Devis de remise multi-licences

Changer de région

English Dansk Deutsch Español Français Italiano Nederlands Polski Português Svenska Türkçe Русский हिन्दी 汉语 漢語 한국어
Données concernant les menaces Logiciels malveillants Mimikatz

Mimikatz

Par GoldSparrow en Logiciels malveillants
Se traduisent par :

Mimikatz ou Hacktool.Mimikatz n'est pas classé comme outil à haut risque bien qu'il puisse donner à un attaquant l'accès à une machine en corrompant des capacités déterminées dans un système d'exploitation Windows. Lorsqu'un ordinateur est attaqué par Mimikatz, ses contrôleurs peuvent injecter des DLL dans des processus aléatoires, exporter des certificats de sécurité, récupérer des mots de passe en texte brut à partir de Windows, désactiver certaines connexions et services de sécurité, effacer certains privilèges et échapper à quelques paramètres de stratégie de groupe.

Si vous pensez que Mimikatz peut avoir infecté votre ordinateur, il existe un moyen simple de le vérifier: utilisez un scanner dédié car il peut détecter et supprimer Mimikatz. Cependant, si vous n'êtes pas infecté par celui-ci et que vous souhaitez prendre des mesures pour éviter les infections, vous pouvez mettre en œuvre certaines stratégies, telles que vérifier la source et la fiabilité des e-mails provenant d'expéditeurs inconnus, être prudent lors du partage de fichiers, ne pas partager avec beaucoup d'informations sur les messageries instantanées, qui peuvent éviter d'innombrables problèmes, y compris été infecté par des menaces plus sévères.

Bulletin d'analyse

Informations générales

Family Name: Trojan.Mimikatz
Signature status: No Signature

Known Samples

MD5: 11ecb568da9cd1ff8d060914e85ff4bf
SHA1: 8965c2c8f55c5fe1a80b7fac7001bd5eb83304a4
SHA256: B2F9055DFD172B1C11BA01C121D3C37F27B3E48827D4562659796F8D4DFD4DF6
Taille du fichier: 1.19 MB, 1185280 bytes
MD5: 252525c8d6539a3aa97123afc2ddc687
SHA1: 1bf04ed6dc09a32a7861263e4fa24770681d1b4a
SHA256: 6E38131457328C9A93FF10DC0209718E4EFCA909621773301B52E83DBD1469A6
Taille du fichier: 235.52 KB, 235520 bytes
MD5: fe7c1fb2fc8b5e2f49267f3cee6f8a26
SHA1: 3b1711ba13b32df8d3d84c48a7e8862faaa0975d
SHA256: A14E0BFE9ED712E717EA063AA0D17CC7C5A74866B09CD6B460A795981DBB5EDF
Taille du fichier: 2.67 MB, 2667008 bytes
MD5: 4cfb8825872b3c4cf3cc550bb4d5410f
SHA1: 0fe546d8c715cab95faeb7710f49e2864b049bf6
SHA256: 80956CF050F27640093FD18D4906215E95DFBB3BAFE44E994B6A0FC825A725FB
Taille du fichier: 1.97 MB, 1969572 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
Show More
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Nom Évaluer
Assembly Version 1.0.0.0
File Description SharpKatz
File Version 1.0.0.0
Internal Name SharpKatz.exe
Legal Copyright Copyright © 2020
Original Filename SharpKatz.exe
Product Name SharpKatz
Product Version 1.0.0.0

File Traits

  • .NET
  • Agile.net
  • CreateThread
  • CryptUnprotectData
  • dll
  • Fody
  • HighEntropy
  • No Version Info
  • ntdll
  • VirtualQueryEx
Show More
  • WriteProcessMemory
  • x64
  • x86

Block Information

Similar Families

  • MSIL.SharpKatz.B
  • MSIL.SharpKatz.E

Files Modified

File Attributes
c:\tempz\security Generic Write
c:\tempz\system Generic Write
c:\users\user\downloads\__tmp_rar_sfx_access_check_6681109 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\wmi Generic Write,Read Attributes
c:\users\user\downloads\wmi Synchronize,Write Attributes
c:\users\user\downloads\wmi\1.run.bat Generic Write,Read Attributes
c:\users\user\downloads\wmi\1.run.bat Synchronize,Write Attributes
c:\users\user\downloads\wmi\2.del.bat Generic Write,Read Attributes
c:\users\user\downloads\wmi\2.del.bat Synchronize,Write Attributes
c:\users\user\downloads\wmi\mimi.bat Generic Write,Read Attributes
Show More
c:\users\user\downloads\wmi\mimi.bat Synchronize,Write Attributes
c:\users\user\downloads\wmi\miparser.vbs Generic Write,Read Attributes
c:\users\user\downloads\wmi\miparser.vbs Synchronize,Write Attributes
c:\users\user\downloads\wmi\p Generic Write,Read Attributes
c:\users\user\downloads\wmi\p Synchronize,Write Attributes
c:\users\user\downloads\wmi\p\p.exe Generic Write,Read Attributes
c:\users\user\downloads\wmi\p\p.exe Synchronize,Write Attributes
c:\users\user\downloads\wmi\p\p64.exe Generic Write,Read Attributes
c:\users\user\downloads\wmi\p\p64.exe Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32 Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32 Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32\mimidrv.sys Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32\mimidrv.sys Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32\mimikatz.exe Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32\mimikatz.exe Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32\mimilib.dll Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32\mimilib.dll Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32\mimilove.exe Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32\mimilove.exe Synchronize,Write Attributes
c:\users\user\downloads\wmi\win32\mimispool.dll Generic Write,Read Attributes
c:\users\user\downloads\wmi\win32\mimispool.dll Synchronize,Write Attributes
c:\users\user\downloads\wmi\x64 Generic Write,Read Attributes
c:\users\user\downloads\wmi\x64 Synchronize,Write Attributes
c:\users\user\downloads\wmi\x64\mimidrv.sys Generic Write,Read Attributes
c:\users\user\downloads\wmi\x64\mimidrv.sys Synchronize,Write Attributes
c:\users\user\downloads\wmi\x64\mimikatz.exe Generic Write,Read Attributes
c:\users\user\downloads\wmi\x64\mimikatz.exe Synchronize,Write Attributes
c:\users\user\downloads\wmi\x64\mimilib.dll Generic Write,Read Attributes
c:\users\user\downloads\wmi\x64\mimilib.dll Synchronize,Write Attributes
c:\users\user\downloads\wmi\x64\mimispool.dll Generic Write,Read Attributes
c:\users\user\downloads\wmi\x64\mimispool.dll Synchronize,Write Attributes

Registry Modifications

Key::Value Données API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 纸ꨳ힇ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 陊ȁ獖} RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
Show More
HKCU\software\sysinternals\procdump::eulaaccepted  RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
Show More
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletion
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile

4 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Keyboard Access
  • GetKeyState
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8965c2c8f55c5fe1a80b7fac7001bd5eb83304a4_0001185280.,LiQMAxHB
(NULL) c:\users\user\downloads\wmi\1.run.bat
WriteConsole: [*] Creating out
WriteConsole: 'LSASS' is not r
C:\WINDOWS\system32\mode.com mode con: cols=75 lines=25
Show More
WriteConsole: Access is denied
WriteConsole: [*] Saving SYSTE
C:\WINDOWS\system32\reg.exe reg save HKLM\SYSTEM "C:\tempz\SYSTEM" /y
WriteConsole: [*] Saving SAM h
C:\WINDOWS\system32\reg.exe reg save HKLM\SAM "C:\tempz\SAM" /y
WriteConsole: [*] Saving SECUR
C:\WINDOWS\system32\reg.exe reg save HKLM\SECURITY "C:\tempz\SECURITY" /y
WriteConsole: [*] Dumping LSAS
C:\Users\user\downloads\wmi\P\p.exe "C:\Users\user\downloads\wmi\P\p.exe" -accepteula -ma lsass.exe "C:\tempz\lsass.dmp"
WriteConsole: [+] lsass.dmp sa
WriteConsole:
WriteConsole: [+] Extraction c
WriteConsole: Press any key to

Tendance

Le plus regardé

Chargement...