Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 11, 2024, 1:16 p.m.	July 11, 2024, 1:46 p.m.

Size	138.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`3c4abc6edb1572ceebfd635531e8d29e`
SHA256	`248deb03554c5cfdfbab1c07e5b58466e358ca7e23781a1b5e5bdf434cd16ef3`
CRC32	`7A7FF8E4`
ssdeep	`3072:DOn5aQRM3K+GOqlsOEjp4z/25C21vtEL9cOXVb//UB:DO5JH2qlsUOTvtEHU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

collect.exe "C:\Users\test22\AppData\Local\Temp\collect.exe"
1952

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Locates and dumps memory from the lsass.exe process indicative of credential dumping (50 out of 186 events)

Time & API	Arguments	Status	Return
NtOpenProcess July 11, 2024, 1:16 p.m.	desired_access: 0x00001010 () process_identifier: 452 process_handle: 0x0000000000000090	1	0
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: ÿÿÿÿÿÿÿÿ³ÿ@&w process_handle: 0x0000000000000090 base_address: 0x000007fffffdd000	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: XÐ%0<8à%0<8à&0 <8 process_handle: 0x0000000000000090 base_address: 0x00000000777f2640	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: À&0P&wÐ&0`&w³ÿP³ÿÀ:<@$0h$0 process_handle: 0x0000000000000090 base_address: 0x00000000003025d0	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: lsass.exe process_handle: 0x0000000000000090 base_address: 0x0000000000302468	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: @0Ð%0P0à%0Ð+0p&wlw:<@%0øS}w process_handle: 0x0000000000000090 base_address: 0x00000000003026c0	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: ntdll.dll process_handle: 0x0000000000000090 base_address: 0x00000000777d53f8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: °+0À&0À+0Ð&090Ð+0üv ^ývð@Bð)0*0 process_handle: 0x0000000000000090 base_address: 0x0000000000302a40	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: kernel32.dll process_handle: 0x0000000000000090 base_address: 0x0000000000302a18	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: à80@0ð80P0`*0à&0¿ýþà0¿ýþ°DF`+0+0 process_handle: 0x0000000000000090 base_address: 0x0000000000302bb0	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: KERNELBASE.dll process_handle: 0x0000000000000090 base_address: 0x0000000000302b88	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: ;0°+0 ;0À+00;0`*0hþþ %hþþð <>80¸80 process_handle: 0x0000000000000090 base_address: 0x00000000003038e0	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: msvcrt.dll process_handle: 0x0000000000000090 base_address: 0x00000000003038b8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: @0à800@0ð80@@090òýþPíöýþÐ<>þÀ:0è:0 process_handle: 0x0000000000000090 base_address: 0x0000000000303b10	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: RPCRT4.dll process_handle: 0x0000000000000090 base_address: 0x0000000000303ae8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: 2;0 2 ;0 20;0ýþýþ°>@þÐ?0ø?0 process_handle: 0x0000000000000090 base_address: 0x0000000000304020	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: SspiSrv.dll process_handle: 0x0000000000000090 base_address: 0x0000000000303ff8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: 2 @020@0@À2`¾2ýþäHýþp<>ÿ@2h2 process_handle: 0x0000000000000090 base_address: 0x0000000000329990	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: lsasrv.dll process_handle: 0x0000000000000090 base_address: 0x0000000000329968	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: MZÿÿ¸@è process_handle: 0x0000000000000090 base_address: 0x000007fefd800000	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: PEd)ÇçLð" ZÖäHýþpTÍ@@¯_Tð¸O0±@à øg8àÜp@ÜDÀ process_handle: 0x0000000000000090 base_address: 0x000007fefd8000e8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: `22p2 22@@0£þþè`£þþð>@ð22 process_handle: 0x0000000000000090 base_address: 0x0000000000329a80	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: sechost.dll process_handle: 0x0000000000000090 base_address: 0x0000000000329918	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: p22222 2ýþXýþP>@þ282 process_handle: 0x0000000000000090 base_address: 0x0000000000329760	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: SspiCli.dll process_handle: 0x0000000000000090 base_address: 0x0000000000329738	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: `2`2p2p2 22þþ`þþ° l@BþÀ2è2 process_handle: 0x0000000000000090 base_address: 0x0000000000329b70	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: ADVAPI32.dll process_handle: 0x0000000000000090 base_address: 0x00000000003296e8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: P2p2`22P¼2p2$wÈ¢%w <>þP2x2 process_handle: 0x0000000000000090 base_address: 0x0000000000329c60	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: USER32.dll process_handle: 0x0000000000000090 base_address: 0x0000000000329878	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: @2`2P2p22`2þþ<°þþp:< 2È2 process_handle: 0x0000000000000090 base_address: 0x0000000000329d50	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: GDI32.dll process_handle: 0x0000000000000090 base_address: 0x00000000003298c8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: 2P22`2p2 2þþþþà68à22 process_handle: 0x0000000000000090 base_address: 0x0000000000329e40	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: LPK.dll process_handle: 0x0000000000000090 base_address: 0x0000000000328308	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: @«2@2P«2P2`22rþþt¨yþþ:<02X2 process_handle: 0x0000000000000090 base_address: 0x0000000000329f80	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: USP10.dll process_handle: 0x0000000000000090 base_address: 0x0000000000329f58	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: 0¼22@¼22p½2P¼2qýþ\|qýþÐ<>ðª2«2 process_handle: 0x0000000000000090 base_address: 0x000000000032ab40	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: SAMSRV.dll process_handle: 0x0000000000000090 base_address: 0x000000000032ab18	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: P½2@«2`½2P«2`«22nýþ`Anýþ@@B°¬2Ø¬2 process_handle: 0x0000000000000090 base_address: 0x000000000032bc30	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: cryptdll.dll process_handle: 0x0000000000000090 base_address: 0x000000000032acd8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: @¾20¼2P¾2@¼2`¾2`«2¼ýþ ¼ýþð<>þ`¬2¬2 process_handle: 0x0000000000000090 base_address: 0x000000000032bd50	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: MSASN1.dll process_handle: 0x0000000000000090 base_address: 0x000000000032ac88	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: 0¿2P½2@¿2`½2°2p½2fýþfýþÐ>@þP2x2 process_handle: 0x0000000000000090 base_address: 0x000000000032be40	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: wevtapi.dll process_handle: 0x0000000000000090 base_address: 0x000000000032ad78	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: À2@¾20À2P¾2 Â2@À2ïýþïýþà:<2(2 process_handle: 0x0000000000000090 base_address: 0x000000000032bf30	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: IMM32.DLL process_handle: 0x0000000000000090 base_address: 0x000000000032ad28	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: Á20¿2 Á2@¿2P¿2°2WþþdWþþ:< 2È2 process_handle: 0x0000000000000090 base_address: 0x000000000032c020	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: MSCTF.dll process_handle: 0x0000000000000090 base_address: 0x000000000032adc8	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: Â2 À2Â20À2Ä2 Â2[ýþ@[ýþ@B²2(²2 process_handle: 0x0000000000000090 base_address: 0x000000000032c110	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: cngaudit.dll process_handle: 0x0000000000000090 base_address: 0x000000000032b228	1	1
ReadProcessMemory July 11, 2024, 1:16 p.m.	buffer: ðÂ2Á2Ã2 Á20Á2P¿2XýþdXýþð:<P²2x²2 process_handle: 0x0000000000000090 base_address: 0x000000000032c200	1	1

Requests access to read memory contents of lsass.exe potentially indicative of credential dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
NtOpenProcess July 11, 2024, 1:16 p.m.	desired_access: 0x00001010 () process_identifier: 452 process_handle: 0x0000000000000090	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.Win32.Mimikatz.i!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Sangfor	Infostealer.Win32.Mimikatz.Vaqu
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Riskware.Mimikatz.DP
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan-PSW.Win32.Mimikatz.hxp
Alibaba	TrojanPSW:Win32/Mimikatz.3f45c6ef
Rising	Stealer.Mimikatz!8.1335D (CLOUD)
F-Secure	Trojan.TR/AVI.Agent.vggbz
McAfeeD	ti!248DEB03554C
Sophos	Mal/Generic-S
Avira	TR/AVI.Agent.vggbz
Kingsoft	Win32.Trojan-PSW.Mimikatz.hxp
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	Trojan-PSW.Win32.Mimikatz.hxp
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Tencent	Win32.Trojan-QQPass.QQRob.Gtgl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Riskware/Mimikatz
AVG	Win64:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	HackTool:Win/mimikatz.DX

collect.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All