Overview

overview

10

Static

static

3

dcb3ab43a6...80.exe

windows7-x64

1

dcb3ab43a6...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2024 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dcb3ab43a6ea430667bd1b5283ef0db79b2349031c0e91b3b4e1403b24c98d80.exe

  • Size

    1.6MB

  • MD5

    9ff9e0b9601d48a256409e5831a086be

  • SHA1

    b004eb0dae356da360b3efe55c8b281e0dc93b64

  • SHA256

    dcb3ab43a6ea430667bd1b5283ef0db79b2349031c0e91b3b4e1403b24c98d80

  • SHA512

    da597b90a515a538a29519e7491afb270f3b32157a5fc289467198c0836436acda056ae27969e56f83462d6fa20aa3e24348bd462e39e73d50b50328bc302f1d

  • SSDEEP

    6144:6VXtCGgA9T7uUVaIvbXCRxo2HHVKwIsgKNEYcevyODHqwsfPuu4TJ+voESuxDnxS:6VW+mu3wpgFl+98rOJx

Score
10/10
mimikatz

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Mimikatz family
    mimikatz
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:676
  • C:\Windows\sysmon.exe
    C:\Windows\sysmon.exe
    1⤵
      PID:2920
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3508
        • C:\Users\Admin\AppData\Local\Temp\dcb3ab43a6ea430667bd1b5283ef0db79b2349031c0e91b3b4e1403b24c98d80.exe
          "C:\Users\Admin\AppData\Local\Temp\dcb3ab43a6ea430667bd1b5283ef0db79b2349031c0e91b3b4e1403b24c98d80.exe"
          2⤵
            PID:1844
            • C:\Windows\System32\werfault.exe
              \??\C:\Windows\System32\werfault.exe
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Windows\system32\rundll32.exe
                C:\Windows\system32\rundll32.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1400
                • C:\Windows\system32\ipconfig.exe
                  "C:\Windows\system32\ipconfig.exe" /all
                  5⤵
                  • Gathers network information
                  PID:1016
              • C:\Windows\system32\rundll32.exe
                C:\Windows\system32\rundll32.exe
                4⤵
                  PID:2348
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /C set
                  4⤵
                    PID:4724
                  • C:\Windows\system32\rundll32.exe
                    C:\Windows\system32\rundll32.exe
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1780
                  • C:\Windows\system32\rundll32.exe
                    C:\Windows\system32\rundll32.exe
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2564
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
              1⤵
                PID:3160
              • C:\Windows\system32\BackgroundTransferHost.exe
                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                1⤵
                  PID:1784

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/676-30-0x0000023AC5F40000-0x0000023AC5F41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1196-1-0x0000020E12330000-0x0000020E1237C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/1196-2-0x0000020E12620000-0x0000020E12678000-memory.dmp

                  Filesize

                  352KB

                  Download

                • memory/1196-3-0x0000020E12620000-0x0000020E12678000-memory.dmp

                  Filesize

                  352KB

                  Download

                • memory/1400-10-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-11-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-6-0x000002201EA00000-0x000002201EA26000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/1400-7-0x00007FFA891A5000-0x00007FFA891A6000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1400-8-0x000002201EE60000-0x000002201EE68000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/1400-9-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-25-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-5-0x000002201EA00000-0x000002201EA26000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/1400-12-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-13-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-4-0x000002201E750000-0x000002201E772000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/1400-28-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/1400-26-0x00007FFA891A5000-0x00007FFA891A6000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1400-17-0x000002201EA00000-0x000002201EA26000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/1780-27-0x000002118DB50000-0x000002118DB9D000-memory.dmp

                  Filesize

                  308KB

                  Download

                • memory/1844-0-0x00007FFAA89F0000-0x00007FFAA8BE5000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/2348-16-0x0000014CDAF10000-0x0000014CDAF36000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2348-18-0x00007FFA891A5000-0x00007FFA891A6000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2348-22-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2348-23-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2348-24-0x0000014CDAF10000-0x0000014CDAF36000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2348-20-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2348-19-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2348-21-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2348-15-0x0000014CDAF10000-0x0000014CDAF36000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2348-36-0x0000014CDAF10000-0x0000014CDAF36000-memory.dmp

                  Filesize

                  152KB

                  Download

                • memory/2348-14-0x0000014CDAC70000-0x0000014CDAC92000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/2348-35-0x00007FFA88EF0000-0x00007FFA89891000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/2564-29-0x000001F9B4990000-0x000001F9B49A5000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/3508-37-0x0000000002690000-0x00000000026A5000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/3508-38-0x0000000007CF0000-0x0000000007D09000-memory.dmp

                  Filesize

                  100KB

                  Download