mimic

General

Target

mimic.exe
Size

2.5MB
Sample

241113-qph4qsskbs
MD5

6e5c33671c42d3c85f7b629a50ae7d9b
SHA1

0bb791b555684804334bcf75a5013d9625b9edb6
SHA256

279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9
SHA512

015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7
SSDEEP

49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note

I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : waXdZsM0IV2hyptEewgc8TbdZM67aBLIYLwrxLwkcXA*EncryptedDATA ONE When you contact us, share your contact number with us.

Emails

[email protected]

URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note

I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : DqLx5ShfxKDM0kdePE9zd89T2OuKYMsM700PVpJps00*EncryptedDATA ONE When you contact us, share your contact number with us.

Emails

[email protected]

URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Targets

- Target
  
  mimic.exe
- Size
  
  2.5MB
- MD5
  
  6e5c33671c42d3c85f7b629a50ae7d9b
- SHA1
  
  0bb791b555684804334bcf75a5013d9625b9edb6
- SHA256
  
  279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9
- SHA512
  
  015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7
- SSDEEP
  
  49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl
Score

10^/10

mimic discovery evasion execution persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Mimic family
  mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (170) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral1 behavioral2