Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2025, 1:14 p.m.	April 21, 2025, 1:33 p.m.

Size	22.1KB
Type	PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5	`5737ef577c12225563d2c55f133bcaf5`
SHA256	`f20e0114c8038b9d66bd45049c9396254586f307390479746a6c67f5e1abce2d`
CRC32	`FFA4D97B`
ssdeep	`384:fJxgWFlVZ50C0uolsbpwKNsdu5CJR6CBT1/wfT3ir2WSx7bLta:xxgWFln5B0uolsIdASRA3iPmbLc`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) IsDLL - (no description) Generic_Malware_Zero - Generic Malware

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvDisableDriver
2056
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvDisableDriver
  2460
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvQueryDriverInfo
2244
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvQueryDriverInfo
  2532
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvEnableDriver
2156
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvEnableDriver
  2588
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvResetConfigCache
2332
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,DrvResetConfigCache
  2636
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,GenerateCopyFilePaths
2432
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,GenerateCopyFilePaths
  2788
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,SpoolerCopyFileEvent
2644
- rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,SpoolerCopyFileEvent
  2832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\mmspol.dll,
2804

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
196.251.118.210	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0
IsDebuggerPresent April 21, 2025, 1:06 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 1:06 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2025, 1:06 p.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582 rundll32+0x3023 @ 0xffee3023 rundll32+0x3b7a @ 0xffee3b7a BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 1764160 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1767632 registers.r11: 646 registers.r8: 4593035653381653712 registers.r9: 156325152 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2003107068 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 21, 2025, 1:06 p.m.

stacktrace:

RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x7772157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x7771413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefdbf1582
rundll32+0x3023 @ 0xffee3023
rundll32+0x3b7a @ 0xffee3b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x777840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x777840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1764160
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1767632
registers.r11: 646
registers.r8: 4593035653381653712
registers.r9: 156325152
registers.rdx: 2004857936
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2003107068
registers.r13: 0

Communicates with host for which no DNS query was performed (1 event)

host

196.251.118.210

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

CAT-QuickHeal	HackTool.Mimikatz.S33893082
Skyhigh	Trojan-FWXX!5737EF577C12
ALYac	Gen:Variant.Mimikatz.10
VIPRE	Gen:Variant.Mimikatz.10
BitDefender	Gen:Variant.Mimikatz.10
Arcabit	Trojan.Mimikatz.10
VirIT	Trojan.Win32.Mimi.DQYA
Symantec	Hacktool.Mimikatz
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/RiskWare.Mimikatz.BO
Avast	Win32:CVE-2021-1675-G [Expl]
Kaspersky	HEUR:Trojan-PSW.Win64.Mimikatz.gen
MicroWorld-eScan	Gen:Variant.Mimikatz.10
Rising	Trojan.Agent!8.B1E (TFE:6:Z7hKCBfrpcB)
Emsisoft	Gen:Variant.Mimikatz.10 (B)
DrWeb	Tool.Mimikatz.1199
Zillya	Trojan.Mimikatz.Win64.482
TrendMicro	HKTL_MIMIKATZ64
McAfeeD	ti!F20E0114C803
CTX	dll.unknown.mimikatz
Sophos	ATK/Mimikatz-CR
Jiangmin	Trojan.PSW.Mimikatz.cyl
Webroot	W32.Hacktool.Gen
Google	Detected
Antiy-AVL	Trojan[PSW]/Win64.Mimikatz
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	ATK/Mimikatz-CR
GData	Gen:Variant.Mimikatz.10
Varist	W64/Mimikatz.L
AhnLab-V3	Trojan/Win.Mimikatz.R445129
McAfee	Trojan-FWXX!5737EF577C12
Malwarebytes	Mimikatz.Spyware.Stealer.DDS
Ikarus	Trojan.PSW.Mimikatz
Panda	Trj/GdSda.A
TrendMicro-HouseCall	HKTL_MIMIKATZ64
Tencent	Trojan.Win64.Mimikatz.a
Yandex	RiskWare.Mimikatz!eQ4ZXKbwWQE
huorong	HackTool/Mimikatz.e
AVG	Win32:CVE-2021-1675-G [Expl]

mmspol.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All