Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2024, 1:23 p.m.	Aug. 4, 2024, 1:37 p.m.

Size	85.5KB
Type	PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5	`7185df3dbaa4049c26fe2d6962528577`
SHA256	`8cb1ac82f4ec631b5d1121a01dd15c2815c46b989db83c156172338e9968fd37`
CRC32	`0DA48B5F`
ssdeep	`1536:rPIIhUDRDCEaL7ml62agJ4pRz1TBTr1vxxCNoysWQ+1LJUdc9dlDgl1QNwP0uol:rPIIyDdS7mQ2NJ4rJBTr1zCo9+1LwUxB`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsDLL - (no description) IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvDisableDriver
2572
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvDisableDriver
  2944
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvEnableDriver
2656
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvEnableDriver
  2964
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvQueryDriverInfo
2748
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvQueryDriverInfo
  2076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvResetConfigCache
2844
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,DrvResetConfigCache
  2184
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,GenerateCopyFilePaths
2932
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,GenerateCopyFilePaths
  2216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,SpoolerCopyFileEvent
908
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,SpoolerCopyFileEvent
  2560
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mimispool.dll,
2200

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0
IsDebuggerPresent Aug. 4, 2024, 1:23 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2024, 1:23 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 4, 2024, 1:23 p.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x76df40f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x76df4736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x76df5942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x76df75f4 RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x76d9157b RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x76d8413d LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefd4f1582 rundll32+0x3023 @ 0xff603023 rundll32+0x3b7a @ 0xff603b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x76df40f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x76df40f2 registers.r14: 0 registers.r15: 0 registers.rcx: 2747040 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2750512 registers.r11: 646 registers.r8: 1547593068839678107 registers.r9: 2060610103 registers.rdx: 1994830928 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1993323309 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 4, 2024, 1:23 p.m.

stacktrace:

RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x76df40f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x76df4736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x76df5942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x76df75f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x76d9157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x76d8413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefd4f1582
rundll32+0x3023 @ 0xff603023
rundll32+0x3b7a @ 0xff603b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x76df40f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x76df40f2
registers.r14: 0
registers.r15: 0
registers.rcx: 2747040
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 2750512
registers.r11: 646
registers.r8: 1547593068839678107
registers.r9: 2060610103
registers.rdx: 1994830928
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1993323309
registers.r13: 0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2964 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 4, 2024, 1:23 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Mimikatz.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Mimikatz.10
Cylance	Unsafe
VIPRE	Gen:Variant.Mimikatz.10
K7AntiVirus	Trojan ( 005821131 )
BitDefender	Gen:Variant.Mimikatz.10
K7GW	Trojan ( 005821131 )
Arcabit	Trojan.Mimikatz.10
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/RiskWare.Mimikatz.BG
Avast	Win32:CVE-2021-1675-G [Expl]
Kaspersky	HEUR:Trojan-PSW.Win64.Mimikatz.gen
Alibaba	TrojanPSW:Win64/Mimikatz.e8ec8578
MicroWorld-eScan	Gen:Variant.Mimikatz.10
Rising	Trojan.Agent!8.B1E (TFE:6:Z7hKCBfrpcB)
Emsisoft	Gen:Variant.Mimikatz.10 (B)
Zillya	Tool.Mimikatz.Win32.2698
TrendMicro	HKTL_MIMIKATZ64
McAfeeD	ti!8CB1AC82F4EC
FireEye	Gen:Variant.Mimikatz.10
Sophos	ATK/Mimikatz-CR
Ikarus	Win32.Outbreak
Jiangmin	Trojan.PSW.Mimikatz.cxj
Webroot	W32.Hacktool.Gen
Google	Detected
Antiy-AVL	RiskWare/Win32.Mimikatz
Kingsoft	Win64.Trojan-PSW.Mimikatz.gen
Gridinsoft	Trojan.Win64.Downloader.sa
Microsoft	VirTool:Win64/Mimispoolz.A!MTB
ZoneAlarm	HEUR:Trojan-PSW.Win64.Mimikatz.gen
GData	Gen:Variant.Mimikatz.10
Varist	W64/ABTrojan.UQBP-0786
AhnLab-V3	Trojan/Win.Mimikatz.R439082
DeepInstinct	MALICIOUS
Panda	Trj/GdSda.A
TrendMicro-HouseCall	HKTL_MIMIKATZ64
Tencent	Trojan.Win64.Mimikatz.a
Yandex	RiskWare.Mimikatz!/EnXYkTDFmc
MAX	malware (ai score=87)
AVG	Win32:CVE-2021-1675-G [Expl]
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	HackTool:Win/Mimikatz.k

mimispool.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All