Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 14, 2021, 9:52 a.m.	Sept. 14, 2021, 9:54 a.m.

Size	3.4MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`a66953b8a3eeee7d5057ddf80b8be962`
SHA256	`e70132be487ca63d5b5d52cfa25273958526dc896c62eaf8bea041339fa8aece`
CRC32	`F9BB5350`
ssdeep	`24576:U8GHcf9/8DdzcolHO21UVrovchJsmpLBs417cy9Cx+pwThJ97Ol2y9l3tN5H/MVa:T58Ddf0xEvwx1qF6dN`
Yara	Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check NPKI_Zero - File included NPKI

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MpxufNjX" C:\Users\test22\AppData\Local\Temp\mimi.dat
544
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\mimi.dat
  2744
  - editplus.exe "editplus.exe"
    1108
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 14, 2021, 9:45 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2021, 9:52 a.m.			0	0
IsDebuggerPresent Sept. 14, 2021, 9:53 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:52 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:53 a.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:53 a.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72043000 process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 14, 2021, 9:46 a.m.	total_number_of_free_bytes: 10929778688 free_bytes_available: 10929778688 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 14, 2021, 9:45 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Win64.Mimikatz.i!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	PS1.Script.43071
McAfee	PS/Dropper.b
Sangfor	Malware.Generic-PS.Save.61540701
K7AntiVirus	Trojan ( 0056ee871 )
K7GW	Trojan ( 0056ee871 )
Arcabit	Generic.PwShell.RefA.C931A605
Baidu	PowerShell.Trojan.Agent.i
Cyren	PSH/Mimikatz.C
Symantec	Trojan.Dropper
ESET-NOD32	PowerShell/Injector.P
TrendMicro-HouseCall	HackTool.PS1.MIMIKATZ.THDBHBA
Avast	PwrSh:MimikatzGen-A [Trj]
Kaspersky	HEUR:Trojan-PSW.Win64.Mimikatz.gen
BitDefender	Generic.PwShell.RefA.C931A605
NANO-Antivirus	Trojan.Script.ExpKit.eydujq
MicroWorld-eScan	Generic.PwShell.RefA.C931A605
Ad-Aware	Generic.PwShell.RefA.C931A605
Emsisoft	Generic.PwShell.RefA.C931A605 (B)
Comodo	TrojWare.Script.Injector.K@81qaij
F-Secure	Trojan.TR/PowerShell.Gen
TrendMicro	HackTool.PS1.MIMIKATZ.THDBHBA
McAfee-GW-Edition	BehavesLike.Dropper.wn
FireEye	Generic.PwShell.RefA.C931A605
Sophos	ATK/Mimikatz-X
Ikarus	Trojan.PS.Agent
Avira	TR/PowerShell.Gen
Antiy-AVL	Trojan/Generic.ASCommon.1BA
Microsoft	HackTool:PowerShell/Mimikatz.F
GData	Generic.PwShell.RefA.C931A605
AhnLab-V3	Trojan/PowerShell.Mimikatz.S1462
ALYac	Generic.PwShell.RefA.C931A605
Tencent	Win32.Trojan-psw.Mimikatz.Xyrt
MAX	malware (ai score=100)
Fortinet	PowerShell/Injector.T!tr
AVG	PwrSh:MimikatzGen-A [Trj]

mimi.dat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All