Introduction

In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named "Ymir". The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls. In the case we analyzed, the attacker gained access to the system via PowerShell remote control commands. After that, they installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after weakening the system's security, the adversary ran Ymir to achieve their goals. In this post, we provide a detailed analysis of the Ymir ransomware, as well as the tactics, techniques and procedures (TTPs) employed by the attackers.

Analysis

Static analysis

Our analysis began with a basic inspection of the artifact. We started by analyzing its properties, such as the file type, and relevant strings and capabilities, as shown in the table and images below.

Hash | Value
---|---
MD5 | 12acbb05741a218a1c83eaa1cfc2401f
SHA-1 | 3648359ebae8ce7cacae1e631103659f5a8c630e
SHA-256 | cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8

File type identification

Although the binary does not raise suspicions of being packed, as its entropy is not high enough, the presence of API calls to functions like malloc, memmove and memcmp indicates that it can allocate memory buffers at runtime and copy code or data into them, consistent with the in-memory operations noted above. Calls…
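The static-triage steps described above (file-type identification, entropy as a packing indicator, and a hash lookup against the IOC table) as one runnable script. This is an added example written for readers of this post, not the authors' tooling or any code from the Ymir sample. The 7.2 bits/byte packing threshold is a common rule of thumb and an assumption here, and the two-section PE skeleton produced by build_demo_pe() is constructed for the demonstration; it is not a real sample and is not loadable.

```python
"""Static triage: file type check, Shannon entropy (whole file and per PE
section), and hash lookup against the Ymir IOCs from the table in the post.
Added example, not the post authors' tooling; the demo PE is constructed."""
import hashlib
import math
import struct
from collections import Counter

# The three hashes from the table in the post (the only IOCs this script knows).
YMIR_HASHES = {
    "md5": "12acbb05741a218a1c83eaa1cfc2401f",
    "sha1": "3648359ebae8ce7cacae1e631103659f5a8c630e",
    "sha256": "cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8",
}

# Assumption (rule of thumb, not from the post): above ~7.2 bits/byte a section
# is usually compressed or encrypted, i.e. a packing/crypting indicator.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Check the MZ stub and the PE\\0\\0 signature at e_lfanew (DOS header +0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_sections(data: bytes) -> list:
    """Return (name, raw_bytes) per section, parsed directly from the headers."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4  # COFF header after signature
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    first = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        hdr = first + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(data: bytes) -> dict:
    """The first checks an analyst runs on an unknown binary, as one report."""
    digests = {name: getattr(hashlib, name)(data).hexdigest() for name in YMIR_HASHES}
    report = {
        "is_pe": is_pe(data),
        "known_ymir": any(digests[k] == v for k, v in YMIR_HASHES.items()),
        "file_entropy": round(shannon_entropy(data), 3),
        "sections": {},
    }
    if report["is_pe"]:
        for name, raw in pe_sections(data):
            e = shannon_entropy(raw)
            report["sections"][name] = {"entropy": round(e, 3), "likely_packed": e > PACKED_THRESHOLD}
    return report


def build_demo_pe() -> bytes:
    """Constructed two-section PE skeleton (no optional header, not loadable).
    .text holds three repeating bytes; .pack holds every byte value equally often,
    which is what a compressed or encrypted section looks like to an entropy check."""
    text = b"\x55\x8b\xec" * 128
    packed = bytes(range(256)) * 4
    first_section = 0x40 + 4 + 20
    data_start = first_section + 2 * 40
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> PE signature
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections

    def section(name: bytes, raw: bytes, ptr: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    hdr += section(b".text", text, data_start)
    hdr += section(b".pack", packed, data_start + len(text))
    return bytes(hdr) + text + packed


if __name__ == "__main__":
    print(triage(build_demo_pe()))
```

Per-section entropy is the useful signal: a whole-file average can stay moderate while one section is near 8 bits/byte, which is exactly the case a file-level check misses. The hash lookup only tells you whether this exact artifact is the one from the table; a recompiled or padded variant will not match and has to be caught by the behavioural indicators instead.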