Ransom.Win32.MIMIC.D

该勒索软件通过两种途径侵入系统：一是被其他恶意软件作为文件植入，二是用户访问恶意网站时在不知情的情况下下载的文件。

它不具备任何传播功能。

它不具备任何后门功能。

它会收集受感染计算机上的特定信息。

它会释放勒索说明文件作为赎金票据，并避免加密具有以下扩展名的文件：

Arrival Details

该勒索软件通过两种途径侵入系统：一是被其他恶意软件作为文件植入，二是用户访问恶意网站时在不知情的情况下下载的文件。

Installation

该勒索软件会释放以下文件：

• %User Temp%\7ZipSfx.000\7za.exe → legitimate 7zip application, deleted afterwards
• %User Temp%\7ZipSfx.000\DC.exe → detected as HackTool.Win32.DEFENDERCONTROL.Z, deleted afterwards
• %User Temp%\7ZipSfx.000\ENC_default_default_2024-09-01_14-25-56=ELENOR-corp.exe → Mimic ransomware, deleted afterwards
• %User Temp%\7ZipSfx.000\Everything.exe → legitimate Everything application, deleted afterwards
• %User Temp%\7ZipSfx.000\Everything.ini → deleted afterwards
• %User Temp%\7ZipSfx.000\Everything2.ini → deleted afterwards
• %User Temp%\7ZipSfx.000\Everything32.dll → legitimate dll used by Everything.exe, deleted afterwards
• %User Temp%\7ZipSfx.000\Everything64.dll → password protected archive containing malicious payload, deleted afterwards
• %User Temp%\7ZipSfx.000\gui35.exe → deleted afterwards
• %User Temp%\7ZipSfx.000\gui40.exe → GUI used by Mimic ransomware, deleted afterwards
• %User Temp%\7ZipSfx.000\xdel.exe → legitimate sdelete application, deleted afterwards
• %User Temp%\7ZSfx000.cmd → used to delete the sample and itself
• Copy of files dropped in %User Temp%\7ZipSfx.000:
  • %AppDataLocal%\{Generated GUID}\7za.exe
  • %AppDataLocal%\{Generated GUID}\DC.exe
  • %AppDataLocal%\{Generated GUID}\Everything.exe
  • %AppDataLocal%\{Generated GUID}\Everything.ini
  • %AppDataLocal%\{Generated GUID}\Everything2.ini
  • %AppDataLocal%\{Generated GUID}\Everything32.dll
  • %AppDataLocal%\{Generated GUID}\Everything64.dll
  • %AppDataLocal%\{Generated GUID}\gui35.exe
  • %AppDataLocal%\{Generated GUID}\gui40.exe
  • %AppDataLocal%\{Generated GUID}\systemsg.exe → copy of ENC_default_default_2024-09-01_14-25-56=ELENOR-corp.exe
  • %AppDataLocal%\{Generated GUID}\xdel.exe
• %AppDataLocal%\{Generated GUID}\session.tmp
• %AppDataLocal%\{Generated GUID}\global_options.ini
• %System%\GroupPolicy\Machine\Registry.pol
• %System%\GroupPolicy\gpt.ini
• %System Root%\temp\session.tmp

它会添加以下进程：

• %User Temp%\7ZipSfx.000\7za.exe i
• %User Temp%\7ZipSfx.000\7za.exe x -y -p{Archive File Password} Everything64.dll
• %User Temp%\7ZipSfx.000\ENC_default_default_2024-09-01_14-25-56=ELENOR-corp.exe
• cmd /c "%User Temp%\7ZSfx000.cmd"
• %AppDataLocal%\{Generated GUID}\systemsg.exe
• %AppDataLocal%\{Generated GUID}\gui40.exe
• %Program Files%\Everything\Everything.exe" -startup
• %AppDataLocal%\{Generated GUID}\DC.exe /D
• %AppDataLocal%\{Generated GUID}\systemsg.exe -e watch -pid {Current Process PID} -!
• %AppDataLocal%\{Generated GUID}\systemsg.exe" -e ul1;
• %AppDataLocal%\{Generated GUID}\systemsg.exe" -e ul2;
• powercfg.exe -H off
• powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
• powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
• powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
• powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
• powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
• powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
• powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
• powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
• powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
• powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
• powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
• powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
• powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
• powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
• ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 \"%s\" & cd /d \"%s\" & Del /f /q /a *.exe *.bat
• ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 \"%s\" & cd /d \"%s\" & Del /f /q /a *.exe *.ini *.dll *.bat *.db
• powershell.exe -ExecutionPolicy Bypass \"Get-VM | Stop-VM\"
• powershell.exe -ExecutionPolicy Bypass \"Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage\"
• powershell.exe -ExecutionPolicy Bypass \"Get-Volume | Get-DiskImage | Dismount-DiskImage\"
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled no
• wbadmin.exe DELETE SYSTEMSTATEBACKUP
• wbadmin.exe delete catalog -quiet
• reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AllowMultipleTSSessions" /t REG_DWORD /d 0x1 /f
• reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fSingleSessionPerUser" /t REG_DWORD /d 0x0 /f
• reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"
• notepad.exe %AppDataLocal%\Decrypt_ELENOR-corp_info.txt
• %AppDataLocal%\{Generated GUID}\xdel.exe -accepteula -p 1 -c {Encrypted Drive}
• wevtutil.exe cl security
• wevtutil.exe cl system
• wevtutil.exe cl application
• cmd.exe /d /c "ping 127.2 -n 5 & fsutil file setZeroData offset=0 length=20000000 "%AppDataLocal%\{Generated GUID}\systemsg.exe" & cd /d "%AppDataLocal%\{Generated GUID}" & Del /f /q /a *.exe *.ini *.dll *.bat *.db"

(Note: %User Temp% 是当前用户的临时文件夹,通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Temp 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %AppDataLocal% 是本地应用程序数据文件夹, 通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Application Data 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Program Files% 是默认的程序安装文件夹, 通常位于此路径 C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

它会创建以下文件夹：

• %User Temp%\7ZipSfx.000
• %AppDataLocal%\{Generated GUID} →File attribute set to HIDDEN and SYSTEM
• %System Root%\temp

(Note: %User Temp% 是当前用户的临时文件夹,通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Temp 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %AppDataLocal% 是本地应用程序数据文件夹, 通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Application Data 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% 此处指Windows系统根目录，其通常位于 C:\ 适用于所有Windows操作系统版本。）

它会添加以下互斥量，以确保在任何时候只有一个副本在运行：

• {Derived from the string "WhosYourBunny"}

Autostart Technique

该勒索软件会添加以下注册表项，以实现每次系统启动时自动执行：

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
systemsg = %AppDataLocal%\{Generated GUID}\systemsg.exe

其他系统修改

该勒索软件会添加以下注册表项：

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile\shell\open\
command
(Default) = "%1" %*

HKEY_USER\S-1-5-21-2019512041-4230814187-3178073052-1000_CLASSES\exefile\
shell\open\command
(Default) = "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
HidePowerOptions = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
HidePowerOptions = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoClose = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
StartMenuLogOff = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathsEnabled = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
DataCollection
AllowTelemetry = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AllowMultipleTSSessions = 1

HKEY_LOCAL_MACHINE\system\CurrentControlSet\
Control\Terminal Server
fSingleSessionPerUser = 0

HKEY_LOCAL_MACHINE\Software\Classes\
mimicfile\shell\open\
command
(Default) = notepad.exe %AppDataLocal%\Decrypt_ELENOR-corp_info.txt

HKEY_LOCAL_MACHINE\Software\Classes\
.ELENOR-corp-{Victim ID}
(Default) = mimicfile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
systemsg.exe = notepad.exe %AppDataLocal%\Decrypt_ELENOR-corp_info.txt

该程序会修改以下注册表项：

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

注：该注册表项的默认值为 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender
DisableAntiSpyware = 1

注：该注册表项的默认值为 0.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\WinDefend
Start = 3

注：该注册表项的默认值为 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Service with "sql","backup", or "database" in its Name}
Start = 4

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
shutdownwithoutlogon = 0

注：该注册表项的默认值为 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 5

注：该注册表项的默认值为 5.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CurrentVersion\Policies\
System
legalnoticetext = {Contents of Ransom Note}

注：该注册表项的默认值为 {Empty}.)

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = {Space}

注：该注册表项的默认值为 {Empty}.)

它会删除以下注册表项：

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\System
DisableCmd =

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCmd =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
systemsg.exe =

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
systemsg.exe =

Propagation

该勒索软件不具备任何传播功能。

Backdoor Routine

该勒索软件不具备任何后门功能。

Rootkit Capabilities

该勒索软件不具备Rootkit功能。

进程终止

若在受感染系统上发现以下服务，该勒索软件会将其终止：

• WSearch
• pla
• DusmSvc
• defragsvc
• DoSvc
• wercplsupport
• SDRSVC
• TroubleshootingSvc
• Wecsvc
• fhsvc
• wbengine
• PcaSvc
• WerSvc
• SENS
• AppIDSvc
• BITS
• wuauserv
• SysMain
• DiagTrack
• diagnosticshub.standalonecollector.service
• dmwappushservice
• WMPNetworkSvc

若在受感染系统的内存中发现以下进程正在运行，该勒索软件会将其终止：

• taskmgr.exe
• tasklist.exe
• taskkill.exe
• perfmon.exe
• Everything.exe

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• sql
• backup
• database

Information Theft

This Ransomware gathers the following information on the affected computer:

• Processor architecture
• Number of processors
• RAM information
• OS version
• Username
• Computer name
• If executed with elevated privileges or not
• User groups
• Affected machine IP address
• Network adapter name
• Network shares
• Network drives
• If the full version of .NET Framework 4 is installed on the affected system or not

其他信息

该勒索软件会对以下扩展名的文件进行加密：

• tib
• sql
• sqlite
• sqlite3
• sqlitedb
• mdf
• mdb
• adb
• db
• db3
• dbf
• dbs
• udb
• dbv
• dbx
• edb
• exb
• 1cd
• fdb
• idb
• mpd
• myd
• odb
• xls
• xlsx
• doc
• docx
• bac
• bak
• back
• zip
• rar
• dt
• 4dd
• 4dl
• abcddb
• abs
• abx
• accdb
• accdc
• accde
• accdr
• accdt
• accdw
• accft
• ade
• adf
• adn
• adp
• alf
• arc
• ask
• bacpac
• bdf
• btr
• cat
• cdb
• chck
• ckp
• cma
• cpd
• dacpac
• dad
• dadiagrams
• daschema
• db-shm
• db-wal
• db2
• dbc
• dbt
• dcb
• dct
• dcx
• ddl
• dlis
• dp1
• dqy
• dsk
• dsn
• dtsx
• dxl
• eco
• ecx
• epim
• fcd
• fic
• fm5
• fmp
• fmp12
• fmpsl
• fol
• fp3
• fp4
• fp5
• fp7
• fpt
• frm
• gdb
• grdb
• gwi
• hdb
• his
• hjt
• ib
• icg
• icr
• ihx
• itdb
• itw
• jet
• jtx
• kdb
• kexi
• kexic
• kexis
• lgc
• lut
• lwx
• maf
• maq
• mar
• mas
• mav
• maw
• mdn
• mdt
• mrg
• mud
• mwb
• ndf
• nnt
• nrmlib
• ns2
• ns3
• ns4
• nsf
• nv
• nv2
• nwdb
• nyf
• oqy
• ora
• orx
• owc
• p96
• p97
• pan
• pdb
• pdm
• pnz
• qry
• qvd
• rbf
• rctd
• rod
• rodx
• rpd
• rsd
• s2db
• sas7bdat
• sbf
• scx
• sdb
• sdc
• sdf
• sis
• sl3
• spq
• sqlite2
• te
• temx
• tmd
• tps
• trc
• trm
• udl
• usr
• v12
• vis
• vpd
• vvv
• wdb
• wmdb
• wrk
• xdb
• data
• xld
• xmlff
• 7z

它会执行以下操作：

• It does not proceed with its behavior when the affected system's operating system is Windows XP or older.
• It uses the following GUI to control the operation of the ransomware:
  
  
  
  
• It encrypts fixed and removable drives and network shares.
• It abuses Everything APIs to search for files to encrypt.
• It stores a session key in %AppDataLocal%\{Generated GUID}\session.tmp to resume encryption if the process is interrupted.
• It disables Windows Defender.
• It disables the affected system's ability to sleep, hibernate, or enter power-saving mode.
• It uses Powershell to stop all running VMs, identify VHDs associated with VMs and unmounts them.
• It empties the recycle bin.
• It uses WQL to delete volume shadow copies.
• It enables multiple remote desktop sessions to the affected system.
• It sets sethc.exe (Sticky Keys) to open cmd.exe.
• It clears security, system, and applicaiton event logs.
• It disables Windows telemetry.
• It sets itself to be one of the last processes terminated during system shutdown.

它接受以下参数：

• -dir → directory for encryption
• -e all → encrypt all (default)
• -e local → encrypt local files
• -e net → encrypt files on network drives
• -e watch
• -e share → encrypt files on network shares
• -e ul1 → unlock certain memory addresses from another process
• -e ul2 → unlock certain memory addresses from another process
• -prot → protects the ransomware from being killed
• -pid → process identifier (PID) of the previously-running ransomware
• -tail

它不会利用任何漏洞。

Ransomware Routine

此勒索软件会避免加密文件路径中包含以下字符串的文件：

• desktop.ini
• iconcache.db
• thumbs.db
• ntuser.ini
• boot.ini
• ntdetect.com
• ntldr
• NTUSER.DAT
• bootmgr
• BOOTNXT
• BOOTTGT
• session.tmp
• Decrypt_ELENOR-corp_info.txt

它会避免加密以下文件夹中的文件：

• steamapps
• Cache
• Boot
• Chrome
• Firefox
• Mozilla
• Mozilla Firefox
• MicrosoftEdge
• Internet Explorer
• TorBrowser
• Opera
• Opera Software
• Common Files
• Config.Msi
• Intel
• Microsoft
• Microsoft Shared
• Microsoft.NET
• MSBuild
• MSOCache
• Packages
• PerfLogs
• Program Files
• Program Files (x86)
• ProgramData
• System Volume Information
• tmp
• Temp
• USOShared
• Windows
• Windows Defender
• Windows Journal
• Windows NT
• Windows Photo Viewer
• Windows Security
• Windows.old
• WindowsApps
• WindowsPowerShell
• WINNT
• $RECYCLE.BIN
• $WINDOWS.~BT
• $Windows.~WS
• :\Users\Public\
• :\Users\Default\
• %AppDataLocal%\{Generated GUID}

(Note: %AppDataLocal% 是本地应用程序数据文件夹, 通常位于此路径 C:\Documents and Settings\{user name}\Local Settings\Application Data 在Windows 2000（32位）、XP及Server 2003（32位）系统上，或 C:\Users\{user name}\AppData\Local 在Windows Vista、7、8、8.1、2008（64位）、2012（64位）及10（64位）系统上。）

它会为加密文件的文件名添加以下扩展名：

• .ELENOR-corp-{Victim ID}

它会释放以下文件作为勒索信：

• {Root of Encrypted Path}\Decrypt_ELENOR-corp_info.txt
• %Desktop%\Decrypt_ELENOR-corp_info.txt
  

它会避免加密具有以下文件扩展名的文件：

• ELENOR-corp-{Victim ID}
• dat
• ut
• 386
• adv
• ani
• ape
• apk
• app
• asf
• assets
• bik
• bin
• cas
• cfg
• chm
• cmd
• com
• cpl
• cur
• dds
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• dmp
• drv
• dsf
• epub
• exe
• fnt
• fon
• gif
• hlp
• hta
• htm
• html
• ico
• ics
• idx
• inf
• info
• ini
• ipch
• lib
• log
• manifest
• mid
• mod
• msc
• msi
• msp
• msstyles
• msu
• mui
• mxf
• nls
• nomedia
• ocx
• otf
• pak
• pif
• ps1
• py
• rc
• reg
• resource
• ress
• rgss3a
• rm
• rmvb
• rom
• rpa
• rpgmvo
• rpgmvp
• rpy
• rpyc
• rtf
• rtp
• rvdata2
• sfcache
• shs
• snd
• so
• swf
• sys
• tak
• theme
• themepack
• tiger
• tmp
• torrent
• ts
• ttc
• ttf
• h
• cpp
• unity3d
• usm
• vbs
• vob
• vsix
• wav
• winmd
• woff
• wpx
• wv
• xex
• xml