mimikatz | 05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb

General

Target

05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
Size

1009KB
MD5

a38109846c85c59384c9b71ef67f655d
SHA1

211f659b70bf4abd6be8b742e156cc6d5c1d9e43
SHA256

05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb
SHA512

adc11e5871df6db8f5921ef803865a4611bc274bfef308a524cc7d00e9f4e81d2047ff984a90a6dc752c506246fc9ae141409c685e79d83185c577126729a19a
SSDEEP

24576:Ld9Mrf7iaNVxowiTsJvJkI65s0o5bJQAoDy:ByTeFwWsJxkI660o5roW

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015c83-28.dat	mimikatz

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2476	mimikatz.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	cmd.exe
2656	cmd.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Help\Help\kiwi_passwords.yar	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimikatz.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\kiwi_passwords.yar	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimikatz.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimilove.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimispool.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\README.md	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimilib.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimilib.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimidrv.sys	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimispool.dll	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\Win32\mimidrv.sys	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\README.md	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\mimicom.idl	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\mimicom.idl	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File created	C:\Windows\Help\Help\3.bat	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\3.bat	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
File opened for modification	C:\Windows\Help\Help\Win32\mimilove.exe	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2832	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2476	mimikatz.exe
2476	mimikatz.exe
2476	mimikatz.exe
2476	mimikatz.exe
2476	mimikatz.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
Token: SeDebugPrivilege	2476	mimikatz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2656	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	28
PID 1704 wrote to memory of 2656	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	28
PID 1704 wrote to memory of 2656	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	28
PID 1704 wrote to memory of 2656	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	28
PID 1704 wrote to memory of 2688	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	30
PID 1704 wrote to memory of 2688	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	30
PID 1704 wrote to memory of 2688	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	30
PID 1704 wrote to memory of 2688	1704	05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe	30
PID 2656 wrote to memory of 2476	2656	cmd.exe	32
PID 2656 wrote to memory of 2476	2656	cmd.exe	32
PID 2656 wrote to memory of 2476	2656	cmd.exe	32
PID 2656 wrote to memory of 2476	2656	cmd.exe	32
PID 2656 wrote to memory of 2356	2656	cmd.exe	34
PID 2656 wrote to memory of 2356	2656	cmd.exe	34
PID 2656 wrote to memory of 2356	2656	cmd.exe	34
PID 2656 wrote to memory of 2356	2656	cmd.exe	34
PID 2688 wrote to memory of 2832	2688	cmd.exe	33
PID 2688 wrote to memory of 2832	2688	cmd.exe	33
PID 2688 wrote to memory of 2832	2688	cmd.exe	33
PID 2688 wrote to memory of 2832	2688	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe
"C:\Users\Admin\AppData\Local\Temp\05b5a1a5354201eb02051a8555a63d82e98766798f5739111c454103ca2599bb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Help\Help\3.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Help\Help\Win32\mimikatz.exe
    Win32\mimikatz.exe privilege::debug sekurlsa::logonpasswords
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Executed 32. You can close ."
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~602A.tmp.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~602A.tmp.bat

Filesize
266B

MD5
3a2efde61c44f800aceedb24c7966acc

SHA1
5267d8deea10916a68d3a3d482cd15b957eba864

SHA256
3b569b72310e33b4704d2de0bbc75ce0331d3ec229cf4f6e7d07451469fa5132

SHA512
48e5433f1c0b8468c0722290bbc2973c829ac61152dd756d0ea14ad3c89c868d51af18aecfa6f982188f5936b57f1c5581d1c8d4bcc280f41baaa41309655a0d

Download Submit
C:\Windows\Help\Help\3.bat

Filesize
196B

MD5
86310b48a6ad1c68fc8e4a0eeb15f180

SHA1
0f69537f3742eb57a1e9e57a895aec4b6667320c

SHA256
b05f645941a40594c82a4277cb02edcf75a31378676f002dcd79c9dda2f71a43

SHA512
f6c0188562476236efe5cc816855e64c1e0a6899cc94f9b180ad2d636b3bb3a5b30ec90c7e91520f5362be8dc4fc9c47d0188ea9101953f75746a18131f0c3c0

Download Submit
C:\Windows\Help\Help\Win32\mimikatz.exe

Filesize
1.0MB

MD5
d3b17ddf0b98fd2441ed46b033043456

SHA1
93ed68c7e5096d936115854954135d110648e739

SHA256
94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b

SHA512
cac2230361981323ea998c08f7d9afc9369c62a683a60421628adab1eb1e4ffbbc9c2239a8bf66cb662ad7d56e7284f9051bb548979b8c6862570ce45aa27120

Download Submit

Analysis

Sharing