mimic

General

Target

279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.zip
Size

2.4MB
Sample

250126-szhxtsvpft
MD5

e4281dfec22cfb0592ea795031588266
SHA1

a774636da789779a06a6a3afc4c88fd702332d1e
SHA256

a4046873a46f49ff3e18ad802b763aec71272ae18edef31fd1a2e4de4813a742
SHA512

b03648eddf2ce56efe590292b22984f55b14625ddb08c5fff91e1a6a6208c5c856bccdefb9a87c5e28f7d0d98a6c8e125c4d794f04a0e0f28a9fae8e4d224025
SSDEEP

49152:efVSguEh9RPDaaIdceUq/BIC5cuehrDcOjupGgK7s5cOmA/SchZzLJ1hg/:WVSktfeUD+cue14OjupSSGSSGRdre

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note

I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : HZPygGKM5wSxZfweKaOo5i1IeRR-MR-RdS68Fu-lBz8*EncryptedDATA ONE When you contact us, share your contact number with us.

Emails

[email protected]

URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Extracted

Path

C:\Users\Admin\AppData\Local\CONTACT.txt

Ransom Note

I encrypted your system with a vulnerability in your system. If you want your information, you must pay us. The ransomware project I use on your system is a completely private project. it cannot be broken. unsolvable. People who say they can help you often come to us and they ask us for help on your behalf . In this case, you have to pay more than what you normally pay. If you contact us directly, the fee you will pay will be lower. You may not trust us . but we are trying our best to help you. We can direct you to a company whose data we opened and helped within 48 hours. We want you to know that we have references all over the world. We do not work in a specific region or country. The company we will direct you to can be from any part of the world. We may also share various images and videos with you. We will open the encrypted data. this is our job. We get paid and we help. We cover your vulnerabilities. We ensure your safety and give advice. It is not just your data that you will buy from us. also your safety Our aim is to return the hacked systems back to you. But we want to be rewarded for our services. The most important thing we want from you. be quick . Respond quickly when communicating and quickly conclude the case. We don't want to waste time. We can prove to you that we can open encrypted data. You can send the sample file you want with .png ,jpg,avi,pdf file extensions that are not important to you. We will send the file back to you in working condition. Our file limit is 3 . we can't open more for you for free. You can send us your database files. After we have your database file working, we can send you a screenshot of the table you want. If you want to talk to us instantly, you can contact us via qtox. qtox program address: https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe My qtox address is: E12919AB09D54CB3F6903091580F0C4AADFB6396B1E6C7B8520D878275F56E7803D963E639AE Email address: [email protected] Dcrypter ID : 7VmqcXsVVj8URb9uaZSEYySIyROlydquyzk0j_Lcdmg*EncryptedDATA ONE When you contact us, share your contact number with us.

Emails

[email protected]

URLs

https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe

Targets

- Target
  
  279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9.exe
- Size
  
  2.5MB
- MD5
  
  6e5c33671c42d3c85f7b629a50ae7d9b
- SHA1
  
  0bb791b555684804334bcf75a5013d9625b9edb6
- SHA256
  
  279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9
- SHA512
  
  015c1ccf3c3a3f0b3749fc9d7e9e26bbc63f92f5b5613293a19594fd785792f10f37a628e4c40deb601913fde67b89f84536e96331dc2863dabec7dd454928d7
- SSDEEP
  
  49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl
Score

10^/10

mimic defense_evasion discovery evasion execution persistence ransomware trojan
- Detects Mimic ransomware
- Mimic
  Ransomware family was first exploited in the wild in 2022.
  ransomware mimic
- Mimic family
  mimic
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies security service
  defense_evasion
- UAC bypass
  defense_evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (157) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Deletes System State backups
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral1 behavioral2