Summary:
CYFIRMA has identified a sophisticated dropper binary associated with the “ELPACO-team” ransomware, a new variant of the “MIMIC” ransomware family. This malware employs both malicious and legitimate tools to disable system defenses, encrypt various file types, and ensure persistence, posing a significant threat to individuals and organizations.
Key points:
The main binary ELPACO-teamv.exe is a 32-bit Windows executable acting as a dropper.
Uses bundled tools such as 7za.exe to extract additional components, including legitimate utilities and the malicious ransomware payload.
The main ransomware payload, ELPACO-team.exe, disguises itself as svhostss.exe.
Upon execution, the malware drops files into %Temp% and creates a new folder in %LOCALAPPDATA%.
Disables system recovery features and alters system configurations.
Encrypts a wide range of file types, appending the ELPACO-team extension, while excluding essential system files so the host remains bootable.
Modifies the registry for persistence and uses legitimate tools to manipulate system settings.
Employs stealth techniques to hinder forensic analysis and recovery efforts.
Utilizes multiple command-line commands and PowerShell scripts to execute malicious operations.
Identified as part of the Mimic ransomware family, specifically version 6.3 of Mimic.
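A small hunting check built from the behaviours listed above (the svhostss.exe masquerade, Run-key persistence pointing into a user-writable folder, and a burst of files carrying the ELPACO-team extension). This is an added example, not code from the CYFIRMA report; the telemetry records, field names and the burst threshold are constructed assumptions, and the Run-key check is generalised to cover RunOnce as well.

```python
import re

# Constructed sample telemetry (not from the report), loosely modelled on
# Sysmon-style fields: one dict per process, registry or file event.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\a\AppData\Local\Temp\7za.exe"},
    {"type": "process", "image": r"C:\Users\a\AppData\Local\x1\svhostss.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x1",
     "data": r"C:\Users\a\AppData\Local\x1\svhostss.exe"},
    {"type": "file", "path": r"C:\Users\a\Documents\q1.xlsx.ELPACO-team"},
    {"type": "file", "path": r"C:\Users\a\Documents\q2.docx.ELPACO-team"},
    {"type": "file", "path": r"C:\Users\a\Documents\notes.txt.ELPACO-team"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
]

# Run and RunOnce keys under any hive; the payload is dropped under %LOCALAPPDATA%.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)
LOOKALIKE = "svhostss.exe"   # one letter off the legitimate svchost.exe
EXT = ".elpaco-team"         # extension appended to encrypted files


def detect(events, burst_threshold=3):
    """Return (rule, detail) findings for a list of event records."""
    findings = []
    ext_count = 0
    for ev in events:
        if ev["type"] == "process":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name == LOOKALIKE:
                findings.append(("masquerade_process", ev["image"]))
        elif ev["type"] == "registry":
            data = ev["data"].lower()
            if RUN_KEY.search(ev["key"]) and (
                USER_WRITABLE.search(data) or LOOKALIKE in data
            ):
                findings.append(("run_key_persistence", ev["key"]))
        elif ev["type"] == "file" and ev["path"].lower().endswith(EXT):
            ext_count += 1
    # A single renamed file is noise; several in one batch is the encryption loop.
    if ext_count >= burst_threshold:
        findings.append(("encryption_extension_burst", f"{ext_count} files with {EXT}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```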
MITRE Techniques:
Initial Access (TA0001): Utilizes phishing and exploits public-facing applications.
Execution (TA0002): Relies on user execution and exploitation for client execution.
Persistence (TA0003): Modifies registry run keys for boot or logon autostart execution.
Defense Evasion (TA0005): Deletes indicators of compromise through file deletion.
Discovery (TA0007): Conducts system information, file, and network configuration discovery.
Collection (TA0009): Collects data from the local system.
Impact (TA0040): Encrypts data for impact.
IoC: MD5 file hashes for the analysed samples (see the full research link below).
Full Research: https://www.cyfirma.com/research/elpaco-team-ransomware-a-new-variant-of-the-mimic-ransomware-family/