Introduction
Mimic ransomware was first observed in June 2022 by researchers at the cyber security company Trend Micro.[1] The Trend Micro researchers also found that the malware uses DLL functions of a legitimate tool called “Everything”, a freeware utility created by the company voidtools.[2] Everything builds a real-time index of every file on a drive so that administrators can search a disk quickly using minimal system resources; Mimic uses the same index to locate files with its target extensions and then encrypts them. Before encrypting anything, Mimic performs several preparation steps: it deletes backups and disables Windows recovery options, stops multiple services and applications including Microsoft Defender, and unpacks the third-party tools it relies on during execution. The purpose of this article is to demonstrate how FortiEDR detects and prevents execution of this malware and its preparation and encryption behaviour, and to show what FortiEDR Threat Hunting telemetry the ransomware generates in a FortiEDR-protected environment and how that telemetry can be leveraged with threat hunting queries.
Figure 1. Attack diagram of Mimic Ransomware
Analysis
Primary Loader:
Upon execution, the primary loader executable of Mimic drops multiple EXE and DLL files into the folder “C:\Users\<USER>\AppData\Local\Temp\7ZipSfx.000\”. It first drops 7za.exe, the command-line executable of the 7-Zip file archiver. It then drops the legitimate files of the “Everything” application (Everything.exe and Everything32.dll) into the same “7ZipSfx.000” folder. A file named “Everything64.dll” is also extracted, but this file is not a DLL: it is a password-protected 7-Zip archive that contains the second-stage malicious payloads. The primary loader unpacks “Everything64.dll” with the following command, where the “-p” parameter supplies the archive password “20475326413135730160”:
"C:\Users\<USER>\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p20475326413135730160 Everything64.dll
Table 1 below describes the function of each file in the unpacked folder.
File Name | Description
7za.exe | Legitimate 7-Zip command-line executable used by the first-stage loader to extract payloads
Everything.exe | Legitimate Everything application executable
Everything32.dll | Legitimate Everything application DLL
Everything64.dll | Password-protected 7-Zip archive that contains the malicious payload and other third-party executables
Mc_virus.exe | Malicious secondary payload, extracted from Everything64.dll
sdel.exe | Sysinternals SDelete (secure delete) utility. Secure delete tools overwrite a deleted file's on-disk data using techniques shown to make the data unrecoverable. Extracted from Everything64.dll
sdel64.exe | 64-bit build of the Sysinternals SDelete utility. Extracted from Everything64.dll
DC.exe | Defender Control, a third-party application that can enable or disable Windows Defender.[3] Extracted from Everything64.dll
Everything.ini | Everything configuration file. Extracted from Everything64.dll
Everything2.ini | Everything configuration file. Extracted from Everything64.dll
Table 1. Files dropped by the primary loader and the secondary payload.
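As an added illustration (not code from the Fortinet article or from the malware itself), the check below shows how a responder can catch the Everything64.dll trick generically: compare a dropped file's extension against its leading bytes. A real DLL starts with the “MZ” DOS header, while every 7-Zip archive starts with the six-byte signature 37 7A BC AF 27 1C, so a “.dll” whose first bytes are the 7-Zip signature is flagged regardless of its name or the archive password. The sample drop folder is constructed in memory for the example.

```python
"""Flag dropped files whose extension does not match their content.

Added example, not code from the Fortinet article or from Mimic. SAMPLE_DROP is
a constructed in-memory stand-in for the 7ZipSfx.000 folder: a 7-Zip signature
header named Everything64.dll next to minimal PE headers named like the real files.
"""
from __future__ import annotations

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature header every 7z archive starts with
PE_MAGIC = b"MZ"                           # DOS stub header of a Windows .exe/.dll

# Content types a given extension is allowed to carry.
EXPECTED = {".dll": {"pe"}, ".exe": {"pe"}, ".7z": {"7z"}}


def sniff(head: bytes) -> str:
    """Classify a file from its leading bytes, ignoring its name."""
    if head.startswith(SEVEN_ZIP_MAGIC):
        return "7z"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def mismatches(files: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Return (name, extension, sniffed type) for each file whose content is not
    one of the types its extension is expected to carry."""
    out = []
    for name, head in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        kind = sniff(head)
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            out.append((name, ext, kind))
    return out


SAMPLE_DROP = {
    # password-protected 7z archive masquerading as a 64-bit DLL
    "Everything64.dll": SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 26,
    "Everything32.dll": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    "7za.exe": PE_MAGIC + b"\x00" * 62,
    "Everything.ini": b"[Everything]\r\n",
}

if __name__ == "__main__":
    for name, ext, kind in mismatches(SAMPLE_DROP):
        print(f"{name}: named {ext} but content is {kind}")
```

On a live host, read the first 64 bytes of each file in the suspect folder and pass them to mismatches(); the same test also catches the reverse case, an executable renamed to a harmless-looking extension.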
The primary loader executable is identified as malicious by FortiEDR because it matches a known FortiGuard AV signature, and its execution is blocked when FortiEDR is configured in Prevention mode. For this analysis we disabled Prevention mode to allow unrestricted execution so that the malware's subsequent activity could be observed. The event blocking the malicious primary loader can be seen in Figure 2 below.
Figure 2. FortiEDR detects primary loader of Mimic Ransomware as malicious.
After extracting these files, the primary loader executes Mc_virus.exe, the second-stage malicious payload of Mimic ransomware. Checking the hash of this file in the FortiGuard Central Threat System (CTS) shows that Mc_virus.exe is flagged as malicious and identified as a known Mimic ransomware executable, as the CTS screenshot below shows:
Figure 3. FortiGuard CTS showing malicious indicator for Mc_virus.exe
After executing Mc_virus.exe, the primary loader deletes the files it dropped in the %TEMP%\7ZipSfx.000 folder. It then creates the file “7ZSfx000.cmd” in “C:\Users\<USER>\AppData\Local\Temp\”, with the following contents:
Figure 4. Contents of the 7ZSfx000.cmd file dropped by the primary loader to delete its own executable
The file is a short batch script. Its commands delete the primary loader executable from a specified path and, once that deletion succeeds, delete the .cmd file itself. Once written to disk, the script is run by the primary loader with the following command:
C:\Windows\system32\cmd.exe /c "C:\Users\<USER>\AppData\Local\Temp\7ZSfx000.cmd"
Secondary Loader
As noted above, the primary loader executes “Mc_virus.exe”, the second-stage loader for the Mimic ransomware payload. When run, the second-stage loader extracts the same set of files the first stage extracted, but into a different folder, Users\<username>\AppData\Local\{ECD7344E-DB25-<alphanum>-009E-<alphanum>}\. This secondary payload, Mc_virus.exe, is also detected as malicious by FortiEDR and is prevented from executing when FortiEDR is in Prevention mode.
In addition to executing the main ransomware payload, the secondary loader adds a Run key registry value for the file “bestplacetolive.exe” to establish persistence on the victim machine (T1547.001). The value is created under “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” with its data set to the location of the “bestplacetolive.exe” file ("C:\Users\user1\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}\bestplacetolive.exe"). Because the value sits in the HKLM hive rather than HKCU, the payload starts for every user who logs on, not only the user who was compromised. The secondary loader also creates a file, “session.tmp”, in the same folder (Users\<username>\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}), which it uses for internal session management. It then executes the main ransomware payload, the previously dropped “bestplacetolive.exe”.
Main Payload
“bestplacetolive.exe” is the main payload of Mimic ransomware. Like most ransomware families, it performs a number of preparation steps before beginning encryption: it disables security tools (T1562.001), creates a power configuration, blocks access to shutdown commands, spawns a watchdog copy of itself, stops services (T1489) and kills processes that could hold files open and hamper complete encryption. These steps are described in more detail in this section.
Malware self-protection:
“bestplacetolive.exe” disables Windows Defender using the open-source tool Defender Control[4], which the previous-stage payload dropped as DC.exe. It launches “DC.exe” through cmd.exe with the following command, where the “/D” switch tells the tool to disable Defender:
cmd.exe /c DC.exe /D
“bestplacetolive.exe” also launches a second copy of itself, passing the process ID of the first instance with the arguments “-e watch -pid <first_instance_pid> -!”. We believe this is a watchdog process that restarts “bestplacetolive.exe” if it is killed.
Anti-shutdown activities
After performing these defense-evasion steps, the “bestplacetolive.exe” process creates a new power plan and applies it so that the victim computer will not sleep or shut down; the plan is created with the Windows utility “powercfg.exe”. The process also kills any running logoff.exe, shutdown.exe and powercfg.exe processes, but only on initial execution; we found no loop that keeps killing these processes afterwards. It also sets multiple registry values that remove the shutdown and logoff controls from the Windows Explorer GUI. The purpose of each modified registry value is described in Table 2 below.
Registry Value | Data | Description
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions | 1 | Removes the shutdown, restart, sleep and hibernate commands from the Start menu (machine-wide policy)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions | 1 | Same as above, applied to the current user
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon | 0 | Disables the Shutdown button on the logon screen
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose | 1 | Removes the Power button and the Shut Down, Restart, Sleep and Hibernate commands from the Start menu
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff | 1 | Removes the Log Off <user-name> item from the Start menu
Table 2. Registry values set by the main Mimic ransomware payload to prevent the user from shutting down a compromised endpoint through the GUI during encryption.
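The values in Table 2 are easy to audit after an incident. The script below is an added example, not part of the Fortinet article: it parses the text that `reg query <key>` prints (the REG_DUMP sample is constructed to mimic that layout), reports which of the five policies are in the state Mimic leaves them in, and emits the reg.exe commands that undo each one. Registry value names are case-insensitive, so the lower-cased names in the output are valid in the generated commands.

```python
"""Audit a `reg query` dump for the anti-shutdown policy values in Table 2.

Added example, not from the Fortinet article. REG_DUMP below is constructed
text in the layout `reg query <key>` prints; on a suspect host (or from an
exported hive) run the real queries and pass their output to audit().
"""
from __future__ import annotations

import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
EXPLORER = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# (hive, subkey, lower-cased value name) -> (data Mimic writes, how to undo it).
# Deleting an Explorer policy value restores the default; shutdownwithoutlogon
# exists by default (1 on client SKUs), so it is set back rather than deleted.
POLICY_TABLE = {
    ("HKLM", EXPLORER, "hidepoweroptions"): (1, "delete"),
    ("HKCU", EXPLORER, "hidepoweroptions"): (1, "delete"),
    ("HKLM", SYSTEM, "shutdownwithoutlogon"): (0, "set:1"),
    ("HKCU", EXPLORER, "noclose"): (1, "delete"),
    ("HKCU", EXPLORER, "startmenulogoff"): (1, "delete"),
}


def parse_reg_query(text: str) -> dict[tuple[str, str], dict[str, int]]:
    """Parse `reg query` output into {(hive, subkey): {value name: data}}.
    Key paths are unindented; values are indented as NAME  TYPE  DATA.
    Only REG_DWORD values are kept, which is all Table 2 needs."""
    keys: dict[tuple[str, str], dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            hive, _, subkey = line.strip().partition("\\")
            current = (HIVES.get(hive, hive), subkey)
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}|\t", line.strip())
        if current is None or len(parts) < 3 or parts[1] != "REG_DWORD":
            continue
        keys[current][parts[0].lower()] = int(parts[2], 16)
    return keys


def audit(text: str) -> list[tuple[str, str, int]]:
    """Return (key path, value name, data) for every policy left in Mimic's state."""
    keys = parse_reg_query(text)
    findings = []
    for (hive, subkey, name), (bad_data, _) in POLICY_TABLE.items():
        if keys.get((hive, subkey), {}).get(name) == bad_data:
            findings.append((f"{hive}\\{subkey}", name, bad_data))
    return findings


def remediation(findings: list[tuple[str, str, int]]) -> list[str]:
    """reg.exe commands that undo each finding (review before running them)."""
    cmds = []
    for path, name, _ in findings:
        hive, _, subkey = path.partition("\\")
        action = POLICY_TABLE[(hive, subkey, name)][1]
        if action == "delete":
            cmds.append(f'reg delete "{path}" /v {name} /f')
        else:
            cmds.append(f'reg add "{path}" /v {name} /t REG_DWORD /d {action.split(":")[1]} /f')
    return cmds


# Constructed dump: four of the five policies are in the malicious state,
# StartMenuLogOff is not, and an unrelated value is present as noise.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HidePowerOptions    REG_DWORD    0x1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    HidePowerOptions    REG_DWORD    0x1
    NoClose    REG_DWORD    0x1
    StartMenuLogOff    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    shutdownwithoutlogon    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
"""

if __name__ == "__main__":
    found = audit(REG_DUMP)
    for path, name, data in found:
        print(f"{path}\\{name} = {data}")
    print("\n".join(remediation(found)))
```

Run the five `reg query` commands on the affected host (HKLM and HKCU for the logged-on user), concatenate the output and feed it to audit(); a clean host returns an empty list.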
Unlock in-use files:
“bestplacetolive.exe” starts three child copies of itself with the parameters “-e ul1”, “-e ul2” and “-startup”. The main process then stops multiple services and kills multiple processes that could interfere with encryption because they hold files open while running. The services stopped are listed in Table 3; note that several of them (SDRSVC, wbengine, fhsvc) are backup services, so stopping them also supports the recovery-inhibition steps described later. The processes killed, taken from a list hard-coded in the malware, are shown in Table 4; killing taskmgr.exe, tasklist.exe and taskkill.exe also makes it harder for a user to spot and terminate the ransomware by hand.
Service | Description
WSearch | Windows Search service, which supports the Instant Search feature
pla | Performance Logs and Alerts (PLA)
DusmSvc | Data Usage service
defragsvc | Optimize Drives service
DoSvc | Delivery Optimization service
wercplsupport | Problem Reports and Solutions Control Panel Support service
SDRSVC | Windows Backup service, which provides Backup and Restore capabilities
TroubleshootingSvc | Troubleshooting service
Wecsvc | Windows Event Collector service
fhsvc | File History service
wbengine | Block Level Backup Engine service (Windows Backup and recovery)
PcaSvc | Program Compatibility Assistant service
WerSvc | Windows Error Reporting service
SENS | System Event Notification Service
AppIDSvc | Application Identity service
BITS | Background Intelligent Transfer Service
wuauserv | Windows Update service
SysMain | Superfetch, renamed SysMain from Windows 10 version 1809
DiagTrack | Connected User Experiences and Telemetry (Diagnostics Tracking) service, which collects data about functional issues in Windows
diagnosticshub.standardcollector.service | Diagnostics Hub Standard Collector service, which collects and processes real-time ETW events
dmwappushservice | Device Management WAP Push service, which routes Wireless Application Protocol push messages
WMPNetworkSvc | Windows Media Player Network Sharing service, which shares the media library over the network
Table 3. Services stopped by the Mimic ransomware payload.
Process Killed | Description
SearchIndexer.exe | Windows Search indexer, which indexes files so that searches return faster
SearchProtocolHost.exe | Windows Search protocol host, through which other applications access data indexed by SearchIndexer.exe
SearchApp.exe | Windows Search user interface, which presents results from SearchIndexer.exe to the user
CompatTelRunner.exe | Part of the Windows (Compatibility) telemetry system
wsqmcons.exe | Windows Customer Experience Improvement Program consolidator
taskmgr.exe | Windows Task Manager
tasklist.exe | Command-line tool that lists running processes
taskkill.exe | Command-line tool that terminates processes
perfmon.exe | Windows Performance Monitor
logoff.exe | Windows executable that logs off the current user
shutdown.exe | Windows executable that shuts down or restarts the system
Table 4. Processes killed by the Mimic ransomware payload.
Delete backups:
The malware then stops any Hyper-V virtual machines running on the system, enumerates the VHD objects of each hosted virtual machine and dismounts the associated VHD images (including any parent disks). The VHDs are dismounted so that the VHD files can be encrypted without another process holding them open. These events can be seen in Figure 5, taken from the FortiEDR Threat Hunting page.
Figure 5. FortiEDR Threat Hunting page showing the commands the malware runs to stop virtual machines and dismount virtual hard disks
The main ransomware process then enumerates the disk volumes on the victim machine and dismounts the disk images behind them (Get-Volume | Get-DiskImage | Dismount-DiskImage). In practice this pipeline only resolves volumes that belong to a mounted disk image (VHD, VHDX or ISO), so it releases mounted image files rather than physical or removable drives; we believe the aim is to free those image files for encryption. The main ransomware process then deletes backups with the Windows utility ‘wbadmin.exe’ and disables Windows recovery with ‘bcdedit.exe’. Boot Configuration Data (BCD) files provide a store that describes boot applications and their settings, and BCDEdit is the command-line tool for managing that store.[5] It can create new stores, modify existing ones and add boot-menu options; ransomware typically uses “bcdedit.exe” to disable Windows recovery so that the victim cannot boot into the recovery environment after encryption. The malware executes the following commands:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
wbadmin.exe DELETE SYSTEMSTATEBACKUP
wbadmin.exe delete catalog -quiet
FortiEDR detects and mitigates the ransomware's use of wbadmin.exe as a “Service Access” event under the “Exfiltration Prevention” rule group. Figure 6 below shows a sample event in which FortiEDR blocked “bestplacetolive.exe” from running wbadmin.exe in this way.
Figure 6. FortiEDR blocks the main Mimic ransomware process (bestplacetolive.exe) from executing wbadmin.exe to delete backups.
The ransomware's attempts to execute bcdedit.exe are also detected and blocked by FortiEDR as a “Malicious File Detected” event under the “Execution Prevention” security policy; an example of this event is shown in Figure 7 below. The same event shows “bestplacetolive.exe” detected under the threat name “Filecoder_Mimic.A!tr.ransom”, a signature drawn from FortiGuard AV.
Figure 7. FortiEDR blocks the malware from executing the system utility bcdedit.exe
File Encryption Process:
“bestplacetolive.exe” creates two instances of the “Everything.exe” process with the parameter “-startup”, which tells Everything to run in the background[6]; these processes build an index of the files on the system, which the malware later queries through the Everything DLL's search functions. As described above, by this point the malware has deleted backups and dismounted virtual machine disks and disk images. It then starts encrypting files on the victim machine, first overwriting each original file with its encrypted content and then renaming it with the “.QUIETPLACE” extension. This behaviour triggers the “File Encryptor - Suspicious File Modification” rule in the FortiEDR “Ransomware Prevention” security policy, as shown in Figure 8 below.
Figure 8. FortiEDR blocks file encryption attempt by Mimic Ransomware
After finishing encryption, the malware runs the Microsoft Sysinternals tool SDelete to clean the free space on the encrypted drives. The malware dropped 32-bit and 64-bit copies of SDelete as sdel.exe and sdel64.exe respectively and runs the one matching the operating system. In our case it used the following command:
sdel64.exe -accepteula -p 1 -c C:\
Here “-c” cleans free space and “-p 1” specifies a single overwrite pass.[7] The ransomware does this to prevent recovery of original file content that might still be retrievable from unallocated space on the disk.
Once encryption is complete, the main process drops a ransom note at “C:\Users\<USERNAME>\AppData\Local\Decrypt_me.txt” and launches notepad.exe with that path as its argument to display the note to the user. A screenshot of the ransom note is shown in Figure 9 below.
Figure 9. Ransom note created by the Mimic ransomware sample analyzed in this article.
Conclusion
Mimic ransomware indexes the files on the victim computer very quickly because it relies on the multi-process indexing engine of the “Everything” software. One prominent difference we noticed compared with other ransomware families is its heavy and brazen use of command-line and third-party administrative utilities: a bundled 7-Zip executable to extract its dropped archive, Everything.exe to index and search files on the victim machine, Defender Control (DC.exe) to disable Windows Defender, built-in Windows utilities (powercfg.exe, PowerShell, wbadmin.exe, bcdedit.exe) and finally the Sysinternals tool SDelete (sdel64.exe) to clean free space after encryption. Given such prevalent use of administrative utilities, we suspect the malware author may have a background in IT administration.
Another prominent difference is that Mimic is very “loud” in terms of the events and commands it generates on the victim machine. This contrasts with many ransomware families that obfuscate their behaviour or implement these preparation steps inside the core ransomware code rather than through third-party tools. Analysing the assembly of the main ransomware executable, we identified multiple plaintext comments written to internal logs, which again differs from families that remove or obfuscate such artifacts. This also supports our theory that the author may have an IT background.
As shown in this article, FortiEDR effectively detects and mitigates the risk posed by Mimic ransomware and its subsequent behaviour. For the analysis above, FortiEDR was configured in ‘Log Only’ mode to demonstrate detection across every stage of Mimic's execution. FortiEDR detected each stage of the malware, including the service access and the file encryption process, and blocks them when Prevention mode is enabled. The threat hunting queries below allow organisations to put additional detections in place for behaviours associated with Mimic ransomware and to assist with triaging potential intrusions.
Threat Hunting
The extraction of Everything64.dll by the primary loader can be detected with the following Threat Hunting query. The malware author may change the password string in future versions; in that case this query would no longer match, although the password component could be dropped from the command-line clause for broader coverage at the cost of more false positives.
Type: ("Process Creation") AND Target.Process.Name:7za.exe AND Target.Process.CommandLine:("x -y -p20475326413135730160 Everything64.dll")
The following query finds execution of the 7ZSfx000.cmd script which, as described above, deletes the temporary files the malware dropped in the AppData\Local\Temp directory. The author may rename this script in future, which would stop this query from matching.
Type: ("Process Creation") AND Target.Process.Name:cmd.exe AND Target.Process.CommandLine:("7ZSfx000.cmd")
The primary loader drops the secondary loader "Mc_virus.exe" using the bundled 7za.exe. File Create events for this behaviour can be found with the following query:
Type: ("File Create") AND Source.Process.Name:7za.exe AND Target.File.Name: ("Mc_virus.exe")
The secondary loader drops a number of third-party executables and support files into the AppData folder. File Create events for this behaviour can be found with the following query:
Type: ("File Create") AND Source.Process.Name:Mc_virus.exe AND Target.File.Name: ("sdel64.exe" OR "sdel.exe" OR "DC.exe" OR "session.tmp" OR "bestplacetolive.exe" OR "Everything2.ini" OR "Everything.ini")
The secondary loader executes the main payload "bestplacetolive.exe". Related Process Creation events can be found with the following query:
Type: ("Process Creation") AND Source.Process.Name:mc_virus.exe AND Target.Process.Name:bestplacetolive.exe
The main Mimic ransomware process runs a PowerShell command to find and stop all Hyper-V virtual machines hosted on the endpoint. Related Process Creation events can be found with the following query:
Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-VM | Stop-VM\""
The main Mimic ransomware process runs a PowerShell command to find and dismount the virtual hard disks of those virtual machines, including their parent disks. Related Process Creation events can be found with the following query:
Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage\""
The main Mimic ransomware process runs a PowerShell command to dismount any disk images mounted as volumes on the endpoint. Related Process Creation events can be found with the following query:
Type: ("Process Creation") AND Source.Process.Name:bestplacetolive.exe AND Target.Process.Name:powershell.exe AND Target.Process.CommandLine:"-ExecutionPolicy Bypass \"Get-Volume | Get-DiskImage | Dismount-DiskImage\""
The persistence (auto-run) entry created for bestplacetolive.exe in the registry can be found with the following query, which returns the associated Value Created events:
Type: ("Value Created") AND Registry.Path:"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" AND Registry.Data:bestplacetolive.exe
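The individual queries above each find one step of the chain, while an analyst usually wants to know that several of them came from the same parent process. The block below is an added example, not part of the Fortinet article and not a FortiEDR feature: it applies rules equivalent to those queries and to the bcdedit/wbadmin recovery-inhibition commands shown earlier (Defender Control, bcdedit, wbadmin, the Hyper-V PowerShell one-liners, SDelete and the Run key) to a constructed batch of telemetry records whose field names follow the queries, and alerts only when one parent process accounts for several distinct behaviours. Source.Process.PID is an assumed field used for grouping; the Run-key rule is generalised to any value pointing at an executable under AppData\Local, which is broader than the bestplacetolive.exe query above.

```python
"""Correlate endpoint telemetry into the Mimic behaviour chain described above.

Added example; it is not part of the Fortinet article and is not a FortiEDR
feature. SAMPLE_EVENTS is constructed, with field names modelled on the Threat
Hunting queries (Type, Source.Process.Name, Target.Process.Name,
Target.Process.CommandLine, Registry.Path, Registry.Data); Source.Process.PID is
an assumed field used only to group events by parent process.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Each rule: (id, target image names it applies to, regex over the normalised
# command line). Patterns key on the effect (recovery off, backups gone, VMs
# stopped, free space wiped) rather than on the exact argument order or case.
PROCESS_RULES = [
    ("defender_control", {"dc.exe", "cmd.exe"}, r"(^|\s|\\)dc\.exe /d(\s|$)"),
    ("bcdedit_recovery_off", {"bcdedit.exe"},
     r"recoveryenabled no|bootstatuspolicy ignoreallfailures"),
    ("wbadmin_delete_backup", {"wbadmin.exe"},
     r"\bdelete\b.*\b(catalog|systemstatebackup)\b"),
    ("vm_stop", {"powershell.exe"}, r"\bstop-vm\b"),
    ("disk_image_dismount", {"powershell.exe"}, r"\bdismount-diskimage\b"),
    ("sdelete_free_space", {"sdel.exe", "sdel64.exe"}, r"(^|\s)-c(\s|$)"),
]
RUN_KEY = r"\microsoft\windows\currentversion\run"


def norm(cmdline: str) -> str:
    """Lower-case and collapse whitespace so matching ignores case and spacing."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_event(ev: dict) -> str | None:
    """Return the id of the rule this single event satisfies, or None."""
    if ev.get("Type") == "Process Creation":
        image = ev.get("Target.Process.Name", "").lower()
        cl = norm(ev.get("Target.Process.CommandLine", ""))
        for rule_id, images, pattern in PROCESS_RULES:
            if image in images and re.search(pattern, cl):
                return rule_id
    elif ev.get("Type") == "Value Created":
        # Generalises the bestplacetolive.exe query: any Run value pointing at
        # an executable under AppData\Local is worth a look.
        path = ev.get("Registry.Path", "").lower()
        data = ev.get("Registry.Data", "").lower()
        if path.endswith(RUN_KEY) and "\\appdata\\local\\" in data and data.endswith(".exe"):
            return "run_key_persistence"
    return None


def group_hits(events: list[dict]) -> dict[tuple[str, int], list[str]]:
    """Distinct rule ids per (source image, source pid), in order of first hit."""
    hits: dict[tuple[str, int], list[str]] = defaultdict(list)
    for ev in events:
        rule_id = match_event(ev)
        if rule_id is None:
            continue
        key = (ev.get("Source.Process.Name", "?").lower(), ev.get("Source.Process.PID", 0))
        if rule_id not in hits[key]:
            hits[key].append(rule_id)
    return dict(hits)


def correlate(events: list[dict], threshold: int = 3) -> list[dict]:
    """Alert on any parent that exhibits >= threshold distinct behaviours.
    A lone wbadmin or bcdedit run (routine admin work) stays below threshold."""
    return [
        {"process": name, "pid": pid, "rules": rules}
        for (name, pid), rules in group_hits(events).items()
        if len(rules) >= threshold
    ]


def _pc(src: str, pid: int, target: str, cmdline: str) -> dict:
    """Build a constructed Process Creation event in the telemetry shape above."""
    return {"Type": "Process Creation", "Source.Process.Name": src, "Source.Process.PID": pid,
            "Target.Process.Name": target, "Target.Process.CommandLine": cmdline}


SAMPLE_EVENTS = [
    _pc("bestplacetolive.exe", 4120, "cmd.exe", "cmd.exe /c DC.exe /D"),
    _pc("bestplacetolive.exe", 4120, "bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    _pc("bestplacetolive.exe", 4120, "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    _pc("bestplacetolive.exe", 4120, "wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    _pc("bestplacetolive.exe", 4120, "powershell.exe",
        'powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"'),
    _pc("bestplacetolive.exe", 4120, "sdel64.exe", "sdel64.exe -accepteula -p 1 -c C:\\"),
    # An administrator clearing an old backup catalog by hand: one hit, no alert.
    _pc("cmd.exe", 900, "wbadmin.exe", "wbadmin.exe DELETE CATALOG -quiet"),
    {"Type": "Value Created", "Source.Process.Name": "Mc_virus.exe", "Source.Process.PID": 3900,
     "Registry.Path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Registry.Data": r"C:\Users\user1\AppData\Local\{ECD7344E-DB25-8B38-009E-175BDB26EC3D}\bestplacetolive.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold to your environment: a single wbadmin or bcdedit invocation is normal administration, but three or more of these behaviours from one non-system parent is a strong ransomware signal. The SDelete rule is deliberately scoped to the sdel.exe/sdel64.exe names this sample used; add sdelete.exe and sdelete64.exe if you want it to fire on the stock Sysinternals binary as well.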
MITRE ATT&CK Mapping
TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1059.001 | Command and Scripting Interpreter: PowerShell | Bypasses the PowerShell execution policy and runs PowerShell commands to stop virtual machines and dismount virtual hard disks and disk images
TA0003 - Persistence
Technique ID | Technique Description | Observed Activity
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Creates a value under the HKLM Run key for the main ransomware payload “bestplacetolive.exe”
TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
T1027 | Obfuscated Files or Information | Dropped files are extracted from a password-protected 7-Zip archive masquerading as Everything64.dll; the threat actor drops its own 7za.exe to unpack them during execution
T1562.001 | Impair Defenses: Disable or Modify Tools | Disables Windows Defender through Defender Control (DC.exe /D), kills taskmgr.exe, tasklist.exe and taskkill.exe, and modifies the DataCollection policy (disables AllowTelemetry under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection)
T1562.006 | Impair Defenses: Indicator Blocking | bestplacetolive.exe disables the telemetry policy in the DataCollection group using RegCreateKeyExW (disables AllowTelemetry under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection)
T1497 | Virtualization/Sandbox Evasion | Contains long sleeps to evade sandbox analysis; the sleeps are implemented in both the loaders and the main executable
T1070.004 | Indicator Removal: File Deletion | Deletes the primary loader executable and the temporary files it dropped via the 7ZSfx000.cmd script
TA0007 - Discovery
Technique ID | Technique Description | Observed Activity
T1518.001 | Software Discovery: Security Software Discovery | Checks for and disables Windows Defender
T1057 | Process Discovery | Enumerates running processes and kills those on a list hard-coded in the malware
T1082 | System Information Discovery | Lists drive volumes in order to dismount the disk images behind them
T1083 | File and Directory Discovery | Enumerates files and folders through the third-party utility Everything.exe
T1120 | Peripheral Device Discovery | Checks the available system drives to find files to encrypt
TA0040 - Impact
Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | Encrypts user documents and files. Encryption is performed by the main ransomware process: files are overwritten with encrypted content and then renamed with the .QUIETPLACE extension
T1489 | Service Stop | Stops multiple Windows services on the victim machine. The services are stopped directly by the malware; the full list is given in Table 3 above
T1490 | Inhibit System Recovery | Uses wbadmin.exe to delete backups and bcdedit.exe to disable Windows recovery options
IOCs
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Executable | 4b53652574ce6ded87c9884bc88b491424e83e79 | SHA1 Hash | Installation | Primary payload (loader) of Mimic ransomware | 2022-12-12
Malicious Executable | b7581da9c48e1b514664d560f866899745620b82 | SHA1 Hash | Installation | Secondary payload (Mc_virus.exe) of Mimic ransomware | 2023-01-27
Malicious Archive | f204bcdf564eb2a5bdfa74745ce53263c8f6476f | SHA1 Hash | Installation | Password-protected 7-Zip archive (dropped as Everything64.dll) containing the malicious payload | 2022-12-12
Executable used by malware | dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b | SHA1 Hash | Execution | Defender Control, software used to disable Windows Defender | 2021-06-19
[1] https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-e...
[2] https://www.voidtools.com/faq/
[3] https://www.sordum.org/9480/defender-control-v2-1/
[4] https://github.com/qtkite/defender-control
[5] https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options?...
[6] https://www.voidtools.com/support/everything/command_line_options/
[7] https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
Copyright 2025 Fortinet, Inc. All Rights Reserved.