mimikatz | 5f3916cde8f3852fc370be7442e668f31a0d676f2ae912f88042481f972cc26a

General

Target

23s.exe
Size

71KB
MD5

e79d48bc650a2e1bd36d73f438826b8d
SHA1

191e1644ca6b40fd8469d8013e4f931ac9877c18
SHA256

5f3916cde8f3852fc370be7442e668f31a0d676f2ae912f88042481f972cc26a
SHA512

7451442c8ff56ce0124efe429afbba480c71e56247f5cbebe83a0aa7107e9e3c3f68e891dfa928d1fc47be8c5fd715f59ebd252cf4d3d06f1eb471f6d422948d

Score

10^/10

mimikatz suricata

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1256 created 444 1256 svchost.exe svchost.exe
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata

description	pid	process	target process
PID 1256 created 444	1256	svchost.exe	svchost.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/444-147-0x000002ED1BE00000-0x000002ED1BF6E000-memory.dmp	mimikatz

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4804 444 WerFault.exe svchost.exe

pid	pid_target	process	target process
4804	444	WerFault.exe	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

notepad.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad	notepad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWindowsOnlyEOL = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fPasteOriginalEOL = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fReverse = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWrapAround = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fMatchCase = "0"	notepad.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

svchost.exenotepad.exe

pid process

444 svchost.exe
444 svchost.exe
1968 notepad.exe
444 svchost.exe
444 svchost.exe
444 svchost.exe
444 svchost.exe
444 svchost.exe
444 svchost.exe

pid	process
444	svchost.exe
444	svchost.exe
1968	notepad.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe
444	svchost.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

svchost.exesvchost.exenotepad.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	444	svchost.exe
Token: SeAuditPrivilege	444	svchost.exe
Token: SeBackupPrivilege	444	svchost.exe
Token: SeChangeNotifyPrivilege	444	svchost.exe
Token: SeCreateGlobalPrivilege	444	svchost.exe
Token: SeCreatePagefilePrivilege	444	svchost.exe
Token: SeCreatePermanentPrivilege	444	svchost.exe
Token: 35	444	svchost.exe
Token: SeCreateTokenPrivilege	444	svchost.exe
Token: SeDebugPrivilege	444	svchost.exe
Token: SeEnableDelegationPrivilege	444	svchost.exe
Token: SeImpersonatePrivilege	444	svchost.exe
Token: SeIncBasePriorityPrivilege	444	svchost.exe
Token: SeIncreaseQuotaPrivilege	444	svchost.exe
Token: 33	444	svchost.exe
Token: SeLoadDriverPrivilege	444	svchost.exe
Token: SeLockMemoryPrivilege	444	svchost.exe
Token: SeMachineAccountPrivilege	444	svchost.exe
Token: SeManageVolumePrivilege	444	svchost.exe
Token: SeProfSingleProcessPrivilege	444	svchost.exe
Token: 32	444	svchost.exe
Token: SeRemoteShutdownPrivilege	444	svchost.exe
Token: SeRestorePrivilege	444	svchost.exe
Token: SeSecurityPrivilege	444	svchost.exe
Token: SeShutdownPrivilege	444	svchost.exe
Token: SeSyncAgentPrivilege	444	svchost.exe
Token: SeSystemEnvironmentPrivilege	444	svchost.exe
Token: SeSystemProfilePrivilege	444	svchost.exe
Token: SeSystemtimePrivilege	444	svchost.exe
Token: SeTakeOwnershipPrivilege	444	svchost.exe
Token: SeTcbPrivilege	444	svchost.exe
Token: 34	444	svchost.exe
Token: 31	444	svchost.exe
Token: SeUndockPrivilege	444	svchost.exe
Token: 0	444	svchost.exe
Token: SeDebugPrivilege	444	svchost.exe
Token: SeTcbPrivilege	1256	svchost.exe
Token: SeTcbPrivilege	1256	svchost.exe
Token: SeDebugPrivilege	1968	notepad.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

23s.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3816 wrote to memory of 444	3816	23s.exe	svchost.exe
PID 3816 wrote to memory of 444	3816	23s.exe	svchost.exe
PID 3816 wrote to memory of 444	3816	23s.exe	svchost.exe
PID 1256 wrote to memory of 1968	1256	svchost.exe	notepad.exe
PID 1256 wrote to memory of 1968	1256	svchost.exe	notepad.exe
PID 1256 wrote to memory of 1968	1256	svchost.exe	notepad.exe
PID 1256 wrote to memory of 1968	1256	svchost.exe	notepad.exe
PID 1256 wrote to memory of 1968	1256	svchost.exe	notepad.exe
PID 444 wrote to memory of 1968	444	svchost.exe	notepad.exe
PID 444 wrote to memory of 1968	444	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\23s.exe
"C:\Users\Admin\AppData\Local\Temp\23s.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SYSTEM32\svchost.exe
svchost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SYSTEM32\notepad.exe
notepad.exe
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 444 -s 872
3⤵
- Program crash
PID:4804

C:\Windows\system32\cmd.exe
cmd.exe /c echo yeajfg > \\.\pipe\yeajfg
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 444 -ip 444
1⤵
PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-145-0x000002ED19C9B000-0x000002ED19CBC000-memory.dmp

Filesize
132KB

Download
memory/444-143-0x000002ED1BC02000-0x000002ED1BC5B000-memory.dmp

Filesize
356KB

Download
memory/444-149-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp

Filesize
236KB

Download
memory/444-133-0x000002ED1BA30000-0x000002ED1BA8F000-memory.dmp

Filesize
380KB

Download
memory/444-134-0x000002ED19C9B000-0x000002ED19CBC000-memory.dmp

Filesize
132KB

Download
memory/444-135-0x000002ED1BA90000-0x000002ED1BAB7000-memory.dmp

Filesize
156KB

Download
memory/444-131-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp

Filesize
236KB

Download
memory/444-147-0x000002ED1BE00000-0x000002ED1BF6E000-memory.dmp

Filesize
1.4MB

Download
memory/444-146-0x000002ED1C2E0000-0x000002ED1C44A000-memory.dmp

Filesize
1.4MB

Download
memory/444-142-0x000002ED19ED0000-0x000002ED19F0B000-memory.dmp

Filesize
236KB

Download
memory/444-132-0x000002ED1BC02000-0x000002ED1BC5B000-memory.dmp

Filesize
356KB

Download
memory/444-130-0x000002ED19BB0000-0x000002ED19BE5000-memory.dmp

Filesize
212KB

Download
memory/444-144-0x000002ED1BA30000-0x000002ED1BA8F000-memory.dmp

Filesize
380KB

Download
memory/1968-136-0x0000000000000000-mapping.dmp

Download
memory/1968-139-0x000001F077410000-0x000001F077431000-memory.dmp

Filesize
132KB

Download
memory/1968-152-0x00007FFD622A0000-0x00007FFD62D61000-memory.dmp

Filesize
10.8MB

Download
memory/1968-138-0x000001F077440000-0x000001F0774BD000-memory.dmp

Filesize
500KB

Download
memory/1968-137-0x000001F077410000-0x000001F077431000-memory.dmp

Filesize
132KB

Download
memory/1968-148-0x000001F075F60000-0x000001F075FB0000-memory.dmp

Filesize
320KB

Download
memory/1968-140-0x000001F0774C0000-0x000001F0774E6000-memory.dmp

Filesize
152KB

Download
memory/1968-150-0x000001F075FE0000-0x000001F076002000-memory.dmp

Filesize
136KB

Download
memory/1968-151-0x000001F0774C0000-0x000001F0774E6000-memory.dmp

Filesize
152KB

Download
memory/1968-141-0x00007FFD622A0000-0x00007FFD62D61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads