mimikatz | efab2072095d507acf7eebe1d8e2641d741e62688edd926cf1a52c8899bb5b66

General

Target

mimilib.exe
Size

400KB
MD5

52d843d99b8783b0eda83ec6a35cc37a
SHA1

40bc79ac3ff1ac7b533c92a9991d528790fb06fd
SHA256

efab2072095d507acf7eebe1d8e2641d741e62688edd926cf1a52c8899bb5b66
SHA512

fb5c4ae50c111ed507cae077867cf94a4a9f571dc3a5fdea99a63a8daa92096028d848c9a36c5fcb8f2cb3a9478eb45866757bfbab2f56e5e255a95710c243eb
SSDEEP

12288:I/XEXxg5SJgzF9X+t4Uq9TUVAO/b2G5jNhZ1L:I/XEXjJSFHUKat/TNpL

Score

10^/10

mimikatz defense_evasion discovery privilege_escalation

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023d2d-14.dat	mimikatz

Downloads MZ/PE file 1 IoCs

flow	pid	Process
19	796	Process not Found

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000\Control Panel\International\Geo\Nation	mimilib.exe

Executes dropped EXE 2 IoCs

pid	Process
4152	KURspp.exe
672	Process not Found

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4868	runas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mimilib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KURspp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2276	MicrosoftEdgeUpdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3591594829-2464889670-1367169939-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2764	732	mimilib.exe	85
PID 732 wrote to memory of 2764	732	mimilib.exe	85
PID 732 wrote to memory of 2764	732	mimilib.exe	85
PID 2764 wrote to memory of 4152	2764	cmd.exe	88
PID 2764 wrote to memory of 4152	2764	cmd.exe	88
PID 2764 wrote to memory of 4152	2764	cmd.exe	88
PID 2764 wrote to memory of 1112	2764	cmd.exe	89
PID 2764 wrote to memory of 1112	2764	cmd.exe	89
PID 2764 wrote to memory of 1112	2764	cmd.exe	89
PID 1112 wrote to memory of 3440	1112	net.exe	90
PID 1112 wrote to memory of 3440	1112	net.exe	90
PID 1112 wrote to memory of 3440	1112	net.exe	90
PID 2764 wrote to memory of 4956	2764	cmd.exe	91
PID 2764 wrote to memory of 4956	2764	cmd.exe	91
PID 2764 wrote to memory of 4956	2764	cmd.exe	91
PID 2764 wrote to memory of 4868	2764	cmd.exe	92
PID 2764 wrote to memory of 4868	2764	cmd.exe	92
PID 2764 wrote to memory of 4868	2764	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\mimilib.exe
"C:\Users\Admin\AppData\Local\Temp\mimilib.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\DRM\batch.bat" "
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\ProgramData\Microsoft\DRM\KURspp.exe
    C:\ProgramData\Microsoft\DRM\KURspp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4152
- - C:\Windows\SysWOW64\net.exe
    net user Admin password
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin password
      4⤵
      System Location Discovery: System Language Discovery
      PID:3440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Microsoft\DRM\pass.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4956
- - C:\Windows\SysWOW64\runas.exe
    runas /USER:Admin cmd
    3⤵
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDBGRjkyQjUtM0EyRi00RTQ0LTgxN0ItNTk0RDJDREE3OUI3fSIgdXNlcmlkPSJ7RTg3NEFCODAtRkZCNS00OEY3LUEwOTgtQUU0MEYzNjA5RDE2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzkzMjgwQjUtMDZGMS00REY0LThFOTAtRUM4MjdFRDg2QTNGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTU0OTYxNTM3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\DRM\KURspp.exe

Filesize
109KB

MD5
b0220c78ac4d60097bcda4eb2c57aaf0

SHA1
0568e8bc084e4474533b7664d02af76ddea14eb1

SHA256
850bf85db1c26fb6d49438bdc913a4ceddae057e58325af60ff26a69310b7dfe

SHA512
0bce51c051ae2d1527ddda74fe22406e88bf2b3b23ec4e70668e6ff929864a25653a4f3f59094242e1278d348a45c5e30ffb6294c77431396b744bb0639c3159

Download Submit
C:\ProgramData\Microsoft\DRM\batch.bat

Filesize
107B

MD5
db0fde9dbdf881756c0507885a5e3fdb

SHA1
36bbcd4e2ec1a7adb4bc483773e2b98fbd802955

SHA256
f6dbd5c6c24471d8a1f0738902ae39a490b0d447d9d00c5f4cbc45089abba917

SHA512
e5a2dbd58fb628876a486de296420bf3ddb979cbe95e34cb0752f3ea53e2e8c412ca251c384e19b178259edb3d60fda8039bec4536646c30ffdaadbb22d3cfb8

Download Submit
C:\ProgramData\Microsoft\DRM\mediadrm.dll

Filesize
138KB

MD5
be57543e1b5b2978abf5d27690aeceac

SHA1
95bcbbe4b6745d42cc1b4b56838e6cb04f136b02

SHA256
d4f421c985f1786f603bd1eaf4232d5a0d56b5ee8a7f02e0da978b478f060af2

SHA512
d03cefeacc5bce6873b4aca253085001934d099199354d9a5dbbc86d075013d91552dce1727a968db96ad9de35da61f58d56b95116bec4b2f5574530275fe797

Download Submit
C:\ProgramData\Microsoft\DRM\pass.vbs

Filesize
103B

MD5
4eb93bc96cd33392eeb669cf1f9371e5

SHA1
80752891adcc9f4ac47668b668dc289ec9bd9836

SHA256
7eb2bbc569ff73a97730a41c2c3a4812e225b480e88231032c79d0cb8a562adf

SHA512
f85b0e649510ea2e3ac3ba50aa97079897361038461cfe7f535750055f96401e276bb4752aaa19508342c7cf1df49317db60d4da2b807da4b0b6f3692c5286e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads