mimikatz | 9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5

General

Target

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe
Size

1.4MB
MD5

ca4b96adeeacae4a242ebcb8071004fe
SHA1

38ef3d33101316bc546b195cb9006a8388e685ae
SHA256

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5
SHA512

095a673fd3c99ef69c2341b36ef593ad6361a615bddec2ffe8a86c9bb74342b614a22b64f7506e4d2a21fed3793121b474118d7e401f6a4f7c8230a18fba404d
SSDEEP

24576:szG7MzQX5mTVt8BbOF4zrA2lfI9q17uHGtJfV1ZHH24L:1X6OJlfI9Eu6fZ

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023436-1.dat	mimikatz

Executes dropped EXE 1 IoCs

Processes:

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

pid	Process
3764	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

Drops file in System32 directory 2 IoCs

Processes:

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

description	ioc	Process
File created	\??\c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe
File opened for modification	\??\c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3052	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

description	pid	Process
Token: SeDebugPrivilege	3764	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.execmd.execmd.exe9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

description	pid	Process	procid_target
PID 3288 wrote to memory of 2676	3288	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	83
PID 3288 wrote to memory of 2676	3288	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	83
PID 2676 wrote to memory of 3052	2676	cmd.exe	84
PID 2676 wrote to memory of 3052	2676	cmd.exe	84
PID 3288 wrote to memory of 2752	3288	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	85
PID 3288 wrote to memory of 2752	3288	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	85
PID 2752 wrote to memory of 4460	2752	cmd.exe	86
PID 2752 wrote to memory of 4460	2752	cmd.exe	86
PID 3764 wrote to memory of 660	3764	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	7
PID 3764 wrote to memory of 660	3764	9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe	7

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe
"C:\Users\Admin\AppData\Local\Temp\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineAgent" /tr "c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe" /sc daily /st 15:14:00 /rl highest /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "MicrosoftEdgeUpdateTaskMachineAgent" /tr "c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe" /sc daily /st 15:14:00 /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /run /tn "MicrosoftEdgeUpdateTaskMachineAgent"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "MicrosoftEdgeUpdateTaskMachineAgent"
    3⤵
    PID:4460

\??\c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe
c:\windows\system32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5.exe

Filesize
1.4MB

MD5
ca4b96adeeacae4a242ebcb8071004fe

SHA1
38ef3d33101316bc546b195cb9006a8388e685ae

SHA256
9c75a42b4dbd0d89a8bfb33bc23def62d4d38a63d6b6226f95b68202298b3ee5

SHA512
095a673fd3c99ef69c2341b36ef593ad6361a615bddec2ffe8a86c9bb74342b614a22b64f7506e4d2a21fed3793121b474118d7e401f6a4f7c8230a18fba404d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads