Summary | ZeroBOX

mimispool.dll

PE64 PE File DLL
Category FILE
Machine s1_win7_x6401
Started April 25, 2023, 5:46 p.m.
Completed April 25, 2023, 5:49 p.m.
Size 10.5KB
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 c6cc0def7d584f431d69126c1cc33a20
SHA256 66928c3316a12091995198710e0c537430dacefac1dbe78f12a331e1520142bd
CRC32 2D5DD9F1
ssdeep 192:DGMoIQaZcsBTSWoH6DlI0zPQ4Ib/me0C0uolZC7:VJxgWFlVC50C0uols
Yara
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx 1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x76df40f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x76df4736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x76df5942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x76df75f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x76d9157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x76d8413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefd4f1582
rundll32+0x3023 @ 0xff1c3023
rundll32+0x3b7a @ 0xff1c3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x76df40f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x76df40f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1174896
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1178368
registers.r11: 646
registers.r8: 281263483800092852
registers.r9: 1937443928
registers.rdx: 1994830928
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1995945795
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0
Lionic Trojan.Win64.Mimikatz.i!c
MicroWorld-eScan Gen:Variant.Mimikatz.10
FireEye Gen:Variant.Mimikatz.10
ALYac Gen:Variant.Mimikatz.10
Malwarebytes Mimikatz.Spyware.Stealer.DDS
Zillya Trojan.Mimikatz.Win64.482
Sangfor Infostealer.Win32.Mimikatz.Vfnv
K7AntiVirus Riskware ( 0040eff71 )
Alibaba TrojanPSW:Win32/Mimikatz.f5bcc2d8
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Mimikatz.10
Cyren W64/Mimikatz.L
Symantec Hacktool.Mimikatz
Elastic malicious (high confidence)
ESET-NOD32 a variant of Generik.BAPJZZG
Cynet Malicious (score: 100)
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.Win64.Mimikatz.gen
BitDefender Gen:Variant.Mimikatz.10
NANO-Antivirus Trojan.Win64.Mimikatz.jsrsix
Avast Win32:CVE-2021-1675-G [Expl]
Tencent Trojan.Win64.Mimikatz.a
Emsisoft Gen:Variant.Mimikatz.10 (B)
DrWeb Tool.Mimikatz.1199
VIPRE Gen:Variant.Mimikatz.10
TrendMicro HKTL_MIMIKATZ64
McAfee-GW-Edition RDN/Generic PWS.y
Sophos ATK/Mimikatz-CR
Jiangmin Trojan.PSW.Mimikatz.cyl
Webroot W32.Hacktool.Gen
Antiy-AVL Trojan[PSW]/Win64.Mimikatz
Gridinsoft Trojan.Win64.Downloader.cl
Microsoft HackTool:Win32/Mimikatz!MSR
ZoneAlarm HEUR:Trojan-PSW.Win64.Mimikatz.gen
GData Gen:Variant.Mimikatz.10
Google Detected
AhnLab-V3 Trojan/Win.Mimikatz.R445129
McAfee RDN/Generic PWS.y
MAX malware (ai score=100)
Cylance unsafe
Panda Trj/CI.A
TrendMicro-HouseCall HKTL_MIMIKATZ64
Rising Trojan.Agent!8.B1E (TFE:6:Z7hKCBfrpcB)
Yandex Trojan.Agent!UfvKYTGIZOw
Ikarus Trojan.PSW.Mimikatz
MaxSecure Trojan.Malware.9545116.susgen
Fortinet W32/PossibleThreat
AVG Win32:CVE-2021-1675-G [Expl]
DeepInstinct MALICIOUS