Summary | ZeroBOX

mimilib.dll

Tags: Malicious Packer, PE64, PE File, DLL

Category: FILE
Machine: s1_win7_x6403_us
Started: April 25, 2023, 5:46 p.m.
Completed: April 25, 2023, 5:49 p.m.

Size: 36.5KB
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5: 67651e9d2da634adedbe216948d5f752
SHA256: aef6ce3014add838cf676b57957d630cd2bb15b0c9193cf349bcffecddbc3623
CRC32: 3F68684A
ssdeep: 768:CsdDjdgqUQv+EAZJimW8ahsNekFkTn5btsnsFfZ9kYeUveejil0g:vU+LuaaQkFkTn5b+sFhW7ejil
Yara
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

(The IsDebuggerPresent entry above is logged 19 times with identical values.)

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582
rundll32+0x3023 @ 0xffea3023
rundll32+0x3b7a @ 0xffea3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1634608
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1638080
registers.r11: 646
registers.r8: 4926819068847118417
registers.r9: 1653552140
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2003232264
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mimilib+0x15a5 @ 0x7fef53215a5
rundll32+0x2f42 @ 0xffea2f42
rundll32+0x3b7a @ 0xffea3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 8b 30 01 00 00 44 8b 8b 14 01 00 00 4c 8d
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mimilib+0x15a5
exception.address: 0x7fef53215a5
registers.r14: 0
registers.r15: 0
registers.rcx: 2621136
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1637760
registers.r11: 514
registers.r8: 8791771916416
registers.r9: 1635440
registers.rdx: 3
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791771917072
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mimilib+0x15a5 @ 0x7fef53215a5
rundll32+0x2f42 @ 0xffea2f42
rundll32+0x3b7a @ 0xffea3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 8b 30 01 00 00 44 8b 8b 14 01 00 00 4c 8d
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x35 DllGetClassObject-0x5f3 mimilib+0x15a5
exception.address: 0x7fef53215a5
registers.r14: 0
registers.r15: 0
registers.rcx: 2293456
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2162400
registers.r11: 514
registers.r8: 8791771916416
registers.r9: 2160080
registers.rdx: 3
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791771917072
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace:
_wtol+0x82 wcstoul-0x2f2 msvcrt+0x3742 @ 0x7fefe683742
_wtol+0x7a wcstoul-0x2fa msvcrt+0x373a @ 0x7fefe68373a
_vfprintf_p+0xd6 _vfwprintf_l-0x32 msvcrt+0x5a642 @ 0x7fefe6da642
vfwprintf+0x1e vfwprintf_s-0xe msvcrt+0x5a716 @ 0x7fefe6da716
mimikatz+0x19b2 mimilib+0x4b56 @ 0x7fef5324b56
NPLogonNotify+0x66 NPGetCaps-0x4a mimilib+0x1406 @ 0x7fef5321406
rundll32+0x2f42 @ 0xffea2f42
rundll32+0x3b7a @ 0xffea3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 4d 00 4c 8b c7 48 8b d6 ff cb e8 d9 f8 ff
exception.symbol: _wtol+0x82 wcstoul-0x2f2 msvcrt+0x3742
exception.instruction: movzx ecx, word ptr [rbp]
exception.module: msvcrt.dll
exception.exception_code: 0xc0000005
exception.offset: 14146
exception.address: 0x7fefe683742
registers.r14: 0
registers.r15: 0
registers.rcx: 1153065799487445858
registers.rsi: 0
registers.r10: 32
registers.rbx: 0
registers.rsp: 981776
registers.r11: 48
registers.r8: 8791771917072
registers.r9: 979728
registers.rdx: 56
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace:
SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mimilib+0x155b @ 0x7fef532155b
rundll32+0x2f42 @ 0xffea2f42
rundll32+0x3b7a @ 0xffea3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: c7 02 00 00 01 00 49 89 00 41 c7 01 01 00 00 00
exception.instruction: mov dword ptr [rdx], 0x10000
exception.exception_code: 0xc0000005
exception.symbol: SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mimilib+0x155b
exception.address: 0x7fef532155b
registers.r14: 0
registers.r15: 0
registers.rcx: 65900
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2162080
registers.r11: 2161168
registers.r8: 2736548
registers.r9: 10
registers.rdx: 4293525504
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791616820496
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace: (empty)

exception.symbol: (empty)
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791616812208
registers.rsi: 0
registers.r10: 0
registers.rbx: 131434
registers.rsp: 1308664
registers.r11: 1308304
registers.r8: 3064154
registers.r9: 10
registers.rdx: 4293525504
registers.r12: 10
registers.rbp: 3064048
registers.rdi: -1
registers.rax: 131434
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace: (empty)

exception.symbol: (empty)
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791616811424
registers.rsi: 0
registers.r10: 0
registers.rbx: 131440
registers.rsp: 1637688
registers.r11: 8791616822336
registers.r8: 0
registers.r9: 0
registers.rdx: 49578
registers.r12: 10
registers.rbp: 2277664
registers.rdi: -1
registers.rax: 8791616822336
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

__exception__

stacktrace: (empty)

exception.symbol: (empty)
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791616812304
registers.rsi: 0
registers.r10: 0
registers.rbx: 8791616807664
registers.rsp: 1636872
registers.r11: 1636784
registers.r8: 7000
registers.r9: 10
registers.rdx: 4293525504
registers.r12: 10
registers.rbp: 2736368
registers.rdi: -1
registers.rax: 58536
registers.r13: 0
Status: 1 Return: 0 Repeated: 0

Antivirus (Vendor Detection)

Lionic Trojan.Win64.Mimikatz.i!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
McAfee HTool-Mimikatz
Cylance unsafe
Zillya Tool.Mimikatz.Win64.2153
Sangfor Riskware.Win64.Mimikatz.V0rc
K7AntiVirus Hacktool ( 0043c1591 )
Alibaba Trojan:Win32/Mimikatz.4b1
K7GW Hacktool ( 0043c1591 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Mimikatz.10
Cyren W64/Mimikatz.N
Symantec Hacktool.Mimikatz
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.U
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Mimikatz.gen
BitDefender Gen:Variant.Mimikatz.10
NANO-Antivirus Trojan.Win64.Mimikatz.jsrsjg
MicroWorld-eScan Gen:Variant.Mimikatz.10
Avast Win64:MalwareX-gen [Trj]
Tencent Trojan.Win64.Mimikatz.a
Emsisoft Gen:Variant.Mimikatz.10 (B)
F-Secure Trojan.TR/AD.Mimikatz.lqmhd
DrWeb Tool.Mimikatz.1198
VIPRE Gen:Variant.Mimikatz.10
TrendMicro Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfee-GW-Edition HTool-Mimikatz
FireEye Generic.mg.67651e9d2da634ad
Sophos ATK/Apteryx-Gen
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.PSW.Mimikatz.cqg
Webroot W32.Hacktool.Gen
Avira TR/AD.Mimikatz.lqmhd
Antiy-AVL Trojan[PSW]/Win64.Mimikatz
Gridinsoft Virtool.Win64.Mimikatz.dd!n
Microsoft HackTool:Win64/Mikatz!dha
ViRobot HackTool.S.Mimikatz.37376
ZoneAlarm HEUR:Trojan.Win32.Mimikatz.gen
GData Win32.Riskware.Mimikatz.C
Google Detected
AhnLab-V3 Trojan/Win.Mimikatz.R451356
ALYac Gen:Variant.Mimikatz.10
MAX malware (ai score=87)
Malwarebytes Mimikatz.Spyware.Stealer.DDS
Panda Trj/CI.A
TrendMicro-HouseCall HKTL_MIMIKATZ64
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Yandex Riskware.Mimikatz!5N98LJ61WxY
Ikarus HackTool.Mimikatz