Analysis Overview
SHA256
f23542f7ee78d204034cb11a48c97b04e447fc17535133414da453fadd4738cb
Threat Level: Known bad
The file MimicBuilder.exe was found to be: Known bad.
Malicious Activity Summary
Mimic
Detects Mimic ransomware
Mimic family
Clears Windows event logs
Deletes itself
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Modifies system executable filetype association
Adds Run key to start application
Enumerates connected drives
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-26 14:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 14:19
Reported
2025-02-26 14:20
Platform
win7-20241010-en
Max time kernel
23s
Max time network
21s
Command Line
Signatures
Detects Mimic ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mimic
Mimic family
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Datadecrypt = "\"C:\\Users\\Admin\\AppData\\Local\\BC57CE41-27D7-C825-6CB7-A6508B063C81\\Datadecrypt.exe\" " | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wevtutil.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
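A caveat on the two registry tables above (the exefile association writes and the Run key). The data written to exefile\shell\open\command is "\"%1\" %*", which is the stock handler for .exe files, so what the sample does is (re)register the default association under both HKLM and the per-user Classes hive rather than hijack it; a rule that only fires on "exefile\shell\open\command modified" cannot tell these apart. The Run key, by contrast, points at Datadecrypt.exe inside a GUID-named folder under AppData\Local, which is the persistence worth acting on. The Python below is an added example, not part of this report or of any Mimic tooling: it parses indicator lines in the "path = \"escaped data\"" form used in these tables, normalises the native hive paths, and distinguishes a default handler from a hijacked one while flagging Run entries that point into user-writable or GUID-named directories. The last line of SAMPLE_INDICATORS (a hijacked handler under HKLM) is a constructed input for contrast, not something the sandbox recorded; the finding names are the example's own.

```python
"""Triage registry-write indicators of the form
    <native key path>\\<value name> = "<escaped data>"
as they appear in the 'Modifies system executable filetype association'
and 'Adds Run key to start application' tables of this report.
Added example; the hijacked-handler line in SAMPLE_INDICATORS is a
constructed input, not something the sandbox recorded."""
import re

DEFAULT_EXEFILE_CMD = '"%1" %*'          # stock handler for .exe files
USER_WRITABLE = re.compile(r'\\(AppData|Temp|Users\\Public|ProgramData)\\', re.I)
GUID_DIR = re.compile(r'\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\', re.I)
SID = r'S-1-5-21(?:-\d+){3,4}'


def parse_indicator(indicator):
    """Split 'path = "data"' into (path, data), unescaping \\" and \\\\ in data.
    Key-creation indicators carry no data and come back as (path, None)."""
    path, sep, rest = indicator.partition(' = ')
    if not sep:
        return indicator.strip(), None
    rest = rest.strip()
    if len(rest) >= 2 and rest[0] == '"' and rest[-1] == '"':
        rest = rest[1:-1]
    return path.strip(), re.sub(r'\\(.)', r'\1', rest)


def normalize_key(path):
    """Map object-manager paths to the hive names an analyst works with."""
    p = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    p = re.sub(r'^\\REGISTRY\\USER\\' + SID + r'_CLASSES\\',
               r'HKCU\\Software\\Classes\\', p, flags=re.I)
    p = re.sub(r'^\\REGISTRY\\USER\\' + SID + r'\\', r'HKCU\\', p, flags=re.I)
    return p


def first_executable(command):
    """Return the program path from a command string, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ''


def triage(indicator):
    """Return (finding, key, value) tuples for one indicator line."""
    path, data = parse_indicator(indicator)
    key, _, name = normalize_key(path).rpartition('\\')
    findings = []
    # Default value of ...\Classes\exefile\shell\open\command: the .exe handler.
    if (data is not None and name == ''
            and key.lower().endswith(r'\classes\exefile\shell\open\command')):
        tag = ('exefile_handler_default' if data.strip() == DEFAULT_EXEFILE_CMD
               else 'exefile_handler_hijacked')
        findings.append((tag, key, data))
        if key.upper().startswith('HKCU\\'):
            # A per-user Classes entry shadows the HKLM association for that user.
            findings.append(('per_user_exefile_override', key, data))
    # Run-key persistence: where does the value point?
    if data is not None and re.search(r'\\CurrentVersion\\Run$', key, re.I):
        exe = first_executable(data)
        if USER_WRITABLE.search(exe):
            findings.append(('run_key_user_writable_path', key + '\\' + name, exe))
        if GUID_DIR.search(exe):
            findings.append(('run_key_guid_named_dir', key + '\\' + name, exe))
    return findings


def triage_all(indicators):
    """Aggregate the distinct finding tags over a list of indicator lines."""
    return sorted({f[0] for ind in indicators for f in triage(ind)})


# Constructed input: two indicator lines copied from this report's tables,
# one key-creation line, and one hypothetical hijacked handler for contrast.
SAMPLE_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Datadecrypt = "\"C:\\Users\\Admin\\AppData\\Local\\BC57CE41-27D7-C825-6CB7-A6508B063C81\\Datadecrypt.exe\" "',
    r'\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Public\\stub.exe\" \"%1\" %*"',
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        print(triage(ind))
```

Key-creation rows (no " = " part) yield no findings on their own; only the value writes carry enough information to judge.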
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p2683527442232016684 Everything64.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe"
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe
"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe"
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe
"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe" -startup
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
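The process listing above shows the deployment chain in order: the 7-Zip SFX stub runs its generated 7ZSfx000.cmd batch file, 7za.exe extracts a password-protected archive that is named Everything64.dll (the payload is hidden in a DLL-named archive, not a real DLL), the extracted components are executed from a GUID-named folder under AppData\Local, Everything.exe is started with -startup, and wevtutil clears the Security, System and Application logs. The Python below is an added example, not part of this report or of any Mimic tooling: it tags process command lines for those stages and only calls a set Mimic-like when the password-archive extraction, GUID-directory execution and log clearing all co-occur, so a lone 7-Zip extraction or a lone wevtutil call does not trip it. The two input lists are constructed (copies of the listing above plus benign look-alikes); the tag names are the example's own.

```python
"""Tag Windows process command lines for the stages of the Mimic deployment
chain recorded in this report: a 7-Zip SFX batch stub, 7za.exe extracting a
password-protected archive named like a DLL, payloads executed from an
AppData\\Local\\<GUID>\\ directory, and wevtutil clearing event logs.
Added example; the SAMPLE_* lists below are constructed from the report's
process listing plus benign look-alikes and are not sandbox output."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

GUID_DIR = re.compile(r'\\AppData\\Local\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\', re.I)
SFX_STUB = re.compile(r'\\7ZSfx\d+\.cmd\b', re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def tag_command_line(cmdline):
    """Return the set of behaviour tags one command line triggers."""
    toks = tokenize(cmdline)
    if not toks:
        return set()
    image = PureWindowsPath(toks[0]).name.lower()
    args = [a.lower() for a in toks[1:]]
    tags = set()
    # 7za.exe x -y -p<password> <archive>.dll : payload hidden in a DLL-named archive
    if image in ("7za.exe", "7z.exe") and "x" in args:
        has_password = any(a.startswith("-p") and len(a) > 2 for a in args)
        dll_named_archive = any(a.endswith(".dll") for a in args)
        if has_password and dll_named_archive:
            tags.add("sfx_password_extract_dll_archive")
    # wevtutil.exe cl <log> : anti-forensics, one tag per cleared log
    if image == "wevtutil.exe" and len(args) >= 2 and args[0] in ("cl", "clear-log"):
        tags.add("event_log_cleared:" + args[1])
    # cmd /c "...\7ZSfx000.cmd" : the SFX installer's generated batch stub
    if image in ("cmd", "cmd.exe") and SFX_STUB.search(cmdline):
        tags.add("sfx_batch_stub")
    # anything launched from %LOCALAPPDATA%\<GUID>\ (the staging directory seen here)
    if GUID_DIR.search(toks[0]):
        tags.add("exec_from_guid_dir")
        if image == "everything.exe" and "-startup" in args:
            tags.add("everything_startup_from_guid_dir")
    return tags


def summarize(cmdlines):
    """Map each tag to the indexes of the command lines that raised it."""
    hits = defaultdict(list)
    for i, line in enumerate(cmdlines):
        for tag in tag_command_line(line):
            hits[tag].append(i)
    return dict(hits)


def matches_mimic_chain(cmdlines):
    """True when the three stages co-occur across the process list:
    DLL-named password archive, execution from a GUID directory, and at
    least one cleared event log. Any one alone is weaker evidence."""
    hits = summarize(cmdlines)
    return ("sfx_password_extract_dll_archive" in hits
            and "exec_from_guid_dir" in hits
            and any(t.startswith("event_log_cleared:") for t in hits))


# Constructed input: the report's process command lines, in order.
SAMPLE_MIMIC = [
    r'"C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i',
    r'"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p2683527442232016684 Everything64.dll',
    r'"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe"',
    r'"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe"',
    r'C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe',
    r'"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe" -startup',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "',
    "wevtutil.exe cl security",
    "wevtutil.exe cl system",
    "wevtutil.exe cl application",
]
# Constructed benign look-alikes: a normal 7-Zip extraction, a log query,
# and the real Everything search tool started from Program Files.
SAMPLE_BENIGN = [
    r'"C:\Program Files\7-Zip\7z.exe" x -y C:\backups\archive.7z',
    r'wevtutil.exe qe Security /c:5 /f:text',
    r'"C:\Program Files\Everything\Everything.exe" -startup',
]

if __name__ == "__main__":
    for name, lines in (("report", SAMPLE_MIMIC), ("benign", SAMPLE_BENIGN)):
        print(name, matches_mimic_chain(lines), sorted(summarize(lines)))
```

Feed it the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled); the image name is taken from the first token, so quoted paths and bare names such as "cmd" are both handled.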
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.0:445 through 10.127.0.254:445 (one row per address in the original listing, 255 rows, every one to port 445) | N/A | tcp |
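Every row in the network table is a single TCP connection to port 445 (SMB) on a different address of the 10.127.0.0/24 range, covering all 255 hosts from .0 to .254: a subnet sweep for reachable file shares, which matches the drive and storage enumeration signatures above. The Python below is an added example, not sandbox output or Mimic code: it groups destination "ip:port" strings by prefix and port and reports any group that touched at least a threshold of distinct hosts, so a burst of repeated connections to one server does not count as a sweep. The prefix length, the threshold and the two input lists are the example's own assumptions.

```python
"""Detect a same-port sweep across a contiguous subnet from a list of
destination 'ip:port' strings, such as the 10.127.0.0/24:445 rows in this
report. Added example; both input lists below are constructed."""
import ipaddress
from collections import defaultdict


def parse_destinations(rows):
    """Turn 'a.b.c.d:port' strings into (IPv4Address, port) tuples,
    silently skipping rows that do not parse."""
    out = []
    for row in rows:
        host, sep, port = row.strip().rpartition(':')
        if not sep or not port.isdigit():
            continue
        try:
            out.append((ipaddress.IPv4Address(host), int(port)))
        except ipaddress.AddressValueError:
            continue
    return out


def find_sweeps(rows, prefix_len=24, min_hosts=16):
    """Group destinations by (/prefix_len network, port) and report groups
    that reached at least min_hosts distinct addresses. Each result is
    (network, port, distinct_hosts, fraction_of_subnet), most hosts first.
    Repeated connections to the same host count once."""
    groups = defaultdict(set)
    for ip, port in parse_destinations(rows):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[(net, port)].add(ip)
    sweeps = []
    for (net, port), hosts in groups.items():
        if len(hosts) >= min_hosts:
            sweeps.append((str(net), port, len(hosts), len(hosts) / net.num_addresses))
    return sorted(sweeps, key=lambda s: -s[2])


def is_smb_sweep(rows):
    """True when any detected sweep targets port 445."""
    return any(port == 445 for _, port, _, _ in find_sweeps(rows))


# Constructed input mirroring the report: one connection per address .0-.254.
SWEEP_ROWS = [f"10.127.0.{i}:445" for i in range(0, 255)]
# Constructed input for a host with ordinary traffic: one file server
# contacted twice, plus HTTPS and DNS to outside addresses.
NORMAL_ROWS = ["10.127.0.1:445", "10.127.0.1:445", "52.96.0.1:443", "8.8.8.8:53"]

if __name__ == "__main__":
    print(find_sweeps(SWEEP_ROWS))
    print(find_sweeps(NORMAL_ROWS))
```

Run it over the destination column of a flow or firewall export; on a real network lower min_hosts if the sweeper is rate-limited or the capture window is short, and raise it where a backup or monitoring server legitimately talks to most of a subnet.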
Files
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
| MD5 | b93eb0a48c91a53bda6a1a074a4b431e |
| SHA1 | ac693a14c697b1a8ee80318e260e817b8ee2aa86 |
| SHA256 | ab15a9b27ee2d69a8bc8c8d1f5f40f28cd568f5cbb28d36ed938110203f8d142 |
| SHA512 | 732cb0dcb2b1dac1a7462554c256cec27de243734f79b7f87026e9f5fbae6d5d8a5f14a702d2af0b65897b6abad70a9eff1905dc851ce267d221ddcdd9e640c5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
| MD5 | 6beaabdcebd1819dd160b0137b8d68e0 |
| SHA1 | 354dbc5877c6a24a4b83211b695077e28aaea060 |
| SHA256 | 0da80dffc602b64b17f47a1b82f38f75a2222234d83ffda4131f8ad3ae99682e |
| SHA512 | 481ef0a44580a713af5f5169fc2ab20ad943dda3b3477e14d4bc92f1131ad6afb629874d0beda72fc3852274f00e3cb4c2c30a6c81bd7d25f89e3f7c29e34a54 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe
| MD5 | 6b81003a9aa0f8925e010211048c1035 |
| SHA1 | 9e229a278a72b13c59331bac4baab7373a59d2e6 |
| SHA256 | c3c77f6f43c24ce810a71f6a3174c5de6e8be398479e5f8207e94c802890cf7c |
| SHA512 | 2833dd94fc7146776a7a3e11c8fcd681080762a24f525682228d533b93f3b9ecdc9c665a036d7fb9fef034db29f6e64e92b20c2cff731eaea44701e34c7b7a43 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
| MD5 | 3b03324537327811bbbaff4aafa4d75b |
| SHA1 | 1218bd8165a2e0ec56a88b5a8bb4b27e52b564e7 |
| SHA256 | 8cae8a9740d466e17f16481e68de9cbd58265863c3924d66596048edfd87e880 |
| SHA512 | ba5312e1836bac0bb05b133b2b938be98b28646c8b8fc45804d7f252cd2e1a191667bfa8ba979bf2a07d49053114234b78cca83ef28aecf105d7169a3ec3dc62 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
| MD5 | ac34ba84a5054cd701efad5dd14645c9 |
| SHA1 | dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b |
| SHA256 | c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e |
| SHA512 | df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
| MD5 | c44487ce1827ce26ac4699432d15b42a |
| SHA1 | 8434080fad778057a50607364fee8b481f0feef8 |
| SHA256 | 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405 |
| SHA512 | a0ea698333c21e59b5bc79d79ff39d185a019cede394dbd8b2eb72c4230001685a90098a691c296aeab27db6751eef56c4261cf00f790de2e9e9efc0e7f7c808 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
| MD5 | 742c2400f2de964d0cce4a8dabadd708 |
| SHA1 | c452d8d4c3a82af4bc57ca8a76e4407aaf90deca |
| SHA256 | 2fefb69e4b2310be5e09d329e8cf1bebd1f9e18884c8c2a38af8d7ea46bd5e01 |
| SHA512 | 63a7f1482dc15d558e1a26d1214fcecca14df6db78c88735a67d1a89185c05210edc38b38e3e014dac817df88968aaf47beb40e8298777fbb5308abfe16479e4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
| MD5 | 51014c0c06acdd80f9ae4469e7d30a9e |
| SHA1 | 204e6a57c44242fad874377851b13099dfe60176 |
| SHA256 | 89ad2164717bd5f5f93fbb4cebf0efeb473097408fddfc7fc7b924d790514dc5 |
| SHA512 | 79b5e2727cce5cd9f6d2e886f93b22b72ec0ad4a6b9ad47205d7cf283606280665ead729ab3921d7e84409cfc09a94e749a68918130f0172856626f5f7af010c |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini
| MD5 | 26f59bb93f02d5a65538981bbc2da9cc |
| SHA1 | 5e99a311784301637638c02401925a89694f463d |
| SHA256 | 14f93a82d99cd2bf3da0aba73b162a7bb183eded695cffff47a05c1290d2a2fa |
| SHA512 | e48f20a62bb2d5de686a7328a682a84821c83c8c4d836287adffbe464a8b4a0ba8ca728a35438c58f142686047b153c9c3f722c0431db620e3ef3479215b9016 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui35.exe
| MD5 | 03a63c096b9757439264b57e4fdf49d1 |
| SHA1 | a5007873ce19a398274aec9f61e1f90e9b45cc81 |
| SHA256 | 22ea129b0f57184f30b1771c62a3233ba92e581c1f111b4e8abfa318dc92cc46 |
| SHA512 | 0d656d807572f6be4574024e2bbcf0cbd291fe13a1adeb86a333177ee38db16b06da9a18509e599db0d2cf8206b84f6856a9674dba29a2cbeb844a216cb45ddd |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe
| MD5 | 57850a4490a6afd1ef682eb93ea45e65 |
| SHA1 | 338d147711c56e8a1e75e64a075e5e2984aa0c05 |
| SHA256 | 31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615 |
| SHA512 | 15cf499077e0c8f3421b95e09a18ae5468ae20a7b3a263f01cc8e6d445d54f09ca8a3189ecb40c87d0e6277c99b504424cdd0e35bbe493a1b0849900d21bccf8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
| MD5 | 803df907d936e08fbbd06020c411be93 |
| SHA1 | 4aa4b498ae037a2b0479659374a5c3af5f6b8d97 |
| SHA256 | e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c |
| SHA512 | 5b9c44b4ed68b632360c66b35442722d2797807c88555c9fde9c176581d410e4f6ed433fabdcd9ee614db458158e6055a9f7f526ebfbc8e7f5f3d388f5de4532 |
memory/1656-89-0x0000000000160000-0x00000000001AE000-memory.dmp
memory/1656-90-0x0000000000150000-0x0000000000156000-memory.dmp
memory/1656-91-0x0000000000640000-0x0000000000694000-memory.dmp
memory/1656-96-0x0000000000490000-0x0000000000496000-memory.dmp
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\global_options.ini
| MD5 | cabb8d121bcb0f8b3471f9fe81c7718d |
| SHA1 | b7b5ef9de59cf40f986058e05e7f8971055fbb7e |
| SHA256 | 9d66907c6b9ec6ec5e61c8f367c3ae05e93037ac576c60162e7329bb78ce496f |
| SHA512 | 76fac20f7b604d9e35f5ca2fb9e146fe23def51f92b4d488b83633d5e6559357479216ba8d17bc540dcdfda8ed23c468ea33e4f40d515f3d6991aec70d7bc54d |
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | 32a79aba4eeb9fa9e1693b106367c4ef |
| SHA1 | e830778969f69b703f625b085336243730d6c960 |
| SHA256 | 87943f487afe6305652c4205771b0a438290e351cc6cc9b877dc6bbd8fa42c8c |
| SHA512 | 1a1fbbfd1a4a26e49e5ceaa1909ca7d3e07db879fff54cfa9221e860aa265481dcea7d6221e06c1ffec14364ee5714284e1fb98db8a57ef02160ae19557a4293 |
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.db
| MD5 | 03626863ea8e70964c30c64044b573c4 |
| SHA1 | 37f94642549c53daad1927ae893a955afc3d810e |
| SHA256 | df097037625e93cca24fa47c796d5904df8d4f60f98e3f692b5e4fb9fb51ea85 |
| SHA512 | a5da98aad03f2d4db439884bd0e54e6dd364a94e3a6603601f9758dba3c26d4fe8003e43a940ce8fbc891d628b535db4edc4104b921f575046cf5bd1c7c9c608 |
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.ini
| MD5 | 67fe18568f0b5132b76b23aeb28f1c9f |
| SHA1 | c94eee5a10e091a35fed0471be2df1864f9e0d4f |
| SHA256 | 8af4f700631164ebe95da18db4d6c0fe24c151e02669f0df78c21292aaf94505 |
| SHA512 | 185a09c17d75edef2a7c487d1d4ca134cc69c8ce30ec78bc5aa12caef5978871bad12f60cdcad6f0d010325f23cd428ffc32bcb7f021e7ee72622f70e83219d0 |
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\session.tmp
| MD5 | 78c3aa88f42336f09a309222fe86120b |
| SHA1 | 53d93ad5a9d906e9bb4079bc93ff62d003a86cd3 |
| SHA256 | 7ee7a4d55f01e7f9950c31707a985b3a1dc6dc727902da642ee6ec57b88b5198 |
| SHA512 | da1a2d35df7b9b046ae80208c1ca3dc31e21b3e43c31a1f038ebfb07c6126c2a6fb2b50acff9e8fb0b75ee182fa0948382ea5df277884928e96d22cc7257177f |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 14:19
Reported
2025-02-26 14:20
Platform
win10v2004-20250217-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Detects Mimic ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Mimic
Mimic family
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wevtutil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Datadecrypt = "\"C:\\Users\\Admin\\AppData\\Local\\BC57CE41-27D7-C825-6CB7-A6508B063C81\\Datadecrypt.exe\" " | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wevtutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe
"C:\Users\Admin\AppData\Local\Temp\MimicBuilder.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p2683527442232016684 Everything64.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe"
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe
"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Datadecrypt.exe"
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\gui40.exe
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe
"C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.exe" -startup
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\datadecrypt.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DC.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui35.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gui40.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\xdel.exe
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\global_options.ini
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\global_options.ini
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\session.tmp
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.db
C:\Users\Admin\AppData\Local\BC57CE41-27D7-C825-6CB7-A6508B063C81\Everything.ini