HackTool:Win32/Mimikatz!ml

Installation

A special PowerShell script (Invoke-Mimikatz.ps1) allows PowerShell to perform remote fileless execution of this threat. In essence, fileless execution enables loading of a binary into process space without touching the hard disk. When a fileless binary is loaded directly into memory, it remains invisible for file scanning antivirus solutions. 

In a typical credential harvesting scenario, a malicious hacker can run a PowerShell command to trick the victim's device to download the script from a malicious server. Next, the downloaded script uses reflective DLL injection to load and run the threat remotely without storing any files on the disk of the compromised device. As a result of this, the malicious hacker can remotely leverage the threat to execute malicious activity like stealing credentials, certificates, and collecting data from the compromised host.

Payload

This threat can:

• Recover and export Windows passwords in clear text by injecting a DLL into lsass.exe
• Export security certificates
• Fileless execution through PowerShell
• Inject DLLs into running processes
• List running system and user processes
• Obtain all process tokens
• Impersonate a token
• Get a list with loaded kernel drivers
• Get a table with all service calls and corresponding kernel modules names
• Retrieve data about all callback modules that receive notifications for processes, images, threads, registry changes, objects, and file changes
• BSOD the machine
• Modify privileges
• Bypass some Group Policy settings
• Disable some security and event monitoring services
• Bypass Microsoft AppLocker / Software Restriction Polices
• Gather critical data for security and instrumentation software running on the host.

Recover and export Windows credentials

This threat can dump credentials from LSASS (Windows Local Security Account database) including:

• NT LAN Manager (NTLM) password hashes
• LAN Manager password hashes
• Kerberos password, ekeys, tickets, and PIN
• TsPkg (password)
• WDigest (clear-text password)
• LiveSSP (clear-text password)
• SSP (clear-text password)
• DPAPI hashes and keys

Creates following processes:

• C:\Users\<USER>\AppData\Local\Temp\mimikatz.exe"
• %SAMPLEPATH%\mimikatz.exe
• C:\Windows\System32\wuapihost.exe
• C:\Windows\System32\UI0Detect.exe
• C:\Users\user\Desktop\software.exe

Mimikatz communicates to the following hosts:

• a83f[:]8110:0:0:d8ff:ffff:766b:e00 
• a83f[:]8110:0:0:d8ff:ffff:766b:e00 
• a83f[:]8110:0:0:700:700:2800:4000 
• a83f[:]8110:cce1:d301:10:0:0:0 
• a83f[:]8110:0:0:1b00:100:2800:0 
• 192[.]229.211.108:80 
• a83f[:]8110:0:0:1b02:0:0:0 
• a83f[:]8110:0:0:2000:0:0:0 
• a83f[:]8110:0:0:f084:e4d8:7b02:0 
• a83f[:]8110:0:0:4c8e:21:0:0 
• a83f[:]8110:6f77:2054:4350:2049:6e05:4600 
• a83f[:]8110:0:0:64ca:1f00:0:0 
• a83f[:]8110:0:0:23f2:a224:8094:db01 
• a83f[:]8110:d3a4:48ff:d5a5:46ff:d5a5:46ff 
• 218[.]85.157.99:53 
• fp2e7a[.]wpc.2be4.phicdn[.]net 
• fp2e7a[.]wpc.phicdn[.]net 

This malware also accesses or downloads from the following URLs:

• hxxp://repository.certum[.]pl/ctnca[.]cer

It can also:

• Generate Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
• Generate Kerberos Silver Tickets (Kerberos TGS service ticket attack)
• Export certificates and keys
• Dump cached credentials
• Stop event monitoring
• Patch terminal server
• Bypass basic group policy objects