mimikatz | 0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

max time kernel
1802s
max time network
1810s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/NotPetya.exe
Size

390KB
MD5

5b7e6e352bacc93f7b80bc968b6ea493
SHA1

e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA256

63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA512

9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
SSDEEP

12288:ef/X4NTS/x9jNG+w+9OqFoK323qdQYKU3:EXATS/x9jNg+95vdQa

Score

10^/10

mimikatz bootkit persistence spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4AEF.tmp	mimikatz

Blocklisted process makes network request 11 IoCs

Processes:

rundll32.exe

flow	pid	process
1475	3404	rundll32.exe
1493	3404	rundll32.exe
1528	3404	rundll32.exe
1539	3404	rundll32.exe
1563	3404	rundll32.exe
1575	3404	rundll32.exe
1601	3404	rundll32.exe
1611	3404	rundll32.exe
1635	3404	rundll32.exe
1646	3404	rundll32.exe
1671	3404	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NotPetya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	NotPetya.exe

Executes dropped EXE 1 IoCs

Processes:

4AEF.tmp

pid process

4940 4AEF.tmp
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3404 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

pid	process
4940	4AEF.tmp

pid	process
3404	rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in Program Files directory 57 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\OpenCompare.php	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\SearchAssert.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files\ResolveSet.doc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\MSEDGE.PACKED.7Z	rundll32.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exeNotPetya.exe

description	ioc	process
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

rundll32.exe4AEF.tmp

pid process

3404 rundll32.exe
3404 rundll32.exe
4940 4AEF.tmp
4940 4AEF.tmp
4940 4AEF.tmp
4940 4AEF.tmp
4940 4AEF.tmp
4940 4AEF.tmp
4940 4AEF.tmp

pid	process
524	schtasks.exe

pid	process
3404	rundll32.exe
3404	rundll32.exe
4940	4AEF.tmp
4940	4AEF.tmp
4940	4AEF.tmp
4940	4AEF.tmp
4940	4AEF.tmp
4940	4AEF.tmp
4940	4AEF.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exe4AEF.tmp

description	pid	process
Token: SeShutdownPrivilege	3404	rundll32.exe
Token: SeDebugPrivilege	3404	rundll32.exe
Token: SeTcbPrivilege	3404	rundll32.exe
Token: SeDebugPrivilege	4940	4AEF.tmp

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NotPetya.exerundll32.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 3404	1380	NotPetya.exe	rundll32.exe
PID 1380 wrote to memory of 3404	1380	NotPetya.exe	rundll32.exe
PID 1380 wrote to memory of 3404	1380	NotPetya.exe	rundll32.exe
PID 3404 wrote to memory of 3144	3404	rundll32.exe	cmd.exe
PID 3404 wrote to memory of 3144	3404	rundll32.exe	cmd.exe
PID 3404 wrote to memory of 3144	3404	rundll32.exe	cmd.exe
PID 3404 wrote to memory of 4940	3404	rundll32.exe	4AEF.tmp
PID 3404 wrote to memory of 4940	3404	rundll32.exe	4AEF.tmp
PID 3144 wrote to memory of 524	3144	cmd.exe	schtasks.exe
PID 3144 wrote to memory of 524	3144	cmd.exe	schtasks.exe
PID 3144 wrote to memory of 524	3144	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\NotPetya.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\NotPetya.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:55
3⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 23:55
4⤵
- Creates scheduled task(s)
PID:524

C:\Users\Admin\AppData\Local\Temp\4AEF.tmp
"C:\Users\Admin\AppData\Local\Temp\4AEF.tmp" \\.\pipe\{0C856779-51A0-407F-BBF3-3A323B4596BD}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AEF.tmp
Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Windows\perfc.dat
Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
memory/3404-3-0x0000000000DB0000-0x0000000000E0E000-memory.dmp

Filesize
376KB

Download
memory/3404-11-0x0000000000DB0000-0x0000000000E0E000-memory.dmp

Filesize
376KB

Download
memory/3404-12-0x0000000000DB0000-0x0000000000E0E000-memory.dmp

Filesize
376KB

Download
memory/3404-13-0x0000000000DB0000-0x0000000000E0E000-memory.dmp

Filesize
376KB

Download
memory/3404-21-0x0000000000DB0000-0x0000000000E0E000-memory.dmp

Filesize
376KB

Download