mimikatz | ff2134b2480edf5f1f49e980b352a544b46a4a927382556da944cba0a10fb306

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
Size

10.2MB
MD5

668b61346bcbc37780208b93dbdb25e2
SHA1

9d286221d4171631a9e26bade8abfb216a784efa
SHA256

ff2134b2480edf5f1f49e980b352a544b46a4a927382556da944cba0a10fb306
SHA512

735b9b307013723501880de1749c4c2e477a373f52aa59371482cce59398f29af639a9719457a7cacfa172535e7c3be10f66b8dc8e190c4c9db73e4657cca122
SSDEEP

98304:YmBtyYXmknGzZr+HdO5SEPFtmOZ9G1Md5v/nZVnivsAl0eXTBJYa5roSCaa:I6mknGzwHdOgEPHd9BbX/nivPlTXTYr

Score

10^/10

mimikatz discovery persistence privilege_escalation

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

resource	yara_rule
behavioral2/memory/1676-0-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/memory/1676-4-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz
behavioral2/files/0x000700000002342f-7.dat	mimikatz
behavioral2/memory/4836-8-0x0000000000400000-0x0000000000AA4000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ifzaime.exe

Executes dropped EXE 2 IoCs

pid	Process
4836	ifzaime.exe
384	ifzaime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lhirpauw\ifzaime.exe	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\lhirpauw\ifzaime.exe	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifzaime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifzaime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	PING.EXE
3264	cmd.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002342f-7.dat	nsis_installer_2

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ifzaime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ifzaime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ifzaime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ifzaime.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ifzaime.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	4836	ifzaime.exe
Token: SeDebugPrivilege	384	ifzaime.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
4836	ifzaime.exe
4836	ifzaime.exe
384	ifzaime.exe
384	ifzaime.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 3264	1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe	82
PID 1676 wrote to memory of 3264	1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe	82
PID 1676 wrote to memory of 3264	1676	2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe	82
PID 3264 wrote to memory of 2812	3264	cmd.exe	84
PID 3264 wrote to memory of 2812	3264	cmd.exe	84
PID 3264 wrote to memory of 2812	3264	cmd.exe	84
PID 3264 wrote to memory of 4836	3264	cmd.exe	85
PID 3264 wrote to memory of 4836	3264	cmd.exe	85
PID 3264 wrote to memory of 4836	3264	cmd.exe	85
PID 384 wrote to memory of 3648	384	ifzaime.exe	87
PID 384 wrote to memory of 3648	384	ifzaime.exe	87
PID 384 wrote to memory of 3648	384	ifzaime.exe	87
PID 3648 wrote to memory of 4976	3648	cmd.exe	89
PID 3648 wrote to memory of 4976	3648	cmd.exe	89
PID 3648 wrote to memory of 4976	3648	cmd.exe	89
PID 3648 wrote to memory of 3272	3648	cmd.exe	90
PID 3648 wrote to memory of 3272	3648	cmd.exe	90
PID 3648 wrote to memory of 3272	3648	cmd.exe	90
PID 3648 wrote to memory of 4632	3648	cmd.exe	91
PID 3648 wrote to memory of 4632	3648	cmd.exe	91
PID 3648 wrote to memory of 4632	3648	cmd.exe	91
PID 3648 wrote to memory of 1700	3648	cmd.exe	92
PID 3648 wrote to memory of 1700	3648	cmd.exe	92
PID 3648 wrote to memory of 1700	3648	cmd.exe	92
PID 3648 wrote to memory of 60	3648	cmd.exe	93
PID 3648 wrote to memory of 60	3648	cmd.exe	93
PID 3648 wrote to memory of 60	3648	cmd.exe	93
PID 3648 wrote to memory of 2704	3648	cmd.exe	94
PID 3648 wrote to memory of 2704	3648	cmd.exe	94
PID 3648 wrote to memory of 2704	3648	cmd.exe	94
PID 384 wrote to memory of 2380	384	ifzaime.exe	102
PID 384 wrote to memory of 2380	384	ifzaime.exe	102
PID 384 wrote to memory of 2380	384	ifzaime.exe	102
PID 384 wrote to memory of 1752	384	ifzaime.exe	104
PID 384 wrote to memory of 1752	384	ifzaime.exe	104
PID 384 wrote to memory of 1752	384	ifzaime.exe	104
PID 384 wrote to memory of 1420	384	ifzaime.exe	106
PID 384 wrote to memory of 1420	384	ifzaime.exe	106
PID 384 wrote to memory of 1420	384	ifzaime.exe	106

C:\Users\Admin\AppData\Local\Temp\2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2022-10-22_668b61346bcbc37780208b93dbdb25e2_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\lhirpauw\ifzaime.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2812
- - C:\Windows\lhirpauw\ifzaime.exe
    C:\Windows\lhirpauw\ifzaime.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4836

C:\Windows\lhirpauw\ifzaime.exe
C:\Windows\lhirpauw\ifzaime.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4632
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\lhirpauw\ifzaime.exe

Filesize
10.2MB

MD5
33223e12944c2b45935e99b55784e053

SHA1
3f3c73178052c5dd76337caccbe537f624b4d200

SHA256
e22d8a79dc2e424f745e3207647061612d750d1a415c93cc662e24e2f19268c7

SHA512
4bb010a2510b544511c05d434d451fb568b77a40f73322e90ec311bcd8f9c70eb75b5a78146674598579248db2b0d4746ba00908c57bb917a3dc23a16b5e55dd

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
memory/1676-0-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1676-4-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/4836-8-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download