mimikatz | efab2072095d507acf7eebe1d8e2641d741e62688edd926cf1a52c8899bb5b66

General

Target

mimilib.exe
Size

400KB
MD5

52d843d99b8783b0eda83ec6a35cc37a
SHA1

40bc79ac3ff1ac7b533c92a9991d528790fb06fd
SHA256

efab2072095d507acf7eebe1d8e2641d741e62688edd926cf1a52c8899bb5b66
SHA512

fb5c4ae50c111ed507cae077867cf94a4a9f571dc3a5fdea99a63a8daa92096028d848c9a36c5fcb8f2cb3a9478eb45866757bfbab2f56e5e255a95710c243eb
SSDEEP

12288:I/XEXxg5SJgzF9X+t4Uq9TUVAO/b2G5jNhZ1L:I/XEXjJSFHUKat/TNpL

Score

10^/10

mimikatz defense_evasion discovery privilege_escalation

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000016c1a-26.dat	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
2140	KURspp.exe
480	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2560	cmd.exe
2560	cmd.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3016	runas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimilib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2560	2588	mimilib.exe	31
PID 2588 wrote to memory of 2560	2588	mimilib.exe	31
PID 2588 wrote to memory of 2560	2588	mimilib.exe	31
PID 2588 wrote to memory of 2560	2588	mimilib.exe	31
PID 2560 wrote to memory of 2140	2560	cmd.exe	33
PID 2560 wrote to memory of 2140	2560	cmd.exe	33
PID 2560 wrote to memory of 2140	2560	cmd.exe	33
PID 2560 wrote to memory of 2140	2560	cmd.exe	33
PID 2560 wrote to memory of 2424	2560	cmd.exe	34
PID 2560 wrote to memory of 2424	2560	cmd.exe	34
PID 2560 wrote to memory of 2424	2560	cmd.exe	34
PID 2560 wrote to memory of 2424	2560	cmd.exe	34
PID 2424 wrote to memory of 2884	2424	net.exe	35
PID 2424 wrote to memory of 2884	2424	net.exe	35
PID 2424 wrote to memory of 2884	2424	net.exe	35
PID 2424 wrote to memory of 2884	2424	net.exe	35
PID 2560 wrote to memory of 2792	2560	cmd.exe	36
PID 2560 wrote to memory of 2792	2560	cmd.exe	36
PID 2560 wrote to memory of 2792	2560	cmd.exe	36
PID 2560 wrote to memory of 2792	2560	cmd.exe	36
PID 2560 wrote to memory of 3016	2560	cmd.exe	37
PID 2560 wrote to memory of 3016	2560	cmd.exe	37
PID 2560 wrote to memory of 3016	2560	cmd.exe	37
PID 2560 wrote to memory of 3016	2560	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\mimilib.exe
"C:\Users\Admin\AppData\Local\Temp\mimilib.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\Microsoft\DRM\batch.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\ProgramData\Microsoft\DRM\KURspp.exe
    C:\ProgramData\Microsoft\DRM\KURspp.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Windows\SysWOW64\net.exe
    net user Admin password
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin password
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Microsoft\DRM\pass.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\runas.exe
    runas /USER:Admin cmd
    3⤵
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DRM\KURspp.exe

Filesize
109KB

MD5
b0220c78ac4d60097bcda4eb2c57aaf0

SHA1
0568e8bc084e4474533b7664d02af76ddea14eb1

SHA256
850bf85db1c26fb6d49438bdc913a4ceddae057e58325af60ff26a69310b7dfe

SHA512
0bce51c051ae2d1527ddda74fe22406e88bf2b3b23ec4e70668e6ff929864a25653a4f3f59094242e1278d348a45c5e30ffb6294c77431396b744bb0639c3159

Download Submit
C:\ProgramData\Microsoft\DRM\batch.bat

Filesize
107B

MD5
db0fde9dbdf881756c0507885a5e3fdb

SHA1
36bbcd4e2ec1a7adb4bc483773e2b98fbd802955

SHA256
f6dbd5c6c24471d8a1f0738902ae39a490b0d447d9d00c5f4cbc45089abba917

SHA512
e5a2dbd58fb628876a486de296420bf3ddb979cbe95e34cb0752f3ea53e2e8c412ca251c384e19b178259edb3d60fda8039bec4536646c30ffdaadbb22d3cfb8

Download Submit
C:\ProgramData\Microsoft\DRM\pass.vbs

Filesize
103B

MD5
4eb93bc96cd33392eeb669cf1f9371e5

SHA1
80752891adcc9f4ac47668b668dc289ec9bd9836

SHA256
7eb2bbc569ff73a97730a41c2c3a4812e225b480e88231032c79d0cb8a562adf

SHA512
f85b0e649510ea2e3ac3ba50aa97079897361038461cfe7f535750055f96401e276bb4752aaa19508342c7cf1df49317db60d4da2b807da4b0b6f3692c5286e9

Download Submit
\ProgramData\Microsoft\DRM\mediadrm.dll

Filesize
138KB

MD5
be57543e1b5b2978abf5d27690aeceac

SHA1
95bcbbe4b6745d42cc1b4b56838e6cb04f136b02

SHA256
d4f421c985f1786f603bd1eaf4232d5a0d56b5ee8a7f02e0da978b478f060af2

SHA512
d03cefeacc5bce6873b4aca253085001934d099199354d9a5dbbc86d075013d91552dce1727a968db96ad9de35da61f58d56b95116bec4b2f5574530275fe797

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads