General

  • Target

    279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe

  • Size

    2.5MB

  • Sample

    241114-cn99yasmaw

  • MD5

    6e5c33671c42d3c85f7b629a50ae7d9b

  • SHA1

    0bb791b555684804334bcf75a5013d9625b9edb6

  • SHA256

    279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9

  • SHA512

    015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7

  • SSDEEP

    49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note
I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : ax34gAmewQ_2ETBGj0bkvDBbNQnQ9wxffOIuhKwRRBQ*EncryptedDATA ONE When you contact us, share your contact number with us.
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note
I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : 7gd10gdVwbxVPw1p8Npn_ZHaOJNyVK2TGmFa7n5Of0E*EncryptedDATA ONE When you contact us, share your contact number with us.
URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Targets

    • Target

      279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe

    • Size

      2.5MB

    • MD5

      6e5c33671c42d3c85f7b629a50ae7d9b

    • SHA1

      0bb791b555684804334bcf75a5013d9625b9edb6

    • SHA256

      279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9

    • SHA512

      015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7

    • SSDEEP

      49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl

    • Detects Mimic ransomware

    • Mimic

      Ransomware family was first exploited in the wild in 2022.

    • Mimic family

    • Modifies security service

    • UAC bypass

    • Modifies boot configuration data using bcdedit

    • Renames multiple (159) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks