mimic

General

Target

9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f
Size

3.6MB
Sample

241208-dex4patqcq
MD5

33eeeb25f834e0b180f960ecb9518ea0
SHA1

61f73e692e9549ad8bc9b965e25d2da683d56dc1
SHA256

9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f
SHA512

aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292
SSDEEP

98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\global_options.ini

Ransom Note

26=ELPACO-team 27=TIB;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt;4dd;4dl;abcddb;abs;abx;accdb;accdc;accde;accdr;accdt;accdw;accft;ade;adf;adn;adp;alf;arc;ask;bacpac;bdf;btr;cat;cdb;chck;ckp;cma;cpd;dacpac;dad;dadiagrams;daschema;db-shm;db-wal;db2;dbc;dbt;dcb;dct;dcx;ddl;dlis;dp1;dqy;dsk;dsn;dtsx;dxl;eco;ecx;epim;fcd;fic;fm5;fmp;fmp12;fmpsl;fol;fp3;fp4;fp5;fp7;fpt;frm;gdb;grdb;gwi;hdb;his;hjt;ib;icg;icr;ihx;itdb;itw;jet;jtx;kdb;kexi;kexic;kexis;lgc;lut;lwx;maf;maq;mar;mas;mav;maw;mdn;mdt;mrg;mud;mwb;ndf;nnt;nrmlib;ns2;ns3;ns4;nsf;nv;nv2;nwdb;nyf;oqy;ora;orx;owc;p96;p97;pan;pdb;pdm;pnz;qry;qvd;rbf;rctd;rod;rodx;rpd;rsd;s2db;sas7bdat;sbf;scx;sdb;sdc;sdf;sis;sl3;spq;sqlite2;te;temx;tmd;tps;trc;trm;udl;usr;v12;vis;vpd;vvv;wdb;wmdb;wrk;xdb;xld;xmlff;7z; 28=386;cmd;deskthemepack;diagcab;diagcfg;diagpkg;dll;info;mui;sys;theme;tmp; 29=steamapps;Cache;Boot;Chrome;Firefox;Mozilla;Mozilla Firefox;MicrosoftEdge;Internet Explorer;Tor Browser;Opera;Opera Software;Common Files;Config.Msi;Intel;Microsoft;Microsoft Shared;Microsoft.NET;MSBuild;MSOCache;Packages;PerfLogs;ProgramData;System Volume Information;tmp;Temp;USOShared;Windows;Windows Defender;Windows Journal;Windows NT;Windows Photo Viewer;Windows Security;Windows.old;WindowsApps;WindowsPowerShell;WINNT;$RECYCLE.BIN;$WINDOWS.~BT;$Windows.~WS;:\Users\Public\;:\Users\Default\; 30=desktop.ini;iconcache.db;thumbs.db; 31= 32= 33=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f;reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f;reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"; 34=1 35=2 36=0 37=0 38=0 39=1 40=0 41=1 42=1 43=1 44=1 45=1 46=1 47=0 48=1 49=0 50=0 51=0 53=1 54=0 55=1 56=1 57=1 58=1 59=1 60=1 61=1 62=1 63=Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours)\nYour data is encrypted\nYour decryption ID is ID_PLACEHOLDER\nUnfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\nIf you want to recover your files, write us\n1) eMail - [email protected]\n2) Telegram - @DataSupport911 or https://t.me/DataSupport911\n\nAttention!\n\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software - it may cause permanent data loss. \nWe are always ready to cooperate and find the best way to solve your problem. \nThe faster you write - the more favorable conditions will be for you. \nOur company values its reputation. We give all guarantees of your files decryption. 66=1

Emails

[email protected]\n2

URLs

https://t.me/DataSupport911\n\nAttention!\n\nDo

Extracted

Path

C:\Users\Admin\AppData\Local\Decryption_INFO.txt

Ransom Note

Hello my dear friend (Do not scan the files with antivirus in any case. In case of data loss, the consequences are yours) Your data is encrypted Your decryption ID is B4gVAcIJcsCdtZuN_V3dtP7_Ab1mqrzz0gnJkznWkHo*ELPACO-team Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted The only method of recovering files is to purchase decrypt tool and unique key for you. If you want to recover your files, write us 1) eMail - [email protected] 2) Telegram - @DataSupport911 or https://t.me/DataSupport911 Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software - it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write - the more favorable conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption.

Emails

[email protected]

URLs

https://t.me/DataSupport911

Targets

- Target
  
  9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f
- Size
  
  3.6MB
- MD5
  
  33eeeb25f834e0b180f960ecb9518ea0
- SHA1
  
  61f73e692e9549ad8bc9b965e25d2da683d56dc1
- SHA256
  
  9f6a696876fee8b811db8889bf4933262f4472ad41daea215d2e39bd537cf32f
- SHA512
  
  aaa4583b37c08a8baebac026a1b5fdca865b1c0f6760e7ade19181a28426340285dbeeb65d55bc9e222d6863645a7bf719384a1e0d3593207882619c234c9292
- SSDEEP
  
  98304:ngwRMbvguPPou2Bzg1jGE5FS3E/HrmP9Aji:ng/bv25jEKU/HrmP9AO
Score

10^/10

mimic discovery evasion execution persistence privilege_escalation ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Mimic family
  mimic
- Modifies security service
  evasion
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (3409) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral1 behavioral2