mimikatz | 57b7a71a547177dd70ce0a69109bbdd2138541c875ae0330c6b71ad16d1b9442

Analysis

max time kernel
31s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 07:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
Size

9.0MB
MD5

85fc44842dc0edd70684564be9bb4a2a
SHA1

4c3aaff62b1f82db8db216b54f52c177eeab320c
SHA256

57b7a71a547177dd70ce0a69109bbdd2138541c875ae0330c6b71ad16d1b9442
SHA512

fb507676114ace38e9237322d80fea91a03d2ad7b84c883288f0633dcbced1a03128cd074bf1a74cc9a67daef6d56dcc10a2647b80ebe684856351e409a28993
SSDEEP

196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1

Score

10^/10

mimikatz discovery persistence privilege_escalation

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4228-0-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/memory/4228-4-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz
behavioral2/files/0x000700000002345c-6.dat	mimikatz
behavioral2/memory/1572-8-0x0000000000400000-0x0000000000A9B000-memory.dmp	mimikatz

Drops file in Drivers directory 1 IoCs

Processes:

itugbag.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	itugbag.exe

Executes dropped EXE 2 IoCs

Processes:

itugbag.exeitugbag.exe

pid	Process
1572	itugbag.exe
4756	itugbag.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe

description	ioc	Process
File created	C:\Windows\wbpqcagd\itugbag.exe	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
File opened for modification	C:\Windows\wbpqcagd\itugbag.exe	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.execmd.exePING.EXEitugbag.exenetsh.exeitugbag.exenetsh.execmd.execmd.execacls.execmd.execacls.exenetsh.execacls.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itugbag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itugbag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
1484	cmd.exe
2064	PING.EXE

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
behavioral2/files/0x000700000002345c-6.dat	nsis_installer_2

Modifies data under HKEY_USERS 5 IoCs

Processes:

itugbag.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	itugbag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	itugbag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	itugbag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	itugbag.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	itugbag.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

itugbag.exe

pid	Process
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe

pid	Process
4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exeitugbag.exeitugbag.exe

description	pid	Process
Token: SeDebugPrivilege	4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
Token: SeDebugPrivilege	1572	itugbag.exe
Token: SeDebugPrivilege	4756	itugbag.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exeitugbag.exeitugbag.exe

pid	Process
4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
1572	itugbag.exe
1572	itugbag.exe
4756	itugbag.exe
4756	itugbag.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.execmd.exeitugbag.execmd.exe

description	pid	Process	procid_target
PID 4228 wrote to memory of 1484	4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe	82
PID 4228 wrote to memory of 1484	4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe	82
PID 4228 wrote to memory of 1484	4228	2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe	82
PID 1484 wrote to memory of 2064	1484	cmd.exe	84
PID 1484 wrote to memory of 2064	1484	cmd.exe	84
PID 1484 wrote to memory of 2064	1484	cmd.exe	84
PID 1484 wrote to memory of 1572	1484	cmd.exe	85
PID 1484 wrote to memory of 1572	1484	cmd.exe	85
PID 1484 wrote to memory of 1572	1484	cmd.exe	85
PID 4756 wrote to memory of 1752	4756	itugbag.exe	87
PID 4756 wrote to memory of 1752	4756	itugbag.exe	87
PID 4756 wrote to memory of 1752	4756	itugbag.exe	87
PID 1752 wrote to memory of 3056	1752	cmd.exe	89
PID 1752 wrote to memory of 3056	1752	cmd.exe	89
PID 1752 wrote to memory of 3056	1752	cmd.exe	89
PID 1752 wrote to memory of 2556	1752	cmd.exe	90
PID 1752 wrote to memory of 2556	1752	cmd.exe	90
PID 1752 wrote to memory of 2556	1752	cmd.exe	90
PID 1752 wrote to memory of 2452	1752	cmd.exe	91
PID 1752 wrote to memory of 2452	1752	cmd.exe	91
PID 1752 wrote to memory of 2452	1752	cmd.exe	91
PID 1752 wrote to memory of 2492	1752	cmd.exe	92
PID 1752 wrote to memory of 2492	1752	cmd.exe	92
PID 1752 wrote to memory of 2492	1752	cmd.exe	92
PID 1752 wrote to memory of 4556	1752	cmd.exe	93
PID 1752 wrote to memory of 4556	1752	cmd.exe	93
PID 1752 wrote to memory of 4556	1752	cmd.exe	93
PID 1752 wrote to memory of 928	1752	cmd.exe	94
PID 1752 wrote to memory of 928	1752	cmd.exe	94
PID 1752 wrote to memory of 928	1752	cmd.exe	94
PID 4756 wrote to memory of 3624	4756	itugbag.exe	102
PID 4756 wrote to memory of 3624	4756	itugbag.exe	102
PID 4756 wrote to memory of 3624	4756	itugbag.exe	102
PID 4756 wrote to memory of 620	4756	itugbag.exe	104
PID 4756 wrote to memory of 620	4756	itugbag.exe	104
PID 4756 wrote to memory of 620	4756	itugbag.exe	104
PID 4756 wrote to memory of 2504	4756	itugbag.exe	106
PID 4756 wrote to memory of 2504	4756	itugbag.exe	106
PID 4756 wrote to memory of 2504	4756	itugbag.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-07_85fc44842dc0edd70684564be9bb4a2a_hacktools_icedid_mimikatz.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start C:\Windows\wbpqcagd\itugbag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2064
- - C:\Windows\wbpqcagd\itugbag.exe
    C:\Windows\wbpqcagd\itugbag.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1572

C:\Windows\wbpqcagd\itugbag.exe
C:\Windows\wbpqcagd\itugbag.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D users & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators & echo Y|cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D users
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D administrators
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\system32\drivers\etc\hosts /T /D SYSTEM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static del all
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3624
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add policy name=Bastards description=FuckingBastards
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:620
- C:\Windows\SysWOW64\netsh.exe
  netsh ipsec static add filteraction name=BastardsList action=block
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
c838e174298c403c2bbdf3cb4bdbb597

SHA1
70eeb7dfad9488f14351415800e67454e2b4b95b

SHA256
1891edcf077aa8ed62393138f16e445ef4290a866bccdbb7e2d7529034a66e53

SHA512
c53a52b74d19274c20dece44f46c5d9f37cd0ec28cf39cac8b26ba59712f789c14d1b10b7f5b0efdf7ce3211dda0107792cc42503faa82cb13ffae979d49d376

Download Submit
C:\Windows\wbpqcagd\itugbag.exe

Filesize
9.1MB

MD5
afc8a36fc29d4a58a5b8afdc1fba1349

SHA1
76cd5aafe28db3c11aa445c72ddf0cc789c35cca

SHA256
e2fd40b16ff51ff3bb2dd9af9771d93b06bd595acb304a8e4973ee73028c5332

SHA512
3af42f491a2785dbdf972ae9c5bc878df1b8228960b0bdca0adabe970fe55c159eee2fab12349900285d65c435ec1029e4caaa9d3a44b08aace6120232881aeb

Download Submit
memory/1572-8-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4228-0-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download
memory/4228-4-0x0000000000400000-0x0000000000A9B000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads