Overview

  Score:  10
  Static: 10

Task scores (sample, platform, score):

  Win32/mimidrv.sys    windows7-x64        10
  Win32/mimidrv.sys    windows10-2004-x64  10
  Win32/mimikatz.exe   windows7-x64         1
  Win32/mimikatz.exe   windows10-2004-x64   1
  Win32/mimilib.dll    windows7-x64         3
  Win32/mimilib.dll    windows10-2004-x64   3
  Win32/mimilove.exe   windows7-x64         1
  Win32/mimilove.exe   windows10-2004-x64   1
  Win32/mimispool.dll  windows7-x64         1
  Win32/mimispool.dll  windows10-2004-x64   1
  x64/mimidrv.sys      windows7-x64        10
  x64/mimidrv.sys      windows10-2004-x64  10
  x64/mimikatz.exe     windows7-x64         1
  x64/mimikatz.exe     windows10-2004-x64   1
  x64/mimilib.dll      windows7-x64         1
  x64/mimilib.dll      windows10-2004-x64   1
  x64/mimispool.dll    windows7-x64         1
  x64/mimispool.dll    windows10-2004-x64   1

Analysis

  max time kernel:   92s
  max time network:  93s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         30-04-2024 04:44
Behavioral tasks (task, sample, resource):

  behavioral1   Win32/mimidrv.sys    win7-20240221-en
  behavioral2   Win32/mimidrv.sys    win10v2004-20240426-en
  behavioral3   Win32/mimikatz.exe   win7-20240221-en
  behavioral4   Win32/mimikatz.exe   win10v2004-20240226-en
  behavioral5   Win32/mimilib.dll    win7-20240221-en
  behavioral6   Win32/mimilib.dll    win10v2004-20240426-en
  behavioral7   Win32/mimilove.exe   win7-20240220-en
  behavioral8   Win32/mimilove.exe   win10v2004-20240419-en
  behavioral9   Win32/mimispool.dll  win7-20240419-en
  behavioral10  Win32/mimispool.dll  win10v2004-20240426-en
  behavioral11  x64/mimidrv.sys      win7-20240221-en
  behavioral12  x64/mimidrv.sys      win10v2004-20240419-en
  behavioral13  x64/mimikatz.exe     win7-20231129-en
  behavioral14  x64/mimikatz.exe     win10v2004-20240419-en
  behavioral15  x64/mimilib.dll      win7-20240220-en
  behavioral16  x64/mimilib.dll      win10v2004-20240419-en
  behavioral17  x64/mimispool.dll    win7-20240419-en
  behavioral18  x64/mimispool.dll    win10v2004-20240419-en
General

  Target:  Win32/mimispool.dll
  Size:    10KB
  MD5:     dab7a18b02399053ba3ff1e568789fce
  SHA1:    ceee090c9ee8279d6410d8d450d55acb81d34766
  SHA256:  05842de51ede327c0f55df963f6de4e32ab88f43a73b9e0e1d827bc70199eff0
  SHA512:  6dd0ade4112d7ed44c090f81614ed2f1d84cfcb25a45b08d22b3fa74e4e3f9b99f719f8bca9c1f03d13757f38eac072bb4d55e229c478524bf348f76fc3e36dd
  SSDEEP:  192:I191rqbIcL9uD3nhKlWUEHRl1RtnIDKwIb/DtC0uolZC7:RRgDXhKAUQlftO6tC0uols
Malware Config
Signatures

  Suspicious use of WriteProcessMemory (3 IoCs)

    description                        pid   Process       procid_target
    PID 2248 wrote to memory of 2820   2248  rundll32.exe  82
    PID 2248 wrote to memory of 2820   2248  rundll32.exe  82
    PID 2248 wrote to memory of 2820   2248  rundll32.exe  82
Processes
Network
Flows (remote address, protocols, bytes sent / received, packets sent / received):

  204.79.197.237:443  tls, http2  2.5kB / 9.0kB  19 / 17
    HTTP Request   GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8uPeRdfm_Vfdw7vJ8DamvPDVUCUzvnBI72GoENUL2k2mws3CTxKQS3BKhZSYPmbmuCbzV_F8vtVz1l29_pjNE4D2yAb87voCZVKwCKxCb8Z-d_QgN3hDuhtMnMsvOd0ymkGHSPpDbNMBeWY0gAMG1Pm6IGNygUUHTD8vfN2mFVs4sCoq6%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D51890e9c9f2c1ef4f67768b739ef54be&TIME=20240426T130642Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF
    HTTP Response  204
    HTTP Request   GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8uPeRdfm_Vfdw7vJ8DamvPDVUCUzvnBI72GoENUL2k2mws3CTxKQS3BKhZSYPmbmuCbzV_F8vtVz1l29_pjNE4D2yAb87voCZVKwCKxCb8Z-d_QgN3hDuhtMnMsvOd0ymkGHSPpDbNMBeWY0gAMG1Pm6IGNygUUHTD8vfN2mFVs4sCoq6%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D51890e9c9f2c1ef4f67768b739ef54be&TIME=20240426T130642Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266&muid=ADDDFB3EF7AA0DA8A4964D397794E5DF
    HTTP Response  204

  23.62.61.194:443  tls, http2  1.5kB / 5.4kB  17 / 12
    HTTP Request   GET https://www.bing.com/aes/c.gif?RG=603ae34df4634dbe816c2b9e677cec2a&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T130642Z&adUnitId=11730597&localId=w:ADDDFB3E-F7AA-0DA8-A496-4D397794E5DF&deviceId=6896200621815266
    HTTP Response  200

  23.62.61.194:443  tls, http2  1.7kB / 6.8kB  18 / 14
    HTTP Request   GET https://www.bing.com/th?id=OADD2.10239355179391_1LFCMSFC5TYGHD1FP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response  200

DNS flows (bytes sent / received; 1 / 1 packets each):

  56 B / 151 B   DNS Request   g.bing.com
                 DNS Response  204.79.197.237, 13.107.21.237
  73 B / 143 B   DNS Request   237.197.79.204.in-addr.arpa
  66 B /  90 B   DNS Request   8.8.8.8.in-addr.arpa
  71 B / 135 B   DNS Request   133.190.18.2.in-addr.arpa
  71 B / 135 B   DNS Request   194.61.62.23.in-addr.arpa
  71 B / 157 B   DNS Request   71.31.126.40.in-addr.arpa
  72 B / 158 B   DNS Request   88.156.103.20.in-addr.arpa
  72 B / 146 B   DNS Request   157.123.68.40.in-addr.arpa
  72 B / 158 B   DNS Request   171.39.242.20.in-addr.arpa
  74 B / 128 B   DNS Request   172.210.232.199.in-addr.arpa
  72 B / 158 B   DNS Request   22.236.111.52.in-addr.arpa
  71 B / 116 B   DNS Request   0.205.248.87.in-addr.arpa