Summary:
CYFIRMA has identified a sophisticated dropper binary associated with the "ELPACO-team" ransomware, a new variant of the "MIMIC" ransomware family. This malware employs both malicious and legitimate tools to disable system defenses, encrypt various file types, and ensure persistence, posing a significant threat to individuals and organizations.
Key points:
- The main binary ELPACO-teamv.exe is a 32-bit Windows executable acting as a dropper.
- Utilizes tools like 7za.exe to extract additional payloads, including legitimate utilities and the malicious ransomware payloads.
- The main ransomware payload, ELPACO-team.exe, disguises itself as svhostss.exe.
- Upon execution, the malware drops files into %Temp% and creates a new folder in %LOCALAPPDATA%.
- Disables system recovery features and alters system configurations.
- Encrypts various file types with the extension ELPACO-team while excluding essential system files.
- Modifies the registry for persistence and uses legitimate tools to manipulate system settings.
- Employs stealth techniques to hinder forensic analysis and recovery efforts.
- Utilizes multiple command-line commands and PowerShell scripts to execute malicious operations.
- Identified as part of the Mimic ransomware family, specifically Mimic version 6.3.
MITRE Techniques:
- Initial Access (TA0001): Utilizes phishing and exploits public-facing applications.
- Execution (TA0002): Relies on user execution and exploitation for client execution.
- Persistence (TA0003): Modifies registry run keys for boot or logon autostart execution.
- Defense Evasion (TA0005): Deletes indicators of compromise through file deletion.
- Discovery (TA0007): Conducts system information, file, and network configuration discovery.
- Collection (TA0009): Collects data from the local system.
- Impact (TA0040): Encrypts data for impact.
IoC:
- [MD5 File Hash] 33eeeb25f834e0b180f960ecb9518ea0
- [MD5 File Hash] B93EB0A48C91A53BDA6A1A074A4B431E
- [MD5 File Hash] AC34BA84A5054CD701EFAD5DD14645C9
- [MD5 File Hash] 0BF7C0D8E3E02A6B879EFAB5DEAB013C
- [MD5 File Hash] C44487CE1827CE26AC4699432D15B42A
- [MD5 File Hash] 742C2400F2DE964D0CCE4A8DABADD708
- [MD5 File Hash] 51014C0C06ACDD80F9AE4469E7D30A9E
- [MD5 File Hash] 3B03324537327811BBBAFF4AAFA4D75B
- [MD5 File Hash] 245FB739C4CB3C944C11EF43CDDD8D57
- [MD5 File Hash] 1B37DC212E98A04576AAC40D7CE7D06A
- [MD5 File Hash] 26F59BB93F02D5A65538981BBC2DA9CC
- [MD5 File Hash] 03A63C096B9757439264B57E4FDF49D1
- [MD5 File Hash] 57850A4490A6AFD1EF682EB93EA45E65
- [MD5 File Hash] FADE75EDBF62291FBB99C937AFC9792C
- [MD5 File Hash] B951E50264F9C5244592DFB0A859EC41
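The key points above and the IoC list give a defender two cheap host-side checks: files whose MD5 matches a published hash, and files carrying the ELPACO-team extension. The following scanner is an added example written for this summary, not code from CYFIRMA or the report; it hard-codes the fifteen hashes from the list above (normalized to lowercase, since the list mixes cases and hashlib emits lowercase) and assumes the encrypted files carry the suffix ".ELPACO-team" with a leading dot, which the report's wording does not state explicitly. The sample directory tree and its "known-bad" hash are constructed inside the script so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes copied from this page's IoC list, lowercased so the mixed-case
# entries compare correctly with hashlib.md5().hexdigest() output.
IOC_MD5 = {h.lower() for h in (
    "33eeeb25f834e0b180f960ecb9518ea0", "B93EB0A48C91A53BDA6A1A074A4B431E",
    "AC34BA84A5054CD701EFAD5DD14645C9", "0BF7C0D8E3E02A6B879EFAB5DEAB013C",
    "C44487CE1827CE26AC4699432D15B42A", "742C2400F2DE964D0CCE4A8DABADD708",
    "51014C0C06ACDD80F9AE4469E7D30A9E", "3B03324537327811BBBAFF4AAFA4D75B",
    "245FB739C4CB3C944C11EF43CDDD8D57", "1B37DC212E98A04576AAC40D7CE7D06A",
    "26F59BB93F02D5A65538981BBC2DA9CC", "03A63C096B9757439264B57E4FDF49D1",
    "57850A4490A6AFD1EF682EB93EA45E65", "FADE75EDBF62291FBB99C937AFC9792C",
    "B951E50264F9C5244592DFB0A859EC41",
)}

# Assumption: encrypted files are renamed with a dotted suffix. The report only
# says the extension is "ELPACO-team".
ENCRYPTED_SUFFIX = ".ELPACO-team"


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes=IOC_MD5, suffix=ENCRYPTED_SUFFIX):
    """Walk `root`; return (hash_hits, extension_hits) as sorted path lists.

    hash_hits: files whose MD5 is in `ioc_hashes` (known dropper/payload files).
    extension_hits: files already renamed with the ransomware's suffix.
    """
    hash_hits, ext_hits = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(suffix):
                ext_hits.append(path)
            try:
                if md5_of_file(path) in ioc_hashes:
                    hash_hits.append(path)
            except OSError:
                # Locked, unreadable or vanished file: keep scanning, do not abort.
                continue
    return sorted(hash_hits), sorted(ext_hits)


def demo():
    """Build a constructed sample tree and scan it.

    The 'svhostss.exe' here is inert placeholder bytes named after the disguised
    payload in the report; its hash is added to the IoC set only for this demo.
    """
    sample = b"constructed placeholder bytes, not a real binary"
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "svhostss.exe").write_bytes(sample)
        Path(tmp, "report.docx" + ENCRYPTED_SUFFIX).write_bytes(b"ciphertext")
        Path(tmp, "clean.txt").write_bytes(b"nothing to see here")
        iocs = IOC_MD5 | {hashlib.md5(sample).hexdigest()}  # constructed extra IoC
        hash_hits, ext_hits = scan_directory(tmp, iocs)
        return ([os.path.relpath(p, tmp) for p in hash_hits],
                [os.path.relpath(p, tmp) for p in ext_hits])


if __name__ == "__main__":
    hits, renamed = demo()
    print("IoC hash matches:", hits)
    print("Encrypted-suffix files:", renamed)
```

Running it against a real host means calling `scan_directory` on the paths the report names as drop locations (%Temp% and %LOCALAPPDATA%) rather than the temporary tree; a hash match there is a strong indicator, while the suffix check is the faster triage signal because it needs no hashing. MD5 matching only catches the exact samples in the list, so treat a clean result as absence of these specific files, not absence of the family.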
Full Research: https://www.cyfirma.com/research/elpaco-team-ransomware-a-new-variant-of-the-mimic-ransomware-family/