New Mimic Ransomware Abuses Everything APIs for its Encryption Process

Ransomware

By: Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, Nathaniel Gregory Ragasa

January 26, 2023

Read time: ( words)

Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. This ransomware (which we named Mimic based on a string we found in its binaries), was first observed in the wild in June 2022 and targets Russian and English-speaking users. It is equipped with multiple capabilities such as deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.

In this blog entry, we will take a closer look at the Mimic ransomware, its components and functions, and its connection to the Conti builder that was leaked in early 2022.

Arrival and components

Mimic arrives as an executable that drops multiple binaries and a password-protected archive (disguised as Everything64.dll) which when extracted, contains the ransomware payload. It also includes tools that are used for turning off Windows defender and legitimate sdel binaries.

Figure 1. The Mimic ransomware components

Filename	Description
7za.exe	Legitimate 7zip file that is used to extract the payload
Everything.exe	Legitimate Everything application
Everything32.dll	Legitimate Everything application
Everything64.dll	Password protected archive that contains the malicious payloads

Table 1. Details of the Mimic ransomware components

When executed, it will first drop its components to the %Temp%/7zipSfx folder. It will then extract the password protected Everything64.dll to the same directory using the dropped 7za.exe via the following command:

%Temp%7ZipSfx.0007za.exe” x -y -p20475326413135730160 Everything64.dll

Figure 2. Mimic ransomware’s dropped components

It will also drop the session key file session.tmp to the same directory, which will be used for continuing the encryption in case the process is interrupted.

It will then copy the dropped files to “%LocalAppData%{Random GUID}”, after which the ransomware will be renamed to bestplacetolive.exe and the original files deleted from the %Temp% directory.

Based on our analysis, Mimic supports other command line arguments as shown in table 2.

Cmdline option	Acceptable values	Description
-dir	File path to be encrypted	Directory for encryption
-e	all local net watch ul1 ul2	Encrypt all (Default) Encrypt Local files Encrypt files on Network shares ul:unlocker Creates a thread with interprocess communication and tries to unlock certain memory addresses from another process
-prot		Protects the ransomware from being killed
-pid	<integer>	The process identifier (PID) of the previously-running ransomware.

Table 2. Arguments accepted by Mimic ransomware

Mimic ransomware consists of multiple threads that employ the CreateThread function for faster encryption and render analysis more challenging for security researchers.

When executed, it will first register a hotkey (Ctrl + F1, using the RegisterHotKey API) that displays the status logs being performed by the ransomware.

Figure 4. The function used for registering the hotkey

Figure 5. Sample logs that are shown when Ctrl +F1 is pressed

The ransomware’s config is located at its overlay and is decrypted using the NOT Operation.

Figure 6. Decryption function for the config

Figure 7. Snippet from a decrypted config

Figure 8 shows a more thorough look at the config and its values.

Figure 8. Mimic ransomware config details

Mimic ransomware possesses a plethora of capabilities, including the following:

Collecting system information
Creating persistence via the RUN key
Bypassing User Account Control (UAC)
Disabling Windows Defender
Disabling Windows telemetry
Activating anti-shutdown measures
Activating anti-kill measures
Unmounting Virtual Drives
Terminating processes and services
Disabling sleep mode and shutdown of the system
Removing indicators
Inhibiting System Recovery

Mimic uses Everything32.dll, a legitimate Windows filename search engine that can return real time results for queries, in its routine. It abuses the tool by querying certain file extensions and filenames using Everything’s APIs to retrieve the file’s path for encryption.

Figure 9. Overview of the function that utilizes Everything API

It uses the Everything_SetSearchW function to search for files to be encrypted or avoided using the following search format:

file:<ext:{list of extension}>file:<!endwith:{list of files/directory to avoid}>wholefilename<!{list of files to avoid}>

The following query is used by Mimic to search for files to be encrypted or avoided:

file:<ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt> file:<!endwith:QUIETPLACE> <!”steamapps” !”Cache” !”Boot” !”Chrome” !”Firefox” !”Mozilla” !”Mozilla Firefox” !”MicrosoftEdge” !”Internet Explorer” !”Tor Browser” !”Opera” !”Opera Software” !”Common Files” !”Config.Msi” !”Intel” !”Microsoft” !”Microsoft Shared” !”Microsoft.NET” !”MSBuild” !”MSOCache” !”Packages” !”PerfLogs” !”ProgramData” !”System Volume Information” !”tmp” !”Temp” !”USOShared” !”Windows” !”Windows Defender” !”Windows Journal” !”Windows NT” !”Windows Photo Viewer” !”Windows Security” !”Windows.old” !”WindowsApps” !”WindowsPowerShell” !”WINNT” !”$WINDOWS.~BT” !”$Windows.~WS” !”:UsersPublic” !”:UsersDefault” !”C:UsersWin7x32AppDataLocal{ECD7344E-DB25-8B38-009E-175BDB26EC3D}” !”NTUSER.DAT”> wholefilename:<!”restore-my-files.txt” !”boot.ini” !”bootfont.bin” !”desktop.ini” !”iconcache.db” !”io.sys” !”ntdetect.com” !”ntldr” !”ntuser.dat” !”ntuser.ini” !”thumbs.db” !”session.tmp” !”Decrypt_me.txt”> <!size:0>

Figure 10. The Everything_SetSearchW API used by Mimic ransomware

It then appends the .QUIETPLACE file extension to the encrypted files and, finally, displays the ransom note.

Figure 11. Files that were encrypted by the Mimic ransomware

From our analysis, some parts of the code seemed to be based on, and share several similarities with the Conti ransomware builder that was leaked in March 2022. For example, the enumeration of the encryption modes shares the same integer for both Mimic and Conti.

Figure 12. Similarities between Mimic (top) and the leaked Conti builder (bottom)

Figure 13. Similarities between Mimic (top) and the leaked Conti builder (bottom)

The code related to argument net is also based on Conti. It will use the GetIpNetTable function to read the Address Resolution Protocol (ARP) cache and check if IP addresses contain “172.”, “192.168”, “10.”, or “169.” Mimic added a filter to exclude IP addresses that contain “169.254”, which is the IP range of Automatic Private IP Addressing (APIPA).

Figure 13. Comparison of the Mimic (top) and the leaked Conti builder (bottom) “net” argument

Figure 14. Comparison of the Mimic (top) and the leaked Conti builder (bottom) “net” argument

Mimic also uses the Conti code in Windows Share Enumeration, where it employs the NetShareEnum function to enumerate all shares on the gathered IP addresses.

Figure 14. Comparison of the Mimic (top) and the leaked Conti (bottom) Share Enumeration function

Figure 15. Comparison of the Mimic (top) and the leaked Conti (bottom) Share Enumeration function

Finally, Mimic’s port scanning is also based on the Conti builder.

Figure 15. Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function

Figure 16. Comparison of the Mimic (top) and leaked Conti builder (bottom) port scanning function

More information about the behavior of Mimic ransomware can be found in this report.

Mimic ransomware, with its multiple bundled capabilities, seems to implement a new approach to speeding up its routine by combining multiple running threads and abusing Everything’s APIs for its encryption (minimizing resource usage, therefore resulting in more efficient execution). Furthermore, the threat actor behind Mimic seems to be resourceful and technically adept, using a leaked ransomware builder to capitalize on its various features, and even improve on it for more effective attacks.

To protect systems from ransomware attacks, we recommend that both individual users and organizations implement best practices such as applying data protection, backup, and recovery measures to secure data from possible encryption or erasure. Conducting regular vulnerability assessments and patching systems in a timely manner can also minimize the damage dealt by ransomware that abuse exploits.

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). The right security solutions can also detect malicious components and suspicious behavior to protect enterprises.

Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

SHA-256	Version	Detection name
08f8ae7f25949a742c7896cb76e37fb88c6a7a32398693ec6c2b3d9b488114be	1.1	Ransom.Win32.MIMIC.SMZTJJ-A
9c16211296f88e12538792124b62eb00830d0961e9ab24b825edb61bda8f564f	1.13	Ransom.Win32.MIMIC.SMZTJJ-A
e67d3682910cf1e7ece356860179ada8e847637a86c1e5f6898c48c956f04590	1.14	Ransom.Win32.MIMIC.THLBGBB
c634378691a675acbf57e611b220e676eb19aa190f617c41a56f43ac48ae14c7	3	Ransom.Win32.MIMIC.THLBGBB
c71ce482cf50d59c92cfb1eae560711d47600541b2835182d6e46e0de302ca6c	3	Ransom.Win32.MIMIC.THLBGBB
7ae4c5caf6cda7fa8862f64a74bd7f821b50d855d6403bde7bcbd7398b2c7d99	3.3	Ransom.Win32.MIMIC.THHAABB
a1eeeeae0eb365ff9a00717846c4806785d55ed20f3f5cbf71cf6710d7913c51	3.3	Ransom.Win32.MIMIC.SMZTJJ-A
b0c75e92e1fe98715f90b29475de998d0c8c50ca80ce1c141fc09d10a7b8e7ee	3.3	Ransom.Win32.MIMIC.SMZTJJ-A
1dea642abe3e27fd91c3db4e0293fb1f7510e14aed73e4ea36bf7299fd8e6506	3.4	Ransom.Win32.MIMIC.SMZTJJ-A
4a6f8bf2b989fa60daa6c720b2d388651dd8e4c60d0be04aaed4de0c3c064c8f	3.4	Ransom.Win32.MIMIC.THLBGBB
b68f469ed8d9deea15af325efc1a56ca8cb5c2b42f2423837a51160456ce0db5	3.4	Ransom.Win32.MIMIC.SMZTJJ-A
bb28adc32ff1b9dcfaac6b7017b4896d2807b48080f9e6720afde3f89d69676c	3.4	Ransom.Win32.MIMIC.SMZTJJ-A
bf6fa9b06115a8a4ff3982427ddc12215bd1a3d759ac84895b5fb66eaa568bff	3.4	Ransom.Win32.MIMIC.SMZTJJ-A
ed6cf30ee11b169a65c2a27c4178c5a07ff3515daa339033bf83041faa6f49c1	3.4	Ransom.Win32.MIMIC.THLBGBB
480fb2f6bcb1f394dc171ecbce88b9fa64df1491ec65859ee108f2e787b26e03	3.7	Ransom.Win32.MIMIC.SMZTJJ-A
30f2fe10229863c57d9aab97ec8b7a157ad3ff9ab0b2110bbb4859694b56923f	3.9	Ransom.Win32.MIMIC.SMZTJJ-A
2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea	4	Ransom.Win32.MIMIC.SMZTJJ-A
136d05b5132adafc4c7616cd6902700de59f3f326c6931eb6b2f3b1f458c7457	4.2	Ransom.Win32.MIMIC.SMZTJJ-A
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e		HackTool.Win32.DEFENDERCONTROL.Z

New Mimic Ransomware Abuses Everything APIs for its Encryption Process

Table 1. Details of the Mimic ransomware components

Table 2. Arguments accepted by Mimic ransomware

VMWARE

Helping Public Sector Organisations Define Cloud Strategy

How to change the VLAN ID of the Service Console in ESX from the command line/console

Cisco UCS and Vmware Interfaces (Vnics) HA Design Considerations

Troubleshooting network and TCP/UDP port connectivity issues on ESX/ESXi(2020669)

vSphere Client Parameters

Configuration Templates

CUE Licenses

Trouble shooting Unity Express with Call Manager Integeration & Operational Issues

CME Configuration Example: SIP Trunks to Viatalk and VoIP.ms

SIP Phone registration – CME Configuration

CUE Voicemail + VPIM networking (CUE to unity)

Related Post

VMWARE

Configuration Templates