mimikatz | 05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb

General

Target

05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
Size

1009KB
MD5

a38109846c85c59384c9b71ef67f655d
SHA1

211f659b70bf4abd6be8b742e156cc6d5c1d9e43
SHA256

05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb
SHA512

adc11e5871df6db8f5921ef803865a4611bc274bfef308a524cc7d00e9f4e81d2047ff984a90a6dc752c506246fc9ae141409c685e79d83185c577126729a19a
SSDEEP

24576:Ld9Mrf7iaNVxowiTsJvJkI65s0o5bJQAoDy:ByTeFwWsJxkI660o5roW

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023403-23.dat	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023403-23.dat	mimikatz

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe

Executes dropped EXE 1 IoCs

pid	Process
3808	mimikatz.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\Help\Win32\mimilib.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\mimicom.idl	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\3.bat	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimikatz.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimikatz.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimilove.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\README.md	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\README.md	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimilib.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimispool.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\kiwi_passwords.yar	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimilove.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimispool.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimidrv.sys	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\mimicom.idl	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\3.bat	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\kiwi_passwords.yar	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimidrv.sys	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2736	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3808	mimikatz.exe
3808	mimikatz.exe
3808	mimikatz.exe
3808	mimikatz.exe
3808	mimikatz.exe
3808	mimikatz.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
Token: SeDebugPrivilege	3808	mimikatz.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2544	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	83
PID 3392 wrote to memory of 2544	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	83
PID 3392 wrote to memory of 2544	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	83
PID 3392 wrote to memory of 4168	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	85
PID 3392 wrote to memory of 4168	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	85
PID 3392 wrote to memory of 4168	3392	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	85
PID 2544 wrote to memory of 3808	2544	cmd.exe	87
PID 2544 wrote to memory of 3808	2544	cmd.exe	87
PID 2544 wrote to memory of 3808	2544	cmd.exe	87
PID 2544 wrote to memory of 4124	2544	cmd.exe	88
PID 2544 wrote to memory of 4124	2544	cmd.exe	88
PID 2544 wrote to memory of 4124	2544	cmd.exe	88
PID 4168 wrote to memory of 2736	4168	cmd.exe	89
PID 4168 wrote to memory of 2736	4168	cmd.exe	89
PID 4168 wrote to memory of 2736	4168	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
"C:\Users\Admin\AppData\Local\Temp\05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Help\Help\3.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Help\Help\Win32\mimikatz.exe
    Win32\mimikatz.exe privilege::debug sekurlsa::logonpasswords
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Executed 32. You can close ."
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~4A09.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~4A09.tmp.bat

Filesize
266B

MD5
3a2efde61c44f800aceedb24c7966acc

SHA1
5267d8deea10916a68d3a3d482cd15b957eba864

SHA256
3b569b72310e33b4704d2de0bbc75ce0331d3ec229cf4f6e7d07451469fa5132

SHA512
48e5433f1c0b8468c0722290bbc2973c829ac61152dd756d0ea14ad3c89c868d51af18aecfa6f982188f5936b57f1c5581d1c8d4bcc280f41baaa41309655a0d

Download Submit
C:\Windows\Help\Help\3.bat

Filesize
196B

MD5
86310b48a6ad1c68fc8e4a0eeb15f180

SHA1
0f69537f3742eb57a1e9e57a895aec4b6667320c

SHA256
b05f645941a40594c82a4277cb02edcf75a31378676f002dcd79c9dda2f71a43

SHA512
f6c0188562476236efe5cc816855e64c1e0a6899cc94f9b180ad2d636b3bb3a5b30ec90c7e91520f5362be8dc4fc9c47d0188ea9101953f75746a18131f0c3c0

Download Submit
C:\Windows\Help\Help\Win32\mimikatz.exe

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit

Analysis

Sharing