FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

General discussion related to "Everything".
Post Reply
horst.epp
Posts: 1448
Joined: Fri Apr 04, 2014 3:24 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by horst.epp »

There s nothing special on this and no way to prevent it from Everything.
Users have to follow the known rules to prevent their system from being hacked or abused.
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by NotNull »

Those ransomware dudes are getting cleverer by the day ...

Luckily, we have Everything, so we can search for
ext:QUIETPLACE
to see if we are affected/infected.
therube
Posts: 4985
Joined: Thu Sep 03, 2009 6:48 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by therube »

Trend doesn't say, but I wonder if "sdel.exe" isn't (Sysinternals) SDelete.
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by NotNull »

From the bleepingcomputer forums:
7za.exe (no signature)
DC.exe (closes Defender, sordum.org signature)
Everything.exe (voidtools signature)
Everything.ini
Everything2.ini
Everything32.dll (voidtools signature)
Everything64.dll (no signature)
sdel.exe (appears to be a renamed Sysinternals Secure File delete / sdelete with Microsoft Signature)
sdel64.exe (appears to be a renamed Sysinternals Secure File delete / sdelete with Microsoft Signature)

session.tmp (I think this is personalized)
systemi64.exe (malware)
therube
Posts: 4985
Joined: Thu Sep 03, 2009 6:48 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by therube »

Odd then that Trend didn't specifically mention that (as it should be easy to determine).

(Any recent Sysinternals program, on first invocation, would give a UAC prompt [I think it was a UAC prompt - at least some prompt] - older, unsigned versions did not. And of course, the malware could override UAC too.)
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by NotNull »

therube wrote: Wed Feb 01, 2023 4:48 pm And of course, the malware could override UAC too.)
It does. From the original article:
The new ransomware family features several capabilities seen in modern strains, such as:
Collecting system information
Creating persistence via the RUN key
Bypassing User Account Control (UAC)
[...]
BTW:
UAC is not meant as a security measure. It's more to force developers to write 'good' software.
Bypassing UAC is not very hard. I even wrote my own script to do so (long ago)
(Was quite proud of myself, only to find out after a websearch that there were already 17 different methods available. Mine was even among them ...)
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by raccoon »

Does anyone know where we can find a specimen of their everything.ini and everything2.ini file contents? I would like to see what files they are seeking with what filters and keywords.
NotNull
Posts: 5461
Joined: Wed May 24, 2017 9:22 pm

Re: FYI:New Mimic ransomware abuses ‘Everything’ Windows search tool

Post by NotNull »

The search is for databases (including xls and doc files) thereby excluding regular Windows and browser operation (to go undetected as long as possible, I guess)
The search feels like a ransomware-kit that was bought off-the-shelf and after that modified to add entries for this specific malware (different styles)

Anyway, the search:
file:<ext:;sql;sqlite;sqlite3;sqlitedb;mdf;mdb;adb;db;db3;dbf;dbs;udb;dbv;dbx;edb;exb;1cd;fdb;idb;mpd;myd;odb;xls;xlsx;doc;docx;bac;bak;back;zip;rar;dt> file:<!endwith:QUIETPLACE> <!"\steamapps\" !"\Cache\" !"\Boot\" !"\Chrome\" !"\Firefox\" !"\Mozilla\" !"\Mozilla Firefox\" !"\MicrosoftEdge\" !"\Internet Explorer\" !"\Tor Browser\" !"\Opera\" !"\Opera Software\" !"\Common Files\" !"\Config.Msi\" !"\Intel\" !"\Microsoft\" !"\Microsoft Shared\" !"\Microsoft.NET\" !"\MSBuild\" !"\MSOCache\" !"\Packages\" !"\PerfLogs\" !"\ProgramData\" !"\System Volume Information\" !"\tmp\" !"\Temp\" !"\USOShared\" !"\Windows\" !"\Windows Defender\" !"\Windows Journal\" !"\Windows NT\" !"\Windows Photo Viewer\" !"\Windows Security\" !"\Windows.old\" !"\WindowsApps\" !"\WindowsPowerShell\" !"\WINNT\" !"\$WINDOWS.~BT\" !"\$Windows.~WS\" !":\Users\Public\" !":\Users\Default\" !"C:\Users\Win7x32\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}" !"NTUSER.DAT"> wholefilename:<!"restore-my-files.txt" !"boot.ini" !"bootfont.bin" !"desktop.ini" !"iconcache.db" !"io.sys" !"ntdetect.com" !"ntldr" !"ntuser.dat" !"ntuser.ini" !"thumbs.db" !"session.tmp" !"Decrypt_me.txt"> <!size:0>
Post Reply