mimikatz | 939c4bd2c4468053da289d965da7e91609a4c18f3548cd8457128deb34a907a8

Analysis

max time kernel
337s
max time network
341s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

7.6MB
MD5

7a43dc90a23fc14eced70881471821b6
SHA1

ce9d907962d87dff5842923930bac30f6cecb318
SHA256

939c4bd2c4468053da289d965da7e91609a4c18f3548cd8457128deb34a907a8
SHA512

fefef51a0103d5209781b90262a9e43fd083d952b7f779d6cc0dc7bda713afe2eb021f2080835259fb72e1dcea5e8ae0a60d414a2d0c8e17a20954abe080308e
SSDEEP

196608:4SjsokiY8XMCHGLLc54i1wN+lPIcu9KYK39sI3PPJNMRRccx:LYXoXMCHWUjqcuI3/PJNe

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002aa51-27.dat	mimikatz

Executes dropped EXE 3 IoCs

Processes:

mimikatz.exemimikatz.exemimikatz.exe

pid	Process
4192	mimikatz.exe
3848	mimikatz.exe
1436	mimikatz.exe

Loads dropped DLL 2 IoCs

Processes:

test.exe

pid	Process
2340	test.exe
2340	test.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mimikatz.exeAUDIODG.EXEmimikatz.exe

description	pid	Process
Token: SeDebugPrivilege	4192	mimikatz.exe
Token: 33	3868	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3868	AUDIODG.EXE
Token: SeDebugPrivilege	1436	mimikatz.exe
Token: SeDebugPrivilege	1436	mimikatz.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

test.exetest.exe

description	pid	Process	procid_target
PID 3688 wrote to memory of 2340	3688	test.exe	80
PID 3688 wrote to memory of 2340	3688	test.exe	80
PID 2340 wrote to memory of 4192	2340	test.exe	81
PID 2340 wrote to memory of 4192	2340	test.exe	81

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\Downloads\mimikatz.exe
    C:\Users\Admin\Downloads\mimikatz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Downloads\mimikatz.exe
"C:\Users\Admin\Downloads\mimikatz.exe"
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Users\Admin\Downloads\mimikatz.exe
"C:\Users\Admin\Downloads\mimikatz.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI36882\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\Downloads\mimikatz.exe

Filesize
1.2MB

MD5
e930b05efe23891d19bc354a4209be3e

SHA1
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20

SHA256
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50

SHA512
a7a59176ca275d5d5ea6547108907bbe8ddbf3489308b3d6efe571b685de7e6263d36d6580abe9587a7f77adc22d3b7b164ad42845b6c110b794eaba7ab47ec6

Download Submit