mimikatz | 2024-09-01_bea97a46e5034b1c0d8b774da2aa3a67_mimikatz_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-01_bea97a46e5034b1c0d8b774da2aa3a67_mimikatz_ryuk
Size

1.9MB
MD5

bea97a46e5034b1c0d8b774da2aa3a67
SHA1

643a3d9a301da66ef6bb2f29b8bc773e2bc5ac17
SHA256

c53397c6a25e525d12d0512416d423ddb3a003898d6fa7a00fd97e3a5c581e23
SHA512

620d428ed642f26da1c122e85ceb3c464f33bb15292e4b7ab4205af04d390e0041d9dfdbee31f84b2ac5b3b2731ae89e57e66f2c75929fd5a40be6fd03a62f43
SSDEEP

24576:P7l7dFufljdCMEjMuwe3MQUBcL1qrG/Zrw3E5j4ZymRH5Fv7uprjrsN:P7lpAxoi2TUuL1qreZrEEQygH5Fv7up

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
sample	mimikatz

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-09-01_bea97a46e5034b1c0d8b774da2aa3a67_mimikatz_ryuk

Files

2024-09-01_bea97a46e5034b1c0d8b774da2aa3a67_mimikatz_ryuk
.exe windows:6 windows x64 arch:x64

1854a53df374f01d6115a71be3bcb0cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptReleaseContext
CryptGenKey
CryptGetProvParam
CryptGetHashParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptSetHashParam
CryptHashData
CryptCreateHash
CryptExportKey
CryptDecrypt
SystemFunction007
CryptDuplicateKey
CryptEncrypt
CryptAcquireContextW
CryptGetKeyParam
CryptAcquireContextA
CryptDestroyKey
GetLengthSid
CopySid
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
CreateWellKnownSid
CreateProcessAsUserW
CreateProcessWithLogonW
RegQueryValueExW
RegEnumValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
SystemFunction032
ConvertSidToStringSidW
SystemFunction033
QueryServiceObjectSecurity
QueryServiceStatusEx
BuildSecurityDescriptorW
OpenServiceW
StartServiceW
FreeSid
ControlService
SetServiceObjectSecurity
DeleteService
AllocateAndInitializeSid
OpenSCManagerW
CloseServiceHandle
CreateServiceW
IsTextUnicode
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
OpenProcessToken
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
SetThreadToken
SystemFunction006
CryptEnumProviderTypesW
CryptGetUserKey
OpenEventLogW
ClearEventLogW
GetNumberOfEventLogRecords
CryptSignHashW
LsaRetrievePrivateData
LsaOpenSecret
LsaQueryTrustedDomainInfoByName
CryptDeriveKey
LsaQuerySecret
SystemFunction001
SystemFunction005
LsaSetSecret
LsaEnumerateTrustedDomainsEx
SystemFunction023
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus
OpenThreadToken
LookupPrivilegeNameW
EqualSid
CredFree
CredEnumerateW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction027
SystemFunction026
SystemFunction041
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
A_SHAUpdate
A_SHAFinal
A_SHAInit

cabinet

ord11
ord14
ord10
ord13

crypt32

CertFindCertificateInStore
CertGetNameStringW
CryptQueryObject
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CryptStringToBinaryA
CertCloseStore
PFXExportCertStoreEx
CertSetCertificateContextProperty
CertOpenStore
CryptStringToBinaryW
CryptUnprotectData
CryptBinaryToStringW
CryptBinaryToStringA
CryptAcquireCertificatePrivateKey
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptSignAndEncodeCertificate
CertNameToStrW
CryptEncodeObject
CertEnumSystemStore
CertGetCertificateContextProperty
CryptProtectData
CryptDecodeObjectEx

cryptdll

CDGenerateRandomBits
CDLocateCheckSum
MD5Final
CDLocateCSystem
MD5Init
MD5Update

dnsapi

DnsFree
DnsQuery_A

fltlib

FilterFindNext
FilterFindFirst

mpr

WNetAddConnection2W
WNetCancelConnection2W

netapi32

NetServerGetInfo
DsGetDcNameW
NetApiBufferFree
NetWkstaUserEnum
NetShareEnum
NetStatisticsGet
NetSessionEnum
NetRemoteTOD
DsEnumerateDomainTrustsW
I_NetServerAuthenticate2
I_NetServerTrustPasswordsGet
I_NetServerReqChallenge

odbc32

ord31
ord141
ord24
ord13
ord75
ord111
ord43
ord9

ole32

CoInitializeEx
CoSetProxyBlanket
CoTaskMemFree
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
VariantInit
VariantClear

rpcrt4

NdrClientCall2
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcStringFreeW
MesHandleFree
RpcImpersonateClient
RpcRevertToSelf
MesEncodeIncrementalHandleCreate
MesDecodeIncrementalHandleCreate
RpcBindingFree
MesIncrementalHandleReset
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrMesTypeFree2
NdrMesTypeAlignSize2
RpcBindingVectorFree
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
UuidToStringW
RpcServerRegisterIf2
RpcMgmtWaitServerListen
RpcServerListen
RpcServerRegisterAuthInfoW
RpcEpUnregister
RpcEpRegisterW
RpcServerInqBindings
RpcMgmtStopServerListening
I_RpcBindingInqSecurityContext
NdrServerCall2
UuidCreate
RpcEpResolveBinding
RpcBindingSetObject
RpcBindingSetAuthInfoW
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
I_RpcGetCurrentCallHandle

shlwapi

PathFindFileNameW
PathIsDirectoryW
PathCombineW
PathCanonicalizeW
PathIsRelativeW
UrlUnescapeW

samlib

SamLookupIdsInDomain
SamEnumerateGroupsInDomain
SamGetAliasMembership
SamOpenAlias
SamRidToSid
SamGetGroupsForUser
SamGetMembersInAlias
SamEnumerateUsersInDomain
SamLookupNamesInDomain
SamOpenDomain
SamEnumerateDomainsInSamServer
SamOpenUser
SamiChangePasswordUser
SamGetMembersInGroup
SamConnect
SamCloseHandle
SamLookupDomainInSamServer
SamFreeMemory
SamQueryInformationUser
SamSetInformationUser
SamOpenGroup
SamEnumerateAliasesInDomain

secur32

LsaFreeReturnBuffer
DeleteSecurityContext
LsaLookupAuthenticationPackage
LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaConnectUntrusted
QueryContextAttributesW
EnumerateSecurityPackagesW
FreeCredentialsHandle
InitializeSecurityContextW
FreeContextBuffer
AcquireCredentialsHandleW

shell32

CommandLineToArgvW

user32

GetMessageW
DefWindowProcW
PostMessageW
DestroyWindow
SetClipboardViewer
CreateWindowExW
SendMessageW
UnregisterClassW
RegisterClassExW
OpenClipboard
DispatchMessageW
ChangeClipboardChain
CloseClipboard
EnumClipboardFormats
TranslateMessage
GetClipboardData
GetClipboardSequenceNumber
GetKeyboardLayout
IsCharAlphaNumericW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

hid

HidD_GetPreparsedData
HidP_GetCaps
HidD_GetAttributes
HidD_GetFeature
HidD_GetHidGuid
HidD_FreePreparsedData
HidD_SetFeature

setupapi

SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW

winscard

SCardFreeMemory
SCardTransmit
SCardDisconnect
SCardConnectW
SCardControl
SCardListReadersW
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardReleaseContext
SCardEstablishContext
SCardGetAttrib

winsta

WinStationOpenServerW
WinStationQueryInformationW
WinStationCloseServer
WinStationFreeMemory
WinStationConnectW
WinStationEnumerateW

wldap32

ord147
ord157
ord224
ord203
ord88
ord26
ord127
ord133
ord167
ord309
ord304
ord27
ord310
ord208
ord73
ord13
ord36
ord79
ord41
ord142
ord77
ord145
ord54
ord14
ord140
ord113
ord223
ord96
ord69
ord12
ord139
ord122
ord97
ord301

msasn1

ASN1_FreeEncoded
ASN1_CloseEncoder
ASN1_CreateEncoder
ASN1_CloseModule
ASN1_CreateModule
ASN1_CloseDecoder
ASN1_CreateDecoder
ASN1BERDotVal2Eoid

ntdll

RtlInitUnicodeString
NtQueryObject
RtlAdjustPrivilege
RtlFreeAnsiString
NtSuspendProcess
RtlCompressBuffer
NtQuerySystemInformation
NtQueryInformationProcess
NtTerminateProcess
RtlCreateUserThread
RtlGUIDFromString
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
RtlUnicodeStringToAnsiString
RtlFreeUnicodeString
RtlDowncaseUnicodeString
RtlGetCompressionWorkSpaceSize
RtlStringFromGUID
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlAppendUnicodeStringToString
RtlUpcaseUnicodeString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtResumeProcess
NtOpenDirectoryObject
NtQueryDirectoryObject
RtlEqualUnicodeString
RtlGetCurrentPeb

kernel32

GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
SetStdHandle
GetCPInfo
LCMapStringW
CompareStringW
InitializeCriticalSectionEx
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetFileType
GetModuleHandleExW
TerminateProcess
GetModuleFileNameW
GetCommandLineW
GetCommandLineA
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
LoadLibraryExA
SetFilePointerEx
GetProcessId
GetComputerNameW
IsWow64Process
ProcessIdToSessionId
GetCurrentThread
SetConsoleCursorPosition
SetCurrentDirectoryW
FillConsoleOutputCharacterW
GetSystemDirectoryW
GetStdHandle
GetConsoleScreenBufferInfo
SetEvent
CreateEventW
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
CreatePipe
SetHandleInformation
GlobalSize
SetFileAttributesW
SetConsoleTitleW
ExitProcess
RaiseException
ExitThread
SetConsoleCtrlHandler
GetTickCount
QueryPerformanceCounter
FormatMessageA
GetSystemTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
GetSystemInfo
HeapReAlloc
DeleteFileW
WaitForSingleObjectEx
LoadLibraryA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
FormatMessageW
MultiByteToWideChar
HeapSize
HeapValidate
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
GetDateFormatW
GetSystemTimeAsFileTime
WideCharToMultiByte
SystemTimeToFileTime
GetTimeFormatW
lstrlenA
ClearCommError
PurgeComm
CreateRemoteThread
WaitForSingleObject
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualQueryEx
VirtualQuery
VirtualFreeEx
ReadProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
VirtualFree
SetLastError
VirtualProtect
WriteProcessMemory
DeviceIoControl
OpenProcess
DuplicateHandle
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
ReadConsoleW
WriteConsoleW
RtlPcToFileHeader
GetConsoleMode
GetCurrentProcess
FlushFileBuffers
EncodePointer
GetCurrentDirectoryW
GetFileAttributesW
FindClose
ExpandEnvironmentStringsW
FindNextFileW
GetFileSizeEx
FindFirstFileW
lstrlenW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
FileTimeToDosDateTime
GetTempFileNameA
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
GetTempPathA
GetFileInformationByHandle
GetCurrentDirectoryA
SetFilePointer
LocalFree
CreateThread
CloseHandle
TerminateThread
GetLastError
Sleep
CreateFileW
LocalAlloc
WriteFile
ReadFile
FileTimeToSystemTime

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 509KB - Virtual size: 509KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gehcont
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.fptable
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 156KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1854a53df374f01d6115a71be3bcb0cc

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

cabinet

crypt32

cryptdll

dnsapi

fltlib

mpr

netapi32

odbc32

ole32

oleaut32

rpcrt4

shlwapi

samlib

secur32

shell32

user32

userenv

version

hid

setupapi

winscard

winsta

wldap32

msasn1

ntdll

kernel32

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 509KB - Virtual size: 509KB

.data Size: 26KB - Virtual size: 32KB

.pdata Size: 62KB - Virtual size: 62KB

.gfids Size: 512B - Virtual size: 196B

.gehcont Size: 512B - Virtual size: 24B

.fptable Size: 512B - Virtual size: 256B

.rsrc Size: 156KB - Virtual size: 156KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 509KB - Virtual size: 509KB

.data
Size: 26KB - Virtual size: 32KB

.pdata
Size: 62KB - Virtual size: 62KB

.gfids
Size: 512B - Virtual size: 196B

.gehcont
Size: 512B - Virtual size: 24B

.fptable
Size: 512B - Virtual size: 256B

.rsrc
Size: 156KB - Virtual size: 156KB

.reloc
Size: 8KB - Virtual size: 7KB