Analysis by: Jay Garcia
 Modified by: Mc Justine De Guzman

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

  TECHNICAL DETAILS

File Size: 862,720 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 24 Sep 2020

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

  • Ransom.Win32.ZHEN.THIBDBO

Other Details

This Hacking Tool does the following:

  • It has the following modules with different capabilities:
    • standard - contains common commands to operate the tool such as exit, cls, cd
    • privilege - used to manipulate privilege/rights
    • crypto - uses CryptoAPI functions which has the capability to list and export certificates
    • sekurlsa - has the capability to extract Windows passwords, keys, pin codes, tickets
    • kerberos - uses Microsoft Kerberos API which has the capability to manipulate Kerberos tickets
    • lsadump - has the capability to dump Windows credentials
    • vault - used to manipulate vault credentials
    • token - used to manipulate Windows authentication tokens
    • event - used to clear/drop event logs
    • ts - contains remote desktop capabilities
    • process - used to manipulate processes
    • service - used to manipulate services
    • net - used to display information about Windows users
    • misc - contains miscellaneous commands such as open cmd, open regedit and open taskmanager
    • sid - used to manipulate SID(Security Identifiers)
    • minesweeper - helps read the location of the mines on the game 'minesweeper' straight from memory
    • dpapi - used to work with DPAPI (Data Protection Application Programming Interface)
    • busylight - provides additional information for and control of connected BusyLights
    • system environment - provides the ability to manage system environment variables
    • rpc - provides remote control of mimikatz
    • sr98 - RF module for SR98 device and T5577 target
    • rdm - RF module for RDM(830 AL) device
    • acr - ACR module

  SOLUTION

Minimum Scan Engine: 9.850
SSAPI PATTERN File: 1.993.00
SSAPI PATTERN Date: 28 Aug 2018

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     
    • Troj.Win32.TRX.XXPE50FFF036

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Scan your computer with your Trend Micro product to delete files detected as HackTool.Win32.MIMIKATZ.SMGD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.