f6a89f1bd3d3d1a061365f2cdc6149b0e25ad998a51ad0d289a299e6c3c91c57

General

Target

59ce339260dc2114375443b5992600f9.exe
Size

264KB
MD5

59ce339260dc2114375443b5992600f9
SHA1

37f064ada5dcacf9b6638bcdd2f858eef3518603
SHA256

f6a89f1bd3d3d1a061365f2cdc6149b0e25ad998a51ad0d289a299e6c3c91c57
SHA512

628e3b4d6db6dc25dd26bac524b2c712adf7cc936ce0a3186dcec8830f7f575b83a3e0dfed77e98c7b8ff5a8c6f54ac6ece4d0ea783fd7bf567126beeefbf65d
SSDEEP

6144:nf7lLkTfSUk1hDyhW9+VQ98MZwx3TLbQzc8IDGEDC4uP:nfRWS3jt+rWs3PMzcVDGCmP

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2740 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

miokc.exemiokc.exe

pid process

2292 miokc.exe
2656 miokc.exe
Loads dropped DLL 3 IoCs

Processes:

59ce339260dc2114375443b5992600f9.exemiokc.exe

pid process

2636 59ce339260dc2114375443b5992600f9.exe
2636 59ce339260dc2114375443b5992600f9.exe
2292 miokc.exe

pid	process
2740	cmd.exe

pid	process
2292	miokc.exe
2656	miokc.exe

pid	process
2636	59ce339260dc2114375443b5992600f9.exe
2636	59ce339260dc2114375443b5992600f9.exe
2292	miokc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

miokc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F8DA8A5C-8AF5-6339-3FFA-F78495083BB4} = "C:\\Users\\Admin\\AppData\\Roaming\\Neahh\\miokc.exe"	miokc.exe

Drops autorun.inf file 1 TTPs 12 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

59ce339260dc2114375443b5992600f9.exemiokc.exe

description	ioc	process
File opened for modification	F:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe
File opened for modification	C:\Autorun.inf	miokc.exe
File created	C:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe
File opened for modification	D:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe
File created	F:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe
File created	C:\Autorun.inf	miokc.exe
File created	D:\Autorun.inf	miokc.exe
File opened for modification	D:\Autorun.inf	miokc.exe
File created	F:\Autorun.inf	miokc.exe
File opened for modification	F:\Autorun.inf	miokc.exe
File opened for modification	C:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe
File created	D:\Autorun.inf	59ce339260dc2114375443b5992600f9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

59ce339260dc2114375443b5992600f9.exemiokc.exe

description	pid	process	target process
PID 2904 set thread context of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2292 set thread context of 2656	2292	miokc.exe	miokc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

59ce339260dc2114375443b5992600f9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy	59ce339260dc2114375443b5992600f9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	59ce339260dc2114375443b5992600f9.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

miokc.exe

pid	process
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe
2656	miokc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

59ce339260dc2114375443b5992600f9.exe

description	pid	process
Token: SeSecurityPrivilege	2636	59ce339260dc2114375443b5992600f9.exe
Token: SeSecurityPrivilege	2636	59ce339260dc2114375443b5992600f9.exe
Token: SeSecurityPrivilege	2636	59ce339260dc2114375443b5992600f9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59ce339260dc2114375443b5992600f9.exe59ce339260dc2114375443b5992600f9.exemiokc.exemiokc.exe

description	pid	process	target process
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2904 wrote to memory of 2636	2904	59ce339260dc2114375443b5992600f9.exe	59ce339260dc2114375443b5992600f9.exe
PID 2636 wrote to memory of 2292	2636	59ce339260dc2114375443b5992600f9.exe	miokc.exe
PID 2636 wrote to memory of 2292	2636	59ce339260dc2114375443b5992600f9.exe	miokc.exe
PID 2636 wrote to memory of 2292	2636	59ce339260dc2114375443b5992600f9.exe	miokc.exe
PID 2636 wrote to memory of 2292	2636	59ce339260dc2114375443b5992600f9.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2292 wrote to memory of 2656	2292	miokc.exe	miokc.exe
PID 2656 wrote to memory of 1128	2656	miokc.exe	taskhost.exe
PID 2656 wrote to memory of 1128	2656	miokc.exe	taskhost.exe
PID 2656 wrote to memory of 1128	2656	miokc.exe	taskhost.exe
PID 2656 wrote to memory of 1128	2656	miokc.exe	taskhost.exe
PID 2656 wrote to memory of 1128	2656	miokc.exe	taskhost.exe
PID 2656 wrote to memory of 1212	2656	miokc.exe	Dwm.exe
PID 2656 wrote to memory of 1212	2656	miokc.exe	Dwm.exe
PID 2656 wrote to memory of 1212	2656	miokc.exe	Dwm.exe
PID 2656 wrote to memory of 1212	2656	miokc.exe	Dwm.exe
PID 2656 wrote to memory of 1212	2656	miokc.exe	Dwm.exe
PID 2656 wrote to memory of 1252	2656	miokc.exe	Explorer.EXE
PID 2656 wrote to memory of 1252	2656	miokc.exe	Explorer.EXE
PID 2656 wrote to memory of 1252	2656	miokc.exe	Explorer.EXE
PID 2656 wrote to memory of 1252	2656	miokc.exe	Explorer.EXE
PID 2656 wrote to memory of 1252	2656	miokc.exe	Explorer.EXE
PID 2656 wrote to memory of 624	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 624	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 624	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 624	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 624	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 2636	2656	miokc.exe	59ce339260dc2114375443b5992600f9.exe
PID 2656 wrote to memory of 2636	2656	miokc.exe	59ce339260dc2114375443b5992600f9.exe
PID 2656 wrote to memory of 2636	2656	miokc.exe	59ce339260dc2114375443b5992600f9.exe
PID 2656 wrote to memory of 2636	2656	miokc.exe	59ce339260dc2114375443b5992600f9.exe
PID 2656 wrote to memory of 2636	2656	miokc.exe	59ce339260dc2114375443b5992600f9.exe
PID 2636 wrote to memory of 2740	2636	59ce339260dc2114375443b5992600f9.exe	cmd.exe
PID 2636 wrote to memory of 2740	2636	59ce339260dc2114375443b5992600f9.exe	cmd.exe
PID 2636 wrote to memory of 2740	2636	59ce339260dc2114375443b5992600f9.exe	cmd.exe
PID 2636 wrote to memory of 2740	2636	59ce339260dc2114375443b5992600f9.exe	cmd.exe
PID 2656 wrote to memory of 2740	2656	miokc.exe	cmd.exe
PID 2656 wrote to memory of 2740	2656	miokc.exe	cmd.exe
PID 2656 wrote to memory of 2740	2656	miokc.exe	cmd.exe
PID 2656 wrote to memory of 2740	2656	miokc.exe	cmd.exe
PID 2656 wrote to memory of 2740	2656	miokc.exe	cmd.exe
PID 2656 wrote to memory of 592	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 592	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 592	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 592	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 592	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 1032	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 1032	2656	miokc.exe	DllHost.exe
PID 2656 wrote to memory of 1032	2656	miokc.exe	DllHost.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:624

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\59ce339260dc2114375443b5992600f9.exe
"C:\Users\Admin\AppData\Local\Temp\59ce339260dc2114375443b5992600f9.exe"
2⤵
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\59ce339260dc2114375443b5992600f9.exe
"C:\Users\Admin\AppData\Local\Temp\59ce339260dc2114375443b5992600f9.exe"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\Neahh\miokc.exe
"C:\Users\Admin\AppData\Roaming\Neahh\miokc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Roaming\Neahh\miokc.exe
"C:\Users\Admin\AppData\Roaming\Neahh\miokc.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3e722150.bat"
4⤵
- Deletes itself
PID:2740

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2220

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autorun.inf
Filesize
60B

MD5
e7657f44000130127886ebc04163dded

SHA1
31cfb9932f391ff760fdaa562eadee972c28d350

SHA256
34fafc1c2582adae988444ac68a39385e23359edda45036584ccc17a3b7939f4

SHA512
dd2aae7861709fa442cf03b6b1b64ba5f874613a68f51070b4207983c72ef4ce513fea0ba7c3cbf2fa2c955604e10457cb4623802e3214e6c33189a4655701b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3e722150.bat
Filesize
243B

MD5
bb8966fec034daf5cf83f9baf168800a

SHA1
c9dce0f64ff622090826d04406fdd965badf4917

SHA256
2c699a3aa3ecff8399336c71035a619e6ccbff86531924721fe5a4be8dbf31e9

SHA512
33606b1f0a6e96dc77394026d179df209f07150f0ae493423a9ba088e4d992fe8a7de3644267d4c99f51ed860745c93610884cc562f45d41427e9661c02d99c5

Download Submit
C:\Users\Admin\AppData\Roaming\Neahh\miokc.exe
Filesize
264KB

MD5
db4a6454ca2aa00eae502045fd1d4697

SHA1
b1b479e890cb2ef7a7c321c30eadbc0b0cd82fb8

SHA256
0948d0e3d5c84070dc8c0978955f2e0ee9079c463005bbd3648616a85890ffb8

SHA512
7d941d8170780ecd36bdef1cc93611f0a04f7e311d550f526ebbe33fbb2715432b5ff02fb9ff43a07caca4f9260aab43247c9d919a156241028052ff5272d4ea

Download Submit
memory/624-88-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/624-89-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/624-90-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/624-91-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1128-65-0x0000000001F50000-0x0000000001F77000-memory.dmp

Filesize
156KB

Download
memory/1128-69-0x0000000001F50000-0x0000000001F77000-memory.dmp

Filesize
156KB

Download
memory/1128-63-0x0000000001F50000-0x0000000001F77000-memory.dmp

Filesize
156KB

Download
memory/1128-67-0x0000000001F50000-0x0000000001F77000-memory.dmp

Filesize
156KB

Download
memory/1212-78-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1212-80-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1212-76-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1212-74-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1252-83-0x0000000002DC0000-0x0000000002DE7000-memory.dmp

Filesize
156KB

Download
memory/1252-86-0x0000000002DC0000-0x0000000002DE7000-memory.dmp

Filesize
156KB

Download
memory/1252-84-0x0000000002DC0000-0x0000000002DE7000-memory.dmp

Filesize
156KB

Download
memory/1252-85-0x0000000002DC0000-0x0000000002DE7000-memory.dmp

Filesize
156KB

Download
memory/2292-37-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2292-36-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2636-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-190-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/2636-189-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-120-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2636-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-118-0x00000000002E0000-0x0000000000307000-memory.dmp

Filesize
156KB

Download
memory/2636-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-22-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2636-26-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-73-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2656-217-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2904-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2904-0-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads