQ_Nn7Z80ns*[email protected]

[email protected]

[email protected]

Targets

    • Target

      1.exe

    • Size

      2.5MB

    • MD5

      b6871cef458a765d51e3b0a1ae324e60

    • SHA1

      b62dda6efcc41ef4fdf6b3990b64ff54f08f2e56

    • SHA256

      a5182257daef1abde3a971ed1c3d9c3bee6d74fa3d4b0bcb379e5a9dd57340ea

    • SHA512

      b11376ecfba8c3b03afc03ac001619769b6e3284518b199413b0f0403a7e71a977337a11d2c5afd0f023141bf609df22b8a7dd3f91f7c198aba91387c4e76d7f

    • SSDEEP

      49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiM:QgwRqvguPPCbSzris8LfBWBPp

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

    • Mimic family

    • Modifies security service

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (5803) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Target

      2.exe

    • Size

      2.5MB

    • MD5

      b4448ceddd85ec0f061f53ab1a977b5e

    • SHA1

      96c63c3c423e4b1117e0c82e5796dcd5f1c0d683

    • SHA256

      d7c50dce5f77ae0f144843e8eaf3e29034e14f6ac9293f0dbdf59fd2fc257452

    • SHA512

      29f1c8f4d1e551e31d453c455bddb1e9fe8d74bca35338757ab9d3b31110c460b69ed06d5b452376b57afa4a82f5d4b2cdab7dfa8e636cb800d0a3fcded4b1f3

    • SSDEEP

      49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7P:QgwR+vguPP/7NzRMwulF8L/hpe3YI

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

    • Mimic family

    • Modifies security service

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (3385) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Target

      3.exe

    • Size

      2.5MB

    • MD5

      937e0ce2cea3458236b6048250f341da

    • SHA1

      9f28ec0fbc4254eab70799d62ae297df1bf5e0c7

    • SHA256

      50080976f722a7c65fedbf8ce187521117714e1728ddbaf1153fbca950bee0fb

    • SHA512

      afbcf1201bc438f8f572879d67241421d1234f1dd622b9c783d93f800749290a82e7ad53c5127eacef71bf8bdb02056e62b9d0352a9ef636120aa00d60cf0759

    • SSDEEP

      49152:QgwRqifu1DBgutBPNeSGIB10SvOGbRrPas8L5pBWBm7dziiv:QgwRqvguPPCbSzris8LfBWBPK

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

    • Mimic family

    • Modifies security service

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (5778) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Target

      4.exe

    • Size

      2.5MB

    • MD5

      079610302f0c449bb454fbd348326fa3

    • SHA1

      35355d776ed07c193243e6eb24d45718a021b835

    • SHA256

      e4249546f902dfcf2a13540b5e843f33e622937d89b081b9959257642bc9e661

    • SHA512

      d9b0bf9bae684a18ced71feaa1ae6019eeab2f7af7008b5f040b730ef44d80e1e6d6b4aed03d75129e9f044b0a8e37bbc7861f4352052888e1836c443d5064e2

    • SSDEEP

      49152:QgwR+ifu1DBgutBPN2q1dNnzbpz7Mwulf+qV8L77hpe3D04dtaa7X:QgwR+vguPP/7NzRMwulF8L/hpe3YM

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

    • Mimic family

    • Modifies security service

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (3360) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks