Summary | ZeroBOX

gg.dll

Generic Malware, Malicious Library, UPX, Malicious Packer, PE64, PE File, DLL, OS Processor Check
Category FILE
Machine s1_win7_x6403_us
Started July 11, 2024, 1:15 p.m.
Completed July 11, 2024, 1:17 p.m.
Size 154.0KB
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 fb440753675363fa570a94c2f907034f
SHA256 3e55b8f83888876023896576cc5849a86a0e5d9828df89e93de2d6e7e0e037e9
CRC32 C0D46398
ssdeep 3072:VUlkXjDlAZ9s1GOSPZhegBka+zfkUlm58nIJnJlrotSIMX2aDgsL0GZa:XlAQmPZIgeBfXW8ax0GZ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0
IsDebuggerPresent 0 0

section _RDATA
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582
rundll32+0x3023 @ 0xff433023
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1634016
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1637488
registers.r11: 646
registers.r8: 2530416610888666879
registers.r9: 265129222
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2003237070
registers.r13: 0
1 0 0

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582
rundll32+0x3023 @ 0xff433023
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1895664
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1899136
registers.r11: 646
registers.r8: 1188961650523237211
registers.r9: 771656669
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2002975673
registers.r13: 0
1 0 0

__exception__

stacktrace:
DhcpNewPktHook+0x2b DnsPluginCleanup-0x75 gg+0x120f @ 0x7fef3f3120f
rundll32+0x2f42 @ 0xff432f42
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 47 1c 4b 8d 14 52 48 8d 2d c2 f7 01 00 66
exception.instruction: movzx eax, word ptr [rdi + 0x1c]
exception.exception_code: 0xc0000005
exception.symbol: DhcpNewPktHook+0x2b DnsPluginCleanup-0x75 gg+0x120f
exception.address: 0x7fef3f3120f
registers.r14: 0
registers.r15: 0
registers.rcx: 65892
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1310560
registers.r11: 0
registers.r8: 1950064
registers.r9: 10
registers.rdx: 4282580992
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 65892
registers.r13: 0
1 0 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x5bc gg+0x1580 @ 0x7fef3f31580
rundll32+0x2f42 @ 0xff432f42
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 8b 30 01 00 00 4c 8d 46 20 44 8b 8b 14 01
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x5bc gg+0x1580
exception.address: 0x7fef3f31580
registers.r14: 0
registers.r15: 0
registers.rcx: 3175328
registers.rsi: 0
registers.r10: 27
registers.rbx: 0
registers.rsp: 982176
registers.r11: 981184
registers.r8: 8791596032272
registers.r9: 981072
registers.rdx: 3
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3175280
registers.r13: 0
1 0 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x5bc gg+0x1580 @ 0x7fef3f31580
rundll32+0x2f42 @ 0xff432f42
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 8b 30 01 00 00 4c 8d 46 20 44 8b 8b 14 01
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x5bc gg+0x1580
exception.address: 0x7fef3f31580
registers.r14: 0
registers.r15: 0
registers.rcx: 1012656
registers.rsi: 0
registers.r10: 27
registers.rbx: 0
registers.rsp: 2424544
registers.r11: 2423552
registers.r8: 8791596032272
registers.r9: 2423440
registers.rdx: 3
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1012608
registers.r13: 0
1 0 0

__exception__

stacktrace:
zzzkatz+0x5947 gg+0x8b67 @ 0x7fef3f38b67
zzzkatz+0x58e1 gg+0x8b01 @ 0x7fef3f38b01
zzzkatz+0x515a gg+0x837a @ 0x7fef3f3837a
zzzkatz+0x4bb9 gg+0x7dd9 @ 0x7fef3f37dd9
zzzkatz+0x4895 gg+0x7ab5 @ 0x7fef3f37ab5
zzzkatz+0x4436 gg+0x7656 @ 0x7fef3f37656
zzzkatz+0x5a7d gg+0x8c9d @ 0x7fef3f38c9d
zzzkatz+0x15d0 gg+0x47f0 @ 0x7fef3f347f0
NPLogonNotify+0x65 NPGetCaps-0x47 gg+0x13d9 @ 0x7fef3f313d9
rundll32+0x2f42 @ 0xff432f42
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 0f b7 0e 8b 50 14 c1 ea 0c f6 c2 01 74 0a 49 8b
exception.instruction: movzx ecx, word ptr [rsi]
exception.exception_code: 0xc0000005
exception.symbol: zzzkatz+0x5947 gg+0x8b67
exception.address: 0x7fef3f38b67
registers.r14: 0
registers.r15: 0
registers.rcx: 2096184
registers.rsi: 0
registers.r10: 2096184
registers.rbx: 0
registers.rsp: 2097120
registers.r11: 2094896
registers.r8: 58
registers.r9: 2095096
registers.rdx: 113582075351040
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3306256
registers.r13: 0
1 0 0

__exception__

stacktrace:
SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 gg+0x1537 @ 0x7fef3f31537
rundll32+0x2f42 @ 0xff432f42
rundll32+0x3b7a @ 0xff433b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: c7 02 00 00 01 00 49 89 00 33 c0 41 c7 01 01 00
exception.instruction: mov dword ptr [rdx], 0x10000
exception.exception_code: 0xc0000005
exception.symbol: SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 gg+0x1537
exception.address: 0x7fef3f31537
registers.r14: 0
registers.r15: 0
registers.rcx: 66130
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 851840
registers.r11: 850928
registers.r8: 1819002
registers.r9: 10
registers.rdx: 4282580992
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791596027680
registers.r13: 0
1 0 0

__exception__

stacktrace:
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791596030544
registers.rsi: 0
registers.r10: 0
registers.rbx: 131706
registers.rsp: 1439928
registers.r11: 1440192
registers.r8: 7000
registers.r9: 10
registers.rdx: 4282580992
registers.r12: 10
registers.rbp: 1440192
registers.rdi: 8791596010960
registers.rax: 58536
registers.r13: 0
1 0 0

Lionic Trojan.Win32.Mimikatz.i!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
ALYac Gen:Variant.Tedy.570298
VIPRE Gen:Variant.Tedy.570298
Sangfor Infostealer.Win32.Mimikatz.Vro2
BitDefender Trojan.GenericKD.73437193
Arcabit Trojan.Tedy.D8B3BA
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.DV
APEX Malicious
Avast Win64:PWSX-gen [Trj]
Kaspersky Trojan-PSW.Win32.Mimikatz.nmc
Alibaba TrojanPSW:Win32/Mimikatz.3dce3a7c
MicroWorld-eScan Trojan.GenericKD.73437193
Rising Stealer.Mimikatz!8.1335D (CLOUD)
Emsisoft Gen:Variant.Tedy.570298 (B)
TrendMicro Trojan.Win64.BAZARLOADER.SMYXBIMZ
FireEye Generic.mg.fb440753675363fa
Sophos Mal/Generic-S
Ikarus PUA.Generic
Webroot W32.Mimikatz
Google Detected
Antiy-AVL Trojan[PSW]/Win32.Mimikatz
Kingsoft Win32.Trojan-PSW.Mimikatz.nmc
Gridinsoft Trojan.Win64.Mimikatz.sa
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm Trojan-PSW.Win32.Mimikatz.nmc
GData Trojan.GenericKD.73437193
Varist W64/ABRisk.TGTV-0435
DeepInstinct MALICIOUS
Panda Trj/Chgt.AD
Tencent Win32.Trojan-QQPass.QQRob.Rgil
MAX malware (ai score=85)
Fortinet W32/PossibleThreat
AVG Win64:PWSX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_60% (D)
alibabacloud HackTool:Win/mimikatz.ntu