1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5

General

Target

1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
Size

208KB
MD5

b881e969b3000bb334e8dafbc7dbe0eb
SHA1

e70fbce90f3b6ef2e6664a253003e4027e91783b
SHA256

1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5
SHA512

94102470d7b44ce171d2e9bd4837689a0a8b82da8f5b3038510b0207581ac4b02a3bc32bf7ebdd967512d2132cc97d7ba84592c2e7364ddc5bea146ce927373d
SSDEEP

3072:zpSV2jk89a0CZI+om9jkA4d39Wv0fMDYVHtKHwUfqSady9m+7gi4NLthEjQT6:3/a055OcNDMEFt3UfqSadyl7dQEj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	MYKO.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	cmd.exe
2464	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\system\MYKO.exe	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
File opened for modification	C:\windows\system\MYKO.exe	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
File created	C:\windows\system\MYKO.exe.bat	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MYKO.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
2880	MYKO.exe
2880	MYKO.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
2880	MYKO.exe
2880	MYKO.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2464	2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe	31
PID 2280 wrote to memory of 2464	2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe	31
PID 2280 wrote to memory of 2464	2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe	31
PID 2280 wrote to memory of 2464	2280	1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe	31
PID 2464 wrote to memory of 2880	2464	cmd.exe	33
PID 2464 wrote to memory of 2880	2464	cmd.exe	33
PID 2464 wrote to memory of 2880	2464	cmd.exe	33
PID 2464 wrote to memory of 2880	2464	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe
"C:\Users\Admin\AppData\Local\Temp\1c037e1068d9f718d9686a1c71939b925edba2ed236d218351e76f390e124ee5.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system\MYKO.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\windows\system\MYKO.exe
    C:\windows\system\MYKO.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MYKO.exe

Filesize
208KB

MD5
374bad6700ba3d9df679c7066b6d6881

SHA1
497820b7bf4cce29da329dcac87349de2719b610

SHA256
1bf7500587a5fc876e172fb68468044e9cf370aa52e417d3814fae8f359b79f3

SHA512
4526d6e77e81f2fc8b3805a19f8351ae41509ea08e42c87eb6df9701bdcef5d34950d82a840628da6857014911bc5516b37f25bd0c114c0ee60b3bf75784bd40

Download Submit
C:\Windows\system\MYKO.exe.bat

Filesize
68B

MD5
736423c42dd5bdb899d11d9facab3d13

SHA1
94700b59bc767237bac8551240a17d46f2393519

SHA256
c706f22c27ee52c9308dc4244e84dd4b28e9d21be75dbc4bd8e4b205ea40598f

SHA512
a7f5bca5e5162de1b31b8db297914dbbfd8f70fa0015576e0f8e7f71f9d8e9d89f5642b3c5a00a750c09be503c16b6ced0beb25a69cf20c469ac1dcbe8c93f03

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2280-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2880-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2880-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing