Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-11-2024 09:30

General

  • Target

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe

  • Size

    3.6MB

  • MD5

    33eeeb25f834e0b180f960ecb9518ea0

  • SHA1

    61f73e692e9549ad8bc9b965e25d2da683d56dc1

  • SHA256

    9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f

  • SHA512

    aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292

  • SSDEEP

    98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

Ransom Note
26=ELPACO-team
27=TIB;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;7z;
28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp;
29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\;
30=desktop.ini;iconcache.db;thumbs.db;
31=
32=
33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe";
34=1 35=2 36=0 37=0 38=0 39=1 40=0 41=1 42=1 43=1 44=1 45=1 46=1 47=0 48=1 49=0 50=0 51=0 53=1 54=0 55=1 56=1 57=1 58=1 59=1 60=1 61=1 62=1
63=Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours)
    Your data is encrypted
    Your decryption ID is ID_PLACEHOLDER
    Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    If you want to recover your files, write us
    1) eMail - [email protected]
    2) Telegram - @DataSupport911 or https://t.me/DataSupport911

    Attention!

    Do not rename encrypted files.
    Do not try to decrypt your data using third party software - it may cause permanent data loss.
    We are always ready to cooperate and find the best way to solve your problem.
    The faster you write - the more favorable conditions will be for you.
    Our company values its reputation. We give all guarantees of your files decryption.
66=1
Emails
URLs

https://t.me/DataSupport911

Signatures

  • Detects Mimic ransomware 2 IoCs
  • Mimic

    Ransomware family first observed in the wild in 2022.

  • Mimic family
  • Clears Windows event logs 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe
    "C:\Users\Admin\AppData\Local\Temp\9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p7183204373585782 Everything64.dll
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe
        "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system executable filetype association
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3812
        • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe
          "C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.exe" -startup
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1760
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl security
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3764
        • C:\Windows\SysWOW64\wevtutil.exe
          wevtutil.exe cl system
          4⤵
          • Clears Windows event logs
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.db

    Filesize

    13.2MB

    MD5

    fc317f634b9112235be8331b8f8832cd

    SHA1

    fa5202d85131713bea7a9dc2e9e370c5a621eddd

    SHA256

    1e6ca07e88a3e10dd04a50b1b7bcd49bd7e87d73051ddd75eae3378672733efa

    SHA512

    1332e5cc996b53bcae3e3b6d695f18f802882c56fc5a4895f5345aafd082c713530931240f683ec22bf8881197f554b550725b9d0d9ab2a59ceb6fa5f3f18169

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything.ini

    Filesize

    20KB

    MD5

    4113d40583458535e9a1d227e3e0922d

    SHA1

    d492dba04d5fc14d095d9579fbc2a793f7068478

    SHA256

    7fdf0563fdf9a92f3cd15aa988e183a4b71acaf3529d1021382cf0e18c795289

    SHA512

    dc2fd38ab99db51d7763994e69d2b52a25ca52ba96464711460853024617c94ce3b8dc5a5f7285a8eb446eec5f37b4e92da5391f27781da75b42e17e6b4aa10b

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    6KB

    MD5

    437863604b6bbb82ece95bf1cc22ebb5

    SHA1

    c25948a3f6923470dfc38d846c3938939fc6853b

    SHA256

    2311120797b4eca936e3a4407058ee23144f44be273dd3857d849698abcb1194

    SHA512

    d4a9409dc517283358937ebd1f0575ed821e497143f8e5a7302f207f30ae20260ee4b4d99495beb84308984e74591bb42ec0f1b7b4958b8e9bf558be139a8e5b

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

    Filesize

    5KB

    MD5

    1b37dc212e98a04576aac40d7ce7d06a

    SHA1

    bb02a94617d4d355b1837f50bd50362f37b409a9

    SHA256

    d5ab2b261c3138070a70fa2feeb435162c40f7d0ba8a15f6ac6064d57b6a3545

    SHA512

    3b50f6c82b7e3cfc5bf85a9a26dccad9aab8aa9a2351676bd58c27b3461c0c219a0c0deed09664aa492ba86346bd56605beae0a4eab982afd289611b1ab76ac8

  • C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\session.tmp

    Filesize

    32B

    MD5

    669e81c6c3b402167358a87f9a06e868

    SHA1

    43ea9856ee30ee8abcad54c52f4cbbc65f0a0407

    SHA256

    909d6511bc106d3e31791639613251ca901097e303cf17036f371b38fc1d62da

    SHA512

    f0d220e48ed014650d272e763b377efad6b74a43eba11c73fa56ee0826ca32087bb01659872161b4bf365754a7805a73ea623e2101ee88cd7223acdaa5ca007b

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

    Filesize

    300B

    MD5

    f31b4d075ad2f1027f66293e5d7d7be3

    SHA1

    5055a7122d9498830e17b017c3fca09a07da7f16

    SHA256

    83710f793fb3fce43cbb6658bb8a4e3d46a678addad385325d32b51526ce939d

    SHA512

    b3ecc61f7efc37850137e5b7c2bcbb1b313bed749aa197ab7dce2f4eded7f5a720e6bfb34bb1237410ec183e5378b8a6d5224b75f9eb211738c28664dad35be5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe

    Filesize

    772KB

    MD5

    b93eb0a48c91a53bda6a1a074a4b431e

    SHA1

    ac693a14c697b1a8ee80318e260e817b8ee2aa86

    SHA256

    ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142

    SHA512

    732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe

    Filesize

    802KB

    MD5

    ac34ba84a5054cd701efad5dd14645c9

    SHA1

    dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

    SHA256

    c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

    SHA512

    df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ELPACO-team.exe

    Filesize

    2.4MB

    MD5

    b951e50264f9c5244592dfb0a859ec41

    SHA1

    8af05099986d0b105d8e38f305efe9098a9fbda6

    SHA256

    e160d7d21c917344f010e58dcfc1e19bec6297c294647a06ce60efc7420d3b13

    SHA512

    ae9d85bad1ae0ed2b614fce1b7d3969483a1e39a50bc3aad3e5ba5c8fab56d4d38bf60b3e641c67ee6be29d88e3fbb73dfa39dd3c11a9a01aacdb7c269a7471d

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\[email protected]

    Filesize

    2.4MB

    MD5

    0bf7c0d8e3e02a6b879efab5deab013c

    SHA1

    4f93d2cda84e669eeddcfeb2e2fa2319901059a1

    SHA256

    b600e06f14e29b03f0b1456723a430b5024816518d704a831dde2dc9597ce9c9

    SHA512

    313f9a8ae5a0096488996f51ce0d2049f7040b5cba1f6efd6e7190517accffad9af4d72eb551755978e624f4089b9e5983eae792496b2e8e6da5a6cd7939ae5f

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe

    Filesize

    1.7MB

    MD5

    c44487ce1827ce26ac4699432d15b42a

    SHA1

    8434080fad778057a50607364fee8b481f0feef8

    SHA256

    4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405

    SHA512

    a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini

    Filesize

    548B

    MD5

    742c2400f2de964d0cce4a8dabadd708

    SHA1

    c452d8d4c3a82af4bc57ca8a76e4407aaf90deca

    SHA256

    2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01

    SHA512

    63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini

    Filesize

    550B

    MD5

    51014c0c06acdd80f9ae4469e7d30a9e

    SHA1

    204e6a57c44242fad874377851b13099dfe60176

    SHA256

    89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5

    SHA512

    79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll

    Filesize

    84KB

    MD5

    3b03324537327811bbbaff4aafa4d75b

    SHA1

    1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7

    SHA256

    8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880

    SHA512

    ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll

    Filesize

    2.5MB

    MD5

    245fb739c4cb3c944c11ef43cddd8d57

    SHA1

    435fee4453ac3d3a14d422ac21400c32d792763c

    SHA256

    d180f63148fbbfcfd88aa7938ab88fcea3881402b6617f4f3e152427aeb6c59c

    SHA512

    ee45e53116508b385a9788ce9bfe7d119f4dbf1dd4f31fc940d0dab4ca91eb63c842868ae56782f0bdb807d26895344c6e8aa909c94ddcf2dfe3189d9e24c342

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini

    Filesize

    10B

    MD5

    26f59bb93f02d5a65538981bbc2da9cc

    SHA1

    5e99a311784301637638c02401925a89694f463d

    SHA256

    14f93a82d99cd2bf3da0aba73b162a7bb183eded695cffff47a05c1290d2a2fa

    SHA512

    e48f20a62bb2d5de686a7328a682a84821c83c8c4d836287adffbe464a8b4a0ba8ca728a35438c58f142686047b153c9c3f722c0431db620e3ef3479215b9016

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui35.exe

    Filesize

    276KB

    MD5

    03a63c096b9757439264b57e4fdf49d1

    SHA1

    a5007873ce19a398274aec9f61e1f90e9b45cc81

    SHA256

    22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46

    SHA512

    0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe

    Filesize

    276KB

    MD5

    57850a4490a6afd1ef682eb93ea45e65

    SHA1

    338d147711c56e8a1e75e64a075e5e2984aa0c05

    SHA256

    31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615

    SHA512

    15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe

    Filesize

    350KB

    MD5

    803df907d936e08fbbd06020c411be93

    SHA1

    4aa4b498ae037a2b0479659374a5c3af5f6b8d97

    SHA256

    e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

    SHA512

    5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532

  • memory/3812-99-0x0000000001650000-0x0000000001656000-memory.dmp

    Filesize

    24KB

  • memory/3812-98-0x0000000001600000-0x0000000001654000-memory.dmp

    Filesize

    336KB

  • memory/3812-97-0x00000000015F0000-0x00000000015F6000-memory.dmp

    Filesize

    24KB

  • memory/3812-96-0x0000000000E10000-0x0000000000E5E000-memory.dmp

    Filesize

    312KB