Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 11, 2024, 1:15 p.m.	July 11, 2024, 1:21 p.m.

Size	150.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`abd6cc945e157b48ef90264ae5f68baa`
SHA256	`1ea8a5f2df236371911746419fdeff66a2c0a05775f6903edc601bef18fe653a`
CRC32	`5F82BA04`
ssdeep	`3072:nOWUkPfx7BEwu8MsYPLci07XfW8n7nTPEFSV0/AUa/Jx:OXy7hkAv77T0APhx`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

get.exe "C:\Users\test22\AppData\Local\Temp\get.exe"
2640

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Locates and dumps memory from the lsass.exe process indicative of credential dumping (50 out of 398 events)

Time & API	Arguments	Status	Return
NtOpenProcess July 11, 2024, 1:08 p.m.	desired_access: 0x00001010 () process_identifier: 460 process_handle: 0x0000000000000078	1	0
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ÿÿÿÿÿÿÿÿèÿ@&æv process_handle: 0x0000000000000078 base_address: 0x000007fffffd6000	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: X@%8ð@P%8@P&8@ process_handle: 0x0000000000000078 base_address: 0x0000000076e62640	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: 0&8P&æv@&8`&ævèÿPèÿÀ:<¨#8Ð#8 process_handle: 0x0000000000000078 base_address: 0x0000000000382540	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: lsass.exe process_handle: 0x0000000000000078 base_address: 0x00000000003823d0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: °)8@%8À)8P%8@+8p&ævÓv:<°$8øSäv process_handle: 0x0000000000000078 base_address: 0x0000000000382630	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ntdll.dll process_handle: 0x0000000000000078 base_address: 0x0000000076e453f8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: +80&80+8@&8p88@+8Áv ^Âvð@B`)8)8 process_handle: 0x0000000000000078 base_address: 0x00000000003829b0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: kernel32.dll process_handle: 0x0000000000000078 base_address: 0x0000000000382988	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: P88°)8`88À)8Ð)8P&8Oýþà0Oýþ°DFÐ8ø8 process_handle: 0x0000000000000078 base_address: 0x0000000000382b20	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: KERNELBASE.dll process_handle: 0x0000000000000078 base_address: 0x0000000000382af8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: :8 +8:80+8 :8Ð)8¯ýþ %¯ýþð <>88(88 process_handle: 0x0000000000000078 base_address: 0x0000000000383850	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: msvcrt.dll process_handle: 0x0000000000000078 base_address: 0x0000000000383828	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ?8P88 ?8`88°?8p88¹ýþPí½ýþÐ<>þ0:8X:8 process_handle: 0x0000000000000078 base_address: 0x0000000000383a80	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: RPCRT4.dll process_handle: 0x0000000000000078 base_address: 0x0000000000383a58	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ::80::80: :8þüþþüþ°>@þ@?8h?8 process_handle: 0x0000000000000078 base_address: 0x0000000000383f90	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: SspiSrv.dll process_handle: 0x0000000000000078 base_address: 0x0000000000383f68	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: :?8 : ?8àÃ:Â:çüþäHçüþp<>ÿÐ:ø: process_handle: 0x0000000000000078 base_address: 0x00000000003a9d20	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: lsasrv.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a9cf8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: MZÿÿ¸@è process_handle: 0x0000000000000078 base_address: 0x000007fefce70000	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: PEd)ÇçLð" process_handle: 0x0000000000000078 base_address: 0x000007fefce700e8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: PEd)ÇçLð" ZÖäHçüþpTÍ@@¯_Tð¸O0±@à øg8àÜp@ÜDÀ process_handle: 0x0000000000000078 base_address: 0x000007fefce700e8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: MZÿÿ¸@è process_handle: 0x0000000000000078 base_address: 0x000007fefce70000	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: PEd)ÇçLð" process_handle: 0x0000000000000078 base_address: 0x000007fefce700e8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: PEd)ÇçLð" ZÖäHçüþpTÍ@@¯_Tð¸O0±@à øg8àÜp@ÜDÀ process_handle: 0x0000000000000078 base_address: 0x000007fefce700e8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: : :°:0:À:°?8Åþþè`Åþþð>@:¨: process_handle: 0x0000000000000078 base_address: 0x00000000003a9e10	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: sechost.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a9ca8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: P::`: :p:0:ÿüþXÿüþP>@þP:x: process_handle: 0x0000000000000078 base_address: 0x00000000003a9fa0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: SspiCli.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a9f78	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: : : :°:0£:À:±þþ`³þþ° l@Bþ:(: process_handle: 0x0000000000000078 base_address: 0x00000000003a9a50	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ADVAPI32.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a9f28	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: à :P:ð :`:ð¿:¡:vÈ¢v <>þ@:h: process_handle: 0x0000000000000078 base_address: 0x00000000003a9b90	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: USER32.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a9b68	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: Ð¡::à¡: :°:ð¡:ýþ<°ýþp:< :¸ : process_handle: 0x0000000000000078 base_address: 0x00000000003aa0e0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: GDI32.dll process_handle: 0x0000000000000078 base_address: 0x00000000003aa0b8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: £:à : £:ð :¡:0£:{ýþ{ýþà68P:x: process_handle: 0x0000000000000078 base_address: 0x00000000003aa1d0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: LPK.dll process_handle: 0x0000000000000078 base_address: 0x00000000003a8278	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: Ð®:Ð¡:à®:à¡:ð¡:p:nýþt¨uýþ:<À¢:è¢: process_handle: 0x0000000000000078 base_address: 0x00000000003aa310	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: USP10.dll process_handle: 0x0000000000000078 base_address: 0x00000000003aa2e8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: Ð¿:£:à¿: £:Á:ð¿:Ùüþ\|ÙüþÐ<>®:¨®: process_handle: 0x0000000000000078 base_address: 0x00000000003aaed0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: SAMSRV.dll process_handle: 0x0000000000000078 base_address: 0x00000000003aaea8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ðÀ:Ð®:Á:à®:ð®:°:Öüþ`AÖüþ@@BP°:x°: process_handle: 0x0000000000000078 base_address: 0x00000000003abfd0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: cryptdll.dll process_handle: 0x0000000000000078 base_address: 0x00000000003ab078	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: àÁ:Ð¿:ðÁ:à¿:Â:ð®:#ýþ #ýþð<>þ°:(°: process_handle: 0x0000000000000078 base_address: 0x00000000003ac0f0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: MSASN1.dll process_handle: 0x0000000000000078 base_address: 0x00000000003ab028	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ÐÂ:ðÀ:àÂ:Á:@:Á:ÏüþÏüþÐ>@þð°:±: process_handle: 0x0000000000000078 base_address: 0x00000000003ac1e0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: wevtapi.dll process_handle: 0x0000000000000078 base_address: 0x00000000003ab118	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: ÀÃ:àÁ:ÐÃ:ðÁ:ÀÅ:àÃ:^ýþ^ýþà:< °:È°: process_handle: 0x0000000000000078 base_address: 0x00000000003ac2d0	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: IMM32.DLL process_handle: 0x0000000000000078 base_address: 0x00000000003ab0c8	1	1
ReadProcessMemory July 11, 2024, 1:08 p.m.	buffer: °Ä:ÐÂ:ÀÄ:àÂ:ðÂ:@:åþþdåþþ:<@±:h±: process_handle: 0x0000000000000078 base_address: 0x00000000003ac3c0	1	1

Requests access to read memory contents of lsass.exe potentially indicative of credential dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
NtOpenProcess July 11, 2024, 1:08 p.m.	desired_access: 0x00001010 () process_identifier: 460 process_handle: 0x0000000000000078	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Lionic	Trojan.Win32.Mimikatz.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.Rootkit.cm
ALYac	Gen:HackTool.WinCred.2
Cylance	Unsafe
VIPRE	Gen:HackTool.WinCred.2
Sangfor	Infostealer.Win32.Mimikatz.Volf
BitDefender	Gen:HackTool.WinCred.2
Cybereason	malicious.45e157
Arcabit	Gen:HackTool.WinCred.2
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Riskware.Mimikatz.DD
McAfee	Artemis!ABD6CC945E15
Avast	Win64:Malware-gen
Kaspersky	Trojan-PSW.Win32.Mimikatz.fbe
Alibaba	TrojanPSW:Win32/Mimikatz.86019b45
MicroWorld-eScan	Gen:HackTool.WinCred.2
Rising	Stealer.Mimikatz!8.1335D (CLOUD)
Emsisoft	Gen:HackTool.WinCred.2 (B)
F-Secure	Trojan.TR/PSW.Mimikatz.dtesv
TrendMicro	TROJ_GEN.R002C0WGA24
McAfeeD	ti!1EA8A5F2DF23
FireEye	Generic.mg.abd6cc945e157b48
Sophos	Mal/Generic-S
Jiangmin	Trojan.PSW.Mimikatz.czk
Google	Detected
Avira	TR/PSW.Mimikatz.dtesv
MAX	malware (ai score=85)
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Malware.Win64.Mimikatz.cc
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan-PSW.Win32.Mimikatz.fbe
GData	Gen:HackTool.WinCred.2
Varist	W64/ABPWS.FQPH-0672
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Mimikatz
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002C0WGA24
Tencent	Win32.Trojan-QQPass.QQRob.Zmhl
Fortinet	W32/Mimikatz.FBE!tr.pws
AVG	Win64:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	HackTool:Win/mimikatz.DF

get.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All