The PolySwarm Blog


Mimic Ransomware

Feb 7, 2023 12:25:08 PM / by The Hivemind

Related Families: Conti

Executive Summary

Trend Micro recently reported on Mimic ransomware, a ransomware family that abuses Everything APIs.

Key Takeaways

  • Mimic ransomware abuses Everything APIs. 
  • Everything is a legitimate tool developed by Voidtools.
  • Mimic has multiple components, including the legitimate 7zip application, the legitimate Everything application, and a password-protected archive containing the malicious payload. 
  • Some of Mimic’s code appears to be based on the Conti builder leaked in early 2022. 

What is Mimic?

Mimic ransomware is a ransomware family that abuses Everything APIs. Everything is a legitimate Windows filename search engine that allows quick searching and real-time updates using minimal resources. Everything was developed by Voidtools.

Mimic ransomware was active in the wild as early as June 2022 and is known to target English- and Russian-speaking users. It can delete shadow copies, terminate applications and services, and abuse Everything32.dll functions. Mimic is delivered as an executable that drops multiple binaries, including a password-protected archive disguised as Everything64.dll; this archive contains the ransomware payload. Mimic spawns multiple threads with the CreateThread function to speed up encryption, which also makes analysis more difficult.

Mimic ransomware components include the following:

  • 7za.exe - a legitimate 7zip binary, used to extract the payload
  • Everything.exe and Everything32.dll - files belonging to the legitimate Everything application
  • Everything64.dll - a password-protected archive containing the malicious payloads
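One defender-side triage check suggested by the component list: the dropped Everything64.dll is a password-protected archive, not a real DLL, so its first bytes will be the 7-Zip signature rather than the PE "MZ" header. The following is an added example written for this post, not PolySwarm or Trend Micro code; the sample files it builds are constructed stand-ins, not actual Mimic artifacts.

```python
import os
import tempfile

# Well-known file signatures (magic bytes).
PE_MAGIC = b"MZ"                        # DOS stub header of a Windows PE image
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7-Zip archive signature


def classify_header(data: bytes) -> str:
    """Return 'pe', '7z' or 'unknown' from the leading bytes of a file."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    return "unknown"


def scan_directory(directory: str) -> dict:
    """Flag every .dll/.exe in a directory whose content is not a PE image.

    Returns {basename: detected_type} for each extension/content mismatch,
    so a 7z archive renamed Everything64.dll shows up as {'Everything64.dll': '7z'}.
    """
    findings = {}
    for name in sorted(os.listdir(directory)):
        if os.path.splitext(name)[1].lower() not in (".dll", ".exe"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            head = fh.read(8)  # enough for both signatures
        kind = classify_header(head)
        if kind != "pe":
            findings[name] = kind
    return findings


def build_sample_dir() -> str:
    """Constructed sample data (hypothetical, not real malware): a PE-looking
    Everything32.dll, a 7z archive masquerading as Everything64.dll, and a
    text file that should be ignored because of its extension."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "Everything32.dll"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90" * 62)
    with open(os.path.join(d, "Everything64.dll"), "wb") as fh:
        fh.write(SEVENZIP_MAGIC + b"\x00" * 26)
    with open(os.path.join(d, "readme.txt"), "wb") as fh:
        fh.write(b"not a binary")
    return d


if __name__ == "__main__":
    for name, kind in scan_directory(build_sample_dir()).items():
        print(f"{name}: extension says PE, header says {kind}")
```

The same header check can be pointed at a real Everything install directory; a legitimate Everything64.dll or Everything32.dll will classify as "pe".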

Mimic includes a variety of capabilities, such as collecting system information, establishing persistence, bypassing UAC, disabling Windows Defender and telemetry, activating anti-shutdown and anti-kill measures, unmounting virtual drives, terminating services and processes, disabling sleep mode and system shutdown, removing indicators, and inhibiting System Recovery.

According to Trend Micro, some of Mimic's code shares similarities with the Conti ransomware builder leaked in March 2022.

IOCs

PolySwarm has multiple samples associated with Mimic.


You can use the following CLI command to search for all Mimic samples in our portal:

$ polyswarm link list -f Mimic

