ecf4d4bf21fafb49c4fe730018ec9231705ebcc5794efa023d9daeee9a061fdc

General

Target

Mionoho.bin.exe
Size

106KB
MD5

5d7a2ff61b5e65fe87f499c961330055
SHA1

5d637366e15b1e4985dc5de584aa4fb6b2e363c2
SHA256

f2f6239736c48ace45e4da7a55be36e7d4c0b4a6b756a2fd35567260f4ac9713
SHA512

1d914048023f1817545a1c5f1f9b5ae3dd563eca530a755d352ebb9a25310be7dd6aaa97a54a1dd13b928f4e543270169a3f555ab55e8845f2b6e70b088798d0

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	Mionoho.bin.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "1"	Mionoho.bin.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mionoho.bin.exe"	Mionoho.bin.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mionoho.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mionoho.bin.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\DestructiveMusic.wav	Mionoho.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper	Mionoho.bin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe
1220	Mionoho.bin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	Mionoho.bin.exe
Token: SeIncBasePriorityPrivilege	1220	Mionoho.bin.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Mionoho.bin.exe

C:\Users\Admin\AppData\Local\Temp\Mionoho.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Mionoho.bin.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies security service
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-59-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1220-61-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/1220-62-0x000000001AF20000-0x000000001AF22000-memory.dmp

Filesize
8KB

Download
memory/1220-63-0x000000001AF26000-0x000000001AF45000-memory.dmp

Filesize
124KB

Download
memory/1220-64-0x000000001AF45000-0x000000001AF46000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads