Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-11-2024 04:45

General

  • Target

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe

  • Size

    3.6MB

  • MD5

    33eeeb25f834e0b180f960ecb9518ea0

  • SHA1

    61f73e692e9549ad8bc9b965e25d2da683d56dc1

  • SHA256

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f

  • SHA512

    aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292

  • SSDEEP

    98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

Ransom Note
26=ELPACO-team
27=TIB;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;7z;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=
32=
33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe";
34=1
35=2
36=0
37=0
38=0
39=1
40=0
41=1
42=1
43=1
44=1
45=1
46=1
47=0
48=1
49=0
50=0
51=0
53=1
54=0
55=1
56=1
57=1
58=1
59=1
60=1
61=1
62=1
63=Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours)\nYour data is encrypted\nYour decryption ID is ID_PLACEHOLDER\nUnfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nIf you want to recover your files, write us\n1) eMail - [email protected]\n2) Telegram - @DataSupport911 or https://t.me/DataSupport911\n\nAttention!\n\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software - it may cause permanent data loss. \nWe are always ready to cooperate and find the best way to solve your problem. \nThe faster you write - the more favorable conditions will be for you. \nOur company values its reputation. We give all guarantees of your files decryption.
66=1
Emails
URLs

https://t.me/DataSupport911

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Mimic family
  • Clears Windows event logs 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
    "C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p7183204373585782 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
        "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1764
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl security
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:484
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.db

    Filesize

    9.2MB

    MD5

    a4486171c25c317b261f4467aeb11d5b

    SHA1

    4b09ec63f748896ee0f98bc8967a062d90596037

    SHA256

    06e8be80bc5eeaab1013a216aa483486541c877e9e0d87c4cbf8cddb8c9ad08f

    SHA512

    049a7211c2093e664c76aafb7e1ba0ae79ce9353a919c5dbb41f3e02a29bb800e7a93a2af6f7bb8151cad4fc8ddcedee5ee9317f5b114071e136bcaf1daefc90

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.ini

    Filesize

    20KB

    MD5

    7fb1936016f116a92098e7ae908d7183

    SHA1

    d8015feca59de5d9b681a91cb21113df29a97d6d

    SHA256

    1f718f8fa2e92d610b9cbe403d7b7c837e812f6a08c102000641432ab66cf415

    SHA512

    113af1b7e5bd337f7a1aaf3d08468ab652db441681fc99cb4565aeebc08eecb663ed01bf6d467ff18b94fb581428f8e2e8a37d3c073881ffc176ce347fad9193

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    6KB

    MD5

    fe070001eee27ba082f18db5e1770cf4

    SHA1

    9d19d53d2bda2a97b3c154c6cd637a26baadddac

    SHA256

    9748326df87d5774da920ab28a2205f0120bfc6568227323b6dccc236fb143ef

    SHA512

    d80277e1bac6c81402c794ced9c0d22792f4c961d392f022d6bc3dc9424672a99e9f970d6b5db53e183f87228151ae3c56e59f1a46e7da2e51e1aaadbe26a762

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    5KB

    MD5

    1b37dc212e98a04576aac40d7ce7d06a

    SHA1

    bb02a94617d4d355b1837f50bd50362f37b409a9

    SHA256

    d5ab2b261c3138070a70fa2feeb435162c40f7d0ba8a15f6ac6064d57b6a3545

    SHA512

    3b50f6c82b7e3cfc5bf85a9a26dccad9aab8aa9a2351676bd58c27b3461c0c219a0c0deed09664aa492ba86346bd56605beae0a4eab982afd289611b1ab76ac8

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\session.tmp

    Filesize

    32B

    MD5

    08e18e9b8dbd36564952f66318ba5841

    SHA1

    39268a7ffef57028b44f639a74b8177ea5b6d817

    SHA256

    45d39c81e09054598eef17f51bdefad90582c387b492e4fc0e44cd78ddabc1cb

    SHA512

    03f1c640bcefbbf92f16ca09b37e482042578d0a931f75061e41b101d7d78b3a88e19b1c27d71e2d27029535af6a0595747bbf00d4620e01fb2f7c0082fa366a

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

    Filesize

    300B

    MD5

    f31b4d075ad2f1027f66293e5d7d7be3

    SHA1

    5055a7122d9498830e17b017c3fca09a07da7f16

    SHA256

    83710f793fb3fce43cbb6658bb8a4e3d46a678addad385325d32b51526ce939d

    SHA512

    b3ecc61f7efc37850137e5b7c2bcbb1b313bed749aa197ab7dce2f4eded7f5a720e6bfb34bb1237410ec183e5378b8a6d5224b75f9eb211738c28664dad35be5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

    Filesize

    802KB

    MD5

    ac34ba84a5054cd701efad5dd14645c9

    SHA1

    dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

    SHA256

    c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

    SHA512

    df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe

    Filesize

    2.4MB

    MD5

    b951e50264f9c5244592dfb0a859ec41

    SHA1

    8af05099986d0b105d8e38f305efe9098a9fbda6

    SHA256

    e160d7d21c917344f010e58dcfc1e19bec6297c294647a06ce60efc7420d3b13

    SHA512

    ae9d85bad1ae0ed2b614fce1b7d3969483a1e39a50bc3aad3e5ba5c8fab56d4d38bf60b3e641c67ee6be29d88e3fbb73dfa39dd3c11a9a01aacdb7c269a7471d

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]

    Filesize

    2.4MB

    MD5

    0bf7c0d8e3e02a6b879efab5deab013c

    SHA1

    4f93d2cda84e669eeddcfeb2e2fa2319901059a1

    SHA256

    b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9

    SHA512

    313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

    Filesize

    1.7MB

    MD5

    c44487ce1827ce26ac4699432d15b42a

    SHA1

    8434080fad778057a50607364fee8b481f0feef8

    SHA256

    4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

    SHA512

    a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

    Filesize

    548B

    MD5

    742c2400f2de964d0cce4a8dabadd708

    SHA1

    c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

    SHA256

    2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

    SHA512

    63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

    Filesize

    550B

    MD5

    51014c0c06acdd80f9ae4469e7d30a9e

    SHA1

    204e6a57c44242fad874377851b13099dfe60176

    SHA256

    89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

    SHA512

    79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

    Filesize

    84KB

    MD5

    3b03324537327811bbbaff4aafa4d75b

    SHA1

    1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

    SHA256

    8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

    SHA512

    ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

    Filesize

    2.5MB

    MD5

    245fb739c4cb3c944c11ef43cddd8d57

    SHA1

    435fee4453ac3d3a14d422ac21400c32d792763c

    SHA256

    d180f63148fbbfcfd88aa7938ab88fcea3881402b6617f4f3e152427aeb6c59c

    SHA512

    ee45e53116508b385a9788ce9bfe7d119f4dbf1dd4f31fc940d0dab4ca91eb63c842868ae56782f0bdb807d26895344c6e8aa909c94ddcf2dfe3189d9e24c342

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini

    Filesize

    10B

    MD5

    26f59bb93f02d5a65538981bbc2da9cc

    SHA1

    5e99a311784301637638c02401925a89694f463d

    SHA256

    14f93a82d99cd2bf3da0aba73b162a7bb183eded695cffff47a05c1290d2a2fa

    SHA512

    e48f20a62bb2d5de686a7328a682a84821c83c8c4d836287adffbe464a8b4a0ba8ca728a35438c58f142686047b153c9c3f722c0431db620e3ef3479215b9016

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui35.exe

    Filesize

    276KB

    MD5

    03a63c096b9757439264b57e4fdf49d1

    SHA1

    a5007873ce19a398274aec9f61e1f90e9b45cc81

    SHA256

    22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46

    SHA512

    0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe

    Filesize

    276KB

    MD5

    57850a4490a6afd1ef682eb93ea45e65

    SHA1

    338d147711c56e8a1e75e64a075e5e2984aa0c05

    SHA256

    31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615

    SHA512

    15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

    Filesize

    350KB

    MD5

    803df907d936e08fbbd06020c411be93

    SHA1

    4aa4b498ae037a2b0479659374a5c3af5f6b8d97

    SHA256

    e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

    SHA512

    5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

    Filesize

    772KB

    MD5

    b93eb0a48c91a53bda6a1a074a4b431e

    SHA1

    ac693a14c697b1a8ee80318e260e817b8ee2aa86

    SHA256

    ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

    SHA512

    732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

  • memory/1452-95-0x00000000003D0000-0x00000000003D6000-memory.dmp

    Filesize

    24KB

  • memory/1452-94-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

  • memory/1452-93-0x00000000003C0000-0x00000000003C6000-memory.dmp

    Filesize

    24KB

  • memory/1452-92-0x0000000001330000-0x000000000137E000-memory.dmp

    Filesize

    312KB