mimikatz | 1b8e19d90f8fccfbf6c7448315085464150553e0f901a5b816ace97b2b9b53ab

Analysis

max time kernel
480s
max time network
482s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beacon_x64.exe
Size

321KB
MD5

c27f56b0de8b01665662e3a1b22aa582
SHA1

44950fe971cfea5e5613ff1787082e353e3e38eb
SHA256

1b8e19d90f8fccfbf6c7448315085464150553e0f901a5b816ace97b2b9b53ab
SHA512

be0c63d709a446d6cb2d05699da9fec004a0a3d0a748268191da57bce85dd03f677a12d0bfdf7bd1f0d229cda875fbc7f4a8bfaede22fbd2ee581d51baa7ab5c
SSDEEP

6144:CR25Bc7SRe7ZZ/o9Uu8iiK3X8JGjToWyRFZVrM8LyNsAGqmh6+X+sTJJUqYUJn:9BfCeX8eeRFZVVyQhXt12

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 3 IoCs

resource	yara_rule
behavioral1/memory/332-43-0x0000000000060000-0x00000000000AD000-memory.dmp	mimikatz
behavioral1/memory/332-44-0x00000000001D0000-0x0000000000221000-memory.dmp	mimikatz
behavioral1/memory/332-46-0x00000000001D0000-0x0000000000221000-memory.dmp	mimikatz

Blocklisted process makes network request 13 IoCs

flow	pid	Process
20	2280	rundll32.exe
21	2280	rundll32.exe
22	2280	rundll32.exe
25	2280	rundll32.exe
26	2280	rundll32.exe
28	2280	rundll32.exe
30	2280	rundll32.exe
33	2280	rundll32.exe
35	2280	rundll32.exe
36	2280	rundll32.exe
38	2280	rundll32.exe
40	2280	rundll32.exe
41	2280	rundll32.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 332	2416	beacon_x64.exe	32
PID 2416 set thread context of 2928	2416	beacon_x64.exe	34
PID 2416 set thread context of 2656	2416	beacon_x64.exe	35
PID 2416 set thread context of 2776	2416	beacon_x64.exe	36
PID 2416 set thread context of 2280	2416	beacon_x64.exe	37
PID 2280 set thread context of 2404	2280	rundll32.exe	39
PID 2280 set thread context of 2156	2280	rundll32.exe	40

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
332	rundll32.exe
332	rundll32.exe
332	rundll32.exe
332	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	rundll32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 332	2416	beacon_x64.exe	32
PID 2416 wrote to memory of 332	2416	beacon_x64.exe	32
PID 2416 wrote to memory of 332	2416	beacon_x64.exe	32
PID 2416 wrote to memory of 332	2416	beacon_x64.exe	32
PID 2416 wrote to memory of 2928	2416	beacon_x64.exe	34
PID 2416 wrote to memory of 2928	2416	beacon_x64.exe	34
PID 2416 wrote to memory of 2928	2416	beacon_x64.exe	34
PID 2416 wrote to memory of 2928	2416	beacon_x64.exe	34
PID 2416 wrote to memory of 2656	2416	beacon_x64.exe	35
PID 2416 wrote to memory of 2656	2416	beacon_x64.exe	35
PID 2416 wrote to memory of 2656	2416	beacon_x64.exe	35
PID 2416 wrote to memory of 2656	2416	beacon_x64.exe	35
PID 2416 wrote to memory of 2776	2416	beacon_x64.exe	36
PID 2416 wrote to memory of 2776	2416	beacon_x64.exe	36
PID 2416 wrote to memory of 2776	2416	beacon_x64.exe	36
PID 2416 wrote to memory of 2776	2416	beacon_x64.exe	36
PID 2416 wrote to memory of 2280	2416	beacon_x64.exe	37
PID 2416 wrote to memory of 2280	2416	beacon_x64.exe	37
PID 2416 wrote to memory of 2280	2416	beacon_x64.exe	37
PID 2416 wrote to memory of 2280	2416	beacon_x64.exe	37
PID 2280 wrote to memory of 2404	2280	rundll32.exe	39
PID 2280 wrote to memory of 2404	2280	rundll32.exe	39
PID 2280 wrote to memory of 2404	2280	rundll32.exe	39
PID 2280 wrote to memory of 2404	2280	rundll32.exe	39
PID 2280 wrote to memory of 2156	2280	rundll32.exe	40
PID 2280 wrote to memory of 2156	2280	rundll32.exe	40
PID 2280 wrote to memory of 2156	2280	rundll32.exe	40
PID 2280 wrote to memory of 2156	2280	rundll32.exe	40

C:\Users\Admin\AppData\Local\Temp\beacon_x64.exe
"C:\Users\Admin\AppData\Local\Temp\beacon_x64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  PID:2928
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  PID:2656
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  PID:2776
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    PID:2404
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ae4fc5c20101f3aab0cd83d7f3d184f

SHA1
12e0abee212d40b3153a164b36563460ff86d4c6

SHA256
2345d58fbc299a8bd6631318ce6957d13a0d3c6de3eb0ca09bbc4e092aa8a960

SHA512
027afa03504f99412502523bb6f65dda4e71536c6769cc80aee14345829032bd84f0b2edd54cb6b02ac3b4d0219af752e04dca57acb779fd0a435ec8fe3fe4a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
269b9faed129c0c6095f60d2ec766e34

SHA1
2d58d0aa5fb70e2d7bdd01d8f2f21c3ec174bf5e

SHA256
cdab0ba39fecb2e1ec16e15970d8513bc8319f0e8758903aa87db7f486704226

SHA512
b1c1ef7a6e395face0f3cfbdbacb69862ec57b4d6a1b945755c5750ee55097462b2a77078278e4c09f93acf0419d5eda39139770261bf8e0cd1504a2fdb5783e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e8741747bf294dd055db7cd8989b7c4

SHA1
d9d5e1e655b8f6036ce20aefa6716a8e8ba96d96

SHA256
7bb65efe70de15fed627b5444e2723122f704005b3bafe6d7927e3dff377fc96

SHA512
54d287f039168c25b8b4b2076bb99b8941decc0cbe85c47cc4e400a267792ebc26f74ef1a1015586b7e9c9289ca1a5a405f8acd461560f3b3d3412ecba1fa5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
411471ab77a56a3317d5ac93c33aa00e

SHA1
3d476eea2c3f079e6e311b81174e3df3480f06cb

SHA256
9252c9e7b3b8ce660ed7228f2d5130a084f43aab1086a7497c8a24a6a35d2057

SHA512
ac9fd760860ef426911831eec09983790ba07c617c861e4f3f497628dc6524899555a82270f353392d7c90ab749304e3235b22279e41af38c1d574d5ae0dce15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35768128b8017d19ebfc8ec4a6ada846

SHA1
c8705dffb950f74e8aba8194a3bff843c3d781fe

SHA256
7fcee80282f8aa824f9ac1e1f2e0f3aade689e72eb85b65678bb531652b54528

SHA512
e209bf977cf11e3f744c7baf19ed79265b9a7ecac381aebe1e794cf1ba4a48cfb8f3bf817399ef42a725382b315e4aec9a3f4b24b49322ed39c3424becbc41f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
163a4c39b77cae467c5768bfcd83a57d

SHA1
c90f541b302206c751f7402b4e8a2b9f25c9cf67

SHA256
7081eff3381847832be02f6592f183951418493b3c658954702f38948b30790a

SHA512
58ecec926c71f120c9bdb842e7d5beada33a64aade792a8e84cd27052dc0a989f01b38668d961e75f6604845481813a38bac3368eb0c05f8cf7e5a03ccf4a5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66c3d7e20bedf76a96b5c0b910b1fd1a

SHA1
9de1eccc9873e5123c82d004945ac8e0c0a4600b

SHA256
83633bbc26f461dfcc2ded58706d99c67ca7b69dd8b91281b0bacf2e1c213049

SHA512
1732c56a04a311598736bd6e6a79643e7f2c679d0863e69e070d0c4d63823f7b14d8657192d831c07151303c58455ffc0cb6c11c7c706f83df9454aaebdd9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED3E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC21.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/332-46-0x00000000001D0000-0x0000000000221000-memory.dmp

Filesize
324KB

Download
memory/332-44-0x00000000001D0000-0x0000000000221000-memory.dmp

Filesize
324KB

Download
memory/332-43-0x0000000000060000-0x00000000000AD000-memory.dmp

Filesize
308KB

Download
memory/2156-271-0x0000000000130000-0x000000000014B000-memory.dmp

Filesize
108KB

Download
memory/2156-269-0x0000000000060000-0x0000000000078000-memory.dmp

Filesize
96KB

Download
memory/2156-270-0x0000000000060000-0x0000000000078000-memory.dmp

Filesize
96KB

Download
memory/2156-273-0x0000000000130000-0x000000000014B000-memory.dmp

Filesize
108KB

Download
memory/2280-182-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2280-142-0x0000000000060000-0x00000000000AB000-memory.dmp

Filesize
300KB

Download
memory/2280-143-0x0000000000230000-0x0000000000288000-memory.dmp

Filesize
352KB

Download
memory/2404-216-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/2404-213-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/2404-215-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/2404-217-0x00000000001A0000-0x00000000001BF000-memory.dmp

Filesize
124KB

Download
memory/2416-1-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/2416-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2416-19-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/2416-0-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/2656-136-0x0000000000060000-0x0000000000091000-memory.dmp

Filesize
196KB

Download
memory/2656-147-0x0000000000140000-0x0000000000176000-memory.dmp

Filesize
216KB

Download
memory/2656-137-0x0000000000140000-0x0000000000176000-memory.dmp

Filesize
216KB

Download
memory/2776-139-0x0000000000060000-0x0000000000091000-memory.dmp

Filesize
196KB

Download
memory/2776-146-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/2776-140-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/2928-246-0x0000000001D20000-0x0000000001D3F000-memory.dmp

Filesize
124KB

Download
memory/2928-135-0x0000000001D20000-0x0000000001D3F000-memory.dmp

Filesize
124KB

Download
memory/2928-134-0x0000000001D20000-0x0000000001D3F000-memory.dmp

Filesize
124KB

Download
memory/2928-133-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/2928-141-0x0000000001D20000-0x0000000001D3F000-memory.dmp

Filesize
124KB

Download