mimikatz | b2a9d9fa76e0d276d2a9ee93a0cd32a7796ffa5c5481dba57c89c0590fb61d09

General

Target

New/3mm.exe
Size

1009KB
MD5

a38109846c85c59384c9b71ef67f655d
SHA1

211f659b70bf4abd6be8b742e156cc6d5c1d9e43
SHA256

05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb
SHA512

adc11e5871df6db8f5921ef803865a4611bc274bfef308a524cc7d00e9f4e81d2047ff984a90a6dc752c506246fc9ae141409c685e79d83185c577126729a19a
SSDEEP

24576:Ld9Mrf7iaNVxowiTsJvJkI65s0o5bJQAoDy:ByTeFwWsJxkI660o5roW

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aa9e-23.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
3276	mimikatz.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\Help\Win32	3mm.exe
File created	C:\Windows\Help\Help\README.md	3mm.exe
File opened for modification	C:\Windows\Help\Help\README.md	3mm.exe
File created	C:\Windows\Help\Help\3.bat	3mm.exe
File opened for modification	C:\Windows\Help\Help\3.bat	3mm.exe
File created	C:\Windows\Help\Help\kiwi_passwords.yar	3mm.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimikatz.exe	3mm.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimispool.dll	3mm.exe
File created	C:\Windows\Help\Help\Win32\mimilib.dll	3mm.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimilib.dll	3mm.exe
File created	C:\Windows\Help\Help\Win32\mimidrv.sys	3mm.exe
File opened for modification	C:\Windows\Help\Help\mimicom.idl	3mm.exe
File created	C:\Windows\Help\Help\Win32\mimikatz.exe	3mm.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimilove.exe	3mm.exe
File created	C:\Windows\Help\Help\Win32\mimispool.dll	3mm.exe
File created	C:\Windows\Help\Help\mimicom.idl	3mm.exe
File opened for modification	C:\Windows\Help\Help\kiwi_passwords.yar	3mm.exe
File created	C:\Windows\Help\Help\Win32\mimilove.exe	3mm.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimidrv.sys	3mm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4352	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3276	mimikatz.exe
3276	mimikatz.exe
3276	mimikatz.exe
3276	mimikatz.exe
3276	mimikatz.exe
3276	mimikatz.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4092	3mm.exe
Token: SeDebugPrivilege	3276	mimikatz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 2916	4092	3mm.exe	80
PID 4092 wrote to memory of 2916	4092	3mm.exe	80
PID 4092 wrote to memory of 2916	4092	3mm.exe	80
PID 4092 wrote to memory of 1556	4092	3mm.exe	82
PID 4092 wrote to memory of 1556	4092	3mm.exe	82
PID 4092 wrote to memory of 1556	4092	3mm.exe	82
PID 2916 wrote to memory of 3276	2916	cmd.exe	84
PID 2916 wrote to memory of 3276	2916	cmd.exe	84
PID 2916 wrote to memory of 3276	2916	cmd.exe	84
PID 2916 wrote to memory of 948	2916	cmd.exe	85
PID 2916 wrote to memory of 948	2916	cmd.exe	85
PID 2916 wrote to memory of 948	2916	cmd.exe	85
PID 1556 wrote to memory of 4352	1556	cmd.exe	86
PID 1556 wrote to memory of 4352	1556	cmd.exe	86
PID 1556 wrote to memory of 4352	1556	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\New\3mm.exe
"C:\Users\Admin\AppData\Local\Temp\New\3mm.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Help\Help\3.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\Help\Help\Win32\mimikatz.exe
    Win32\mimikatz.exe privilege::debug sekurlsa::logonpasswords
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Executed 32. You can close ."
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~7724.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
cd56e155edf53e5728c46b6c9eb9c413

SHA1
14b1b0f090803c9ee39797aed4af13dc7849566d

SHA256
70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a

SHA512
a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZ~7724.tmp.bat

Filesize
152B

MD5
93b2d42d915da27b1f467a645efbb5de

SHA1
7d7a3743c74867eb97688b3ef1f506c5c48bd72c

SHA256
2ed1c3802692a780c56735e17d2a33f48071aa91471b9abe75943076e31f8238

SHA512
7b19b38d7ce3254c654a8db4a912f1d2e3037b140176cf6bf2731860be04c2fe14dd93395a8a891de8c0d51d134d0fc29a198162aa331c8d188afdc76133bc53

Download Submit
C:\Windows\Help\Help\3.bat

Filesize
196B

MD5
86310b48a6ad1c68fc8e4a0eeb15f180

SHA1
0f69537f3742eb57a1e9e57a895aec4b6667320c

SHA256
b05f645941a40594c82a4277cb02edcf75a31378676f002dcd79c9dda2f71a43

SHA512
f6c0188562476236efe5cc816855e64c1e0a6899cc94f9b180ad2d636b3bb3a5b30ec90c7e91520f5362be8dc4fc9c47d0188ea9101953f75746a18131f0c3c0

Download Submit
C:\Windows\Help\Help\Win32\mimikatz.exe

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit

Analysis

Sharing