Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20/09/2024, 08:47
General
-
Target
https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
Malware Config
Signatures
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd73946f8,0x7ffcd7394708,0x7ffcd73947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\mimikatz.exe"C:\Users\Admin\Downloads\mimikatz.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12239692059176712413,6922929871702867549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
2KB
MD590ce073cd1ed115bd38fcf4d2b70f8d8
SHA1ad26aaea2c5add7e42295403f20072000691bfc4
SHA256fa5ef24ba2abbcf128f413e9d56577698be182bdb91aec19792951b961e32f75
SHA5120c2719d8dc03634d14a6c36553f03ba1e221ffa050da465f0acd156bd349d46bb12a59b5138623b456146254b1127bde59d834f9857dc70c4fc70bb806b6031d
-
Filesize
579B
MD5552c94911b4d9413d92d5095a0c64b11
SHA1e9fe0f0eebf35d168d2d889b5367fa7a12f299c2
SHA256b687ba320a6689a39d8a01f8c10dc8e5d9f25465dbea04c2851d4d38e040fa5f
SHA5121cd929ccb9992a26cc3b5c9210138d3f30a46f5388aa6a123dbde986956a74ddfb2d529b860fc3c924b6435197c175bd004bbe309834340c3ddf90484c7d8a5b
-
Filesize
5KB
MD5e43bafd0e0389b4cb2d7bfa5e51514ee
SHA163a1a1cd40600e4543e71b2f5a5dd8d1f52e7de5
SHA256e1d1ead648fc7894df1bb3d3362f5b74508df53410ec9c36464a01ceea3429a6
SHA512d74e45fe773c702a8b29ca59f16c55efca9c5ca4f3195163ecf770bc9d06ec334eb67fdf0fd807be2eb2f023a75e9ee9b425b4c30793852a387ca5127e96b332
-
Filesize
6KB
MD53e0429460d143987f6bec735526eaace
SHA136de4c1b495e224a9d80de45c27d41dad2f060d9
SHA25657edc3e6631b47e790c373e641311b50df7f7079689fd07fee5efb577e1f7556
SHA51243cd112d162059d92aa65f5c56795450a652b67021713bf0cc744c234f75611994973e42bc3a388a63f87b7c910e93061b70602e583126a516ee48f34443d141
-
Filesize
1KB
MD5e69d0bf2943ba5f36e4385dd768ef6dc
SHA1bf9158e34eba01b242e78b408589d534b22d002b
SHA2561737912f46c5d51b8e50474ea1619627f662658faaa6124db01711b25ee2cfa2
SHA512c1fc94757357841c5f23a4cca5e16d497a70310f96ee373a29061f0fb28283d13a21b3c43aa521d7182fccafd90e69f15cd1abe8acec8fa0e88e1124347ed7b1
-
Filesize
1KB
MD584df08e3441046bab4b1b28b3a2c8a2a
SHA104461f62a79a15b5154aaedeed2996045963832e
SHA256600eed9343f590245c8597d9a2ad5d83c6540bf5befe80fadff1b72f367fae5e
SHA512857d1e56c65f6292b92fc8667412317757ccfcb175803c60aa21a73e9e7b4893035dd2d4f16c96b91f6c9b368008d7264b3f8e6978d1533369585766f3c84b3b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD53e00a704e5d8044cf9b4ed73b717a28f
SHA1462b57a9601c5140103c9267c7b42c99a01074a0
SHA256409d09c29601441d8fb316e90e83a85073616e33eb62799c02575f00d7dab296
SHA5129fa869d79c124ad94525e1e9b3101f94eeaf9df1227c2fe120c7a36bdb58f625fdd8c2674e3ec32e0529c40c59cbe46c6da007ec8a5feffd65c4f8339c45e3ac
-
Filesize
10KB
MD528fbea1b986cd73989dd0be7d1ffe68d
SHA13d9e2d7bab2fb7cf1e362dba3921267714d63795
SHA256d4a9525288f5e06bfc34647d848239eee9d27b52b6fed3fccc51b267fbe99d83
SHA512cb7437d2baa1ae463ba9df07eae299732eb83e09b151cbc1d4cf77903539a71c2227976e7c9417549aabc6ae4618649a89ecf4b7f7632db5070dd4be2fb02bb5
-
Filesize
1.2MB
MD5e930b05efe23891d19bc354a4209be3e
SHA1d1f7832035c3e8a73cc78afd28cfd7f4cece6d20
SHA25692804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50
SHA512a7a59176ca275d5d5ea6547108907bbe8ddbf3489308b3d6efe571b685de7e6263d36d6580abe9587a7f77adc22d3b7b164ad42845b6c110b794eaba7ab47ec6