Field | Value |
---|---|
Created | 2025.02.19 10:39 |
Machine | s1_win7_x6401 |
Filename | mimikatz.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
md5 | 6b5c683727229742a54ef15742b1a351 |
sha256 | 66d82a3bccedaa9b460c09359777464b491d136308538f8820aa8a6dfaa9aa45 |
ssdeep | 6144:VVU0b5qe7h9NDNPKFMuOP41ZtfNATzEWxuRoAOCJv/w:VOM7h9rKFMuOP41ZtfSyRoI9w |
imphash | 731dd1fc6ad7bf433d008a38b5a232d8 |
impfuzzy | 24:QcNzx5srjKW+Mu9QHFxtzjDYc+WZYtaM3JBl39Wu/KOovbOxvJkFZYjMLz8aBMuP:3TixtzQc+eYtaMPpHt3RaFZXBK0i/W |
Signature (21cnts)
Level | Description |
---|---|
warning | Generates some ICMP traffic |
watch | Creates a suspicious Powershell process |
watch | Installs itself for autorun at Windows startup |
watch | The process powershell.exe wrote an executable file to disk |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Drops an executable to the user AppData folder |
notice | Expresses interest in specific running processes |
notice | Repeatedly searches for a not-found process |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | Queries for the computername |
info | This executable has a PDB path |
info | Uses Windows APIs to generate a cryptographic key |
Rules (15cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x431024 ReleaseMutex
0x431028 GetComputerNameExW
0x43102c OpenProcess
0x431030 CreateToolhelp32Snapshot
0x431034 Sleep
0x431038 GetLastError
0x43103c GetFileAttributesA
0x431040 Process32NextW
0x431044 WaitForSingleObject
0x431048 CloseHandle
0x43104c GetCurrentProcessId
0x431050 CreateProcessW
0x431054 WideCharToMultiByte
0x431058 GetComputerNameExA
0x43105c IsDebuggerPresent
0x431060 WriteConsoleW
0x431064 HeapSize
0x431068 CreateFileW
0x43106c CreateMutexW
0x431070 CreatePipe
0x431074 GetModuleFileNameW
0x431078 TerminateProcess
0x43107c GetStdHandle
0x431080 GetCurrentProcess
0x431084 SetHandleInformation
0x431088 Process32FirstW
0x43108c ReadFile
0x431090 SetStdHandle
0x431094 GetProcessHeap
0x431098 SetEnvironmentVariableW
0x43109c FreeEnvironmentStringsW
0x4310a0 GetEnvironmentStringsW
0x4310a4 MultiByteToWideChar
0x4310a8 QueryPerformanceCounter
0x4310ac QueryPerformanceFrequency
0x4310b0 GetStringTypeW
0x4310b4 GetCurrentThreadId
0x4310b8 InitializeCriticalSectionEx
0x4310bc GetSystemTimeAsFileTime
0x4310c0 GetModuleHandleW
0x4310c4 GetProcAddress
0x4310c8 EnterCriticalSection
0x4310cc LeaveCriticalSection
0x4310d0 DeleteCriticalSection
0x4310d4 EncodePointer
0x4310d8 DecodePointer
0x4310dc LCMapStringEx
0x4310e0 GetCPInfo
0x4310e4 UnhandledExceptionFilter
0x4310e8 SetUnhandledExceptionFilter
0x4310ec IsProcessorFeaturePresent
0x4310f0 GetStartupInfoW
0x4310f4 InitializeSListHead
0x4310f8 RtlUnwind
0x4310fc RaiseException
0x431100 SetLastError
0x431104 InitializeCriticalSectionAndSpinCount
0x431108 TlsAlloc
0x43110c TlsGetValue
0x431110 TlsSetValue
0x431114 TlsFree
0x431118 FreeLibrary
0x43111c LoadLibraryExW
0x431120 CreateThread
0x431124 ExitThread
0x431128 FreeLibraryAndExitThread
0x43112c GetModuleHandleExW
0x431130 ExitProcess
0x431134 WriteFile
0x431138 GetCommandLineA
0x43113c GetCommandLineW
0x431140 GetFileSizeEx
0x431144 SetFilePointerEx
0x431148 GetFileType
0x43114c HeapAlloc
0x431150 HeapFree
0x431154 CompareStringW
0x431158 LCMapStringW
0x43115c GetLocaleInfoW
0x431160 IsValidLocale
0x431164 GetUserDefaultLCID
0x431168 EnumSystemLocalesW
0x43116c FlushFileBuffers
0x431170 GetConsoleCP
0x431174 GetConsoleMode
0x431178 ReadConsoleW
0x43117c HeapReAlloc
0x431180 FindClose
0x431184 FindFirstFileExW
0x431188 FindNextFileW
0x43118c IsValidCodePage
0x431190 GetACP
0x431194 GetOEMCP
USER32.dll
0x4311a8 wsprintfW
ADVAPI32.dll
0x431000 AdjustTokenPrivileges
0x431004 RegCloseKey
0x431008 RegSetValueExW
0x43100c OpenProcessToken
0x431010 RegOpenKeyExW
0x431014 RegCreateKeyW
0x431018 RegQueryValueExW
0x43101c LookupPrivilegeValueW
NETAPI32.dll
0x43119c DsGetDcNameA
0x4311a0 NetApiBufferFree
EAT(Export Address Table) is none
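The signature table above records what the sandbox observed at run time; the IAT is the static evidence that accounts for most of those entries (Toolhelp32 process enumeration, LookupPrivilegeValueW/AdjustTokenPrivileges for the privilege LUID check, RegSetValueExW for the autorun entry, CreatePipe/CreateProcessW for the PowerShell child). The script below is an added example, not part of this report and not the sandbox's own code: it parses the report's IAT listing, maps groups of imports to the signatures they explain, and lists the signatures the parent's static imports cannot explain. The IAT excerpt is copied from the PE API section with most of the KERNEL32 runtime imports trimmed; the API-to-signature mapping is this example's own assumption, not the sandbox's rule set. `imphash` implements the pefile algorithm (lower-cased `dll.func` pairs, library extension stripped, comma-joined, MD5), so its value over the trimmed excerpt will not equal the report's imphash, which covers the full import directory in on-disk order.

```python
# Added example: IAT-to-signature triage for the report above. Not the
# sandbox's code; the rule mapping below is this example's own assumption.
import hashlib
import re
from collections import OrderedDict

# Constructed input: excerpt of the report's IAT, most KERNEL32 runtime imports trimmed.
IAT_TEXT = """\
KERNEL32.dll
0x431030 CreateToolhelp32Snapshot
0x431040 Process32NextW
0x431050 CreateProcessW
0x43105c IsDebuggerPresent
0x431070 CreatePipe
0x431084 SetHandleInformation
0x431088 Process32FirstW
ADVAPI32.dll
0x431000 AdjustTokenPrivileges
0x431008 RegSetValueExW
0x43100c OpenProcessToken
0x431010 RegOpenKeyExW
0x431014 RegCreateKeyW
0x43101c LookupPrivilegeValueW
NETAPI32.dll
0x43119c DsGetDcNameA
0x4311a0 NetApiBufferFree
"""

# Signature text as the report phrases it -> imports that would explain it.
# "all" must every be present, "any" needs one hit. Assumed mapping.
CAPABILITY_RULES = {
    "Searches running processes potentially to identify processes for sandbox evasion":
        {"all": {"kernel32!createtoolhelp32snapshot", "kernel32!process32firstw",
                 "kernel32!process32nextw"}},
    "Checks for the Locally Unique Identifier on the system for a suspicious privilege":
        {"all": {"advapi32!openprocesstoken", "advapi32!lookupprivilegevaluew",
                 "advapi32!adjusttokenprivileges"}},
    "Installs itself for autorun at Windows startup":
        {"all": {"advapi32!regsetvalueexw"},
         "any": {"advapi32!regopenkeyexw", "advapi32!regcreatekeyw"}},
    "Creates a suspicious Powershell process":
        {"all": {"kernel32!createprocessw"},
         "any": {"kernel32!createpipe", "kernel32!sethandleinformation"}},
    "Checks if process is being debugged by a debugger":
        {"all": {"kernel32!isdebuggerpresent"}},
    "Generates some ICMP traffic":  # no socket or ICMP import in the parent IAT
        {"any": {"iphlpapi!icmpsendecho", "ws2_32!sendto"}},
}

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

def parse_iat(text):
    """Parse the report's IAT listing into an ordered {dll: [func, ...]} map."""
    iat, current = OrderedDict(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:                     # a DLL header such as KERNEL32.dll
            current = line
            iat.setdefault(current, [])
        elif current is None:
            raise ValueError("import listed before any DLL header: %r" % line)
        else:
            iat[current].append(m.group(1))
    return iat

def _base(dll):  # library name as imphash normalises it: lower case, extension dropped
    return re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())

def import_set(iat):
    """Flatten to lower-case 'dll!func' tokens for rule matching."""
    return {"%s!%s" % (_base(d), f.lower()) for d, fs in iat.items() for f in fs}

def imphash(iat):
    """pefile-style imphash: MD5 of comma-joined 'dll.func' pairs in import order."""
    pairs = ["%s.%s" % (_base(d), f.lower()) for d, fs in iat.items() for f in fs]
    return hashlib.md5(",".join(pairs).encode()).hexdigest()

def match_signatures(imports, rules=CAPABILITY_RULES):
    """Return (explained, unexplained): signatures the static IAT accounts for,
    with the imports behind them, and those it cannot explain."""
    explained, unexplained = {}, []
    for sig, rule in rules.items():
        need_all, need_any = rule.get("all", set()), rule.get("any", set())
        if need_all <= imports and (not need_any or need_any & imports):
            explained[sig] = sorted((need_all | need_any) & imports)
        else:
            unexplained.append(sig)
    return explained, unexplained

if __name__ == "__main__":
    table = parse_iat(IAT_TEXT)
    found, missing = match_signatures(import_set(table))
    for sig, apis in found.items():
        print("[static]  %s <- %s" % (sig, ", ".join(apis)))
    for sig in missing:
        print("[dynamic] %s (no supporting import; check child processes)" % sig)
```

Run as a script it prints each signature with the imports that back it and reports "Generates some ICMP traffic" as unexplained: neither ws2_32 nor iphlpapi is imported by mimikatz.exe here, which is consistent with the "Creates a suspicious Powershell process" and "Uses Windows utilities for basic Windows functionality" entries, so the ICMP traffic is more plausibly generated by a child process and is worth attributing through the process tree (parent PID) rather than through the parent's imports. `imphash(parse_iat(IAT_TEXT))` shows the order sensitivity of the hash: swapping two imports changes the value, while case differences in DLL or function names do not.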