Analysis

  • max time kernel
    10s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-10-2024 15:49

General

  • Target

    2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe

  • Size

    10.2MB

  • MD5

    668b61346bcbc37780208b93dbdb25e2

  • SHA1

    9d286221d4171631a9e26bade8abfb216a784efa

  • SHA256

    ff2134b2480edf5f1f49e980b352a544b46a4a927382556da944cba0a10fb306

  • SHA512

    735b9b307013723501880de1749c4c2e477a373f52aa59371482cce59398f29af639a9719457a7cacfa172535e7c3be10f66b8dc8e190c4c9db73e4657cca122

  • SSDEEP

    98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score
10/10

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • mimikatz is an open source tool to dump credentials on Windows 4 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
    "C:\Users\Admin\AppData\Local\Temp\2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\eujkczal\jkdzukl.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1976
      • C:\Windows\eujkczal\jkdzukl.exe
        C:\Windows\eujkczal\jkdzukl.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2440
  • C:\Windows\eujkczal\jkdzukl.exe
    C:\Windows\eujkczal\jkdzukl.exe
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2848
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\system32\drivers\etc\hosts /T /D users
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2992
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2612
      • C:\Windows\SysWOW64\cacls.exe
        cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\system32\drivers\etc\hosts

    Filesize

    975B

    MD5

    b5d815ff5310f62de5020591be598bc0

    SHA1

    8013562b0cc2516d16d474308c8982a31b7f5dd0

    SHA256

    a7ea603e6e80aed429a34b68ca8210ae3b082cf6104646ed7f8025c3b304ae85

    SHA512

    4e3175ef0c289e1beea60f51239a98533690505b709f778703502dad3f72e3c7e9aa26e1a3837712ed5e1344e28e5ccff1d63a1245352bbc8435a71e15347a94

  • \Windows\eujkczal\jkdzukl.exe

    Filesize

    10.3MB

    MD5

    844d6464eab58bb2575cd2c453140308

    SHA1

    f839069f6c6792feba4027ed63562cb86cd89310

    SHA256

    584bf5aac4a3956f24567404daec51fb6f1f0c91731465ce61af88ab9ca81a84

    SHA512

    30e485eae9e4092623479c86d04b0742cd4d64785ea80df9469bbc936bc1f8827fd821937655c4a506d966550b5686af26086c92f726f35a50166f27f5c67e42

  • memory/1716-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

    Filesize

    6.6MB

  • memory/1716-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

    Filesize

    6.6MB

  • memory/2440-9-0x0000000000400000-0x0000000000AA4000-memory.dmp

    Filesize

    6.6MB