a3a33ea371114c9cb4e483829520ac7e5b2686ded399c019c9b20df2dd65b505

General

Target

8c657cdaeb25025153e52777590996e2.exe
Size

1.6MB
MD5

8c657cdaeb25025153e52777590996e2
SHA1

3d64bbc4f111d29752a1806ceebcdc26ede68e69
SHA256

a3a33ea371114c9cb4e483829520ac7e5b2686ded399c019c9b20df2dd65b505
SHA512

e9be59baa96e6999aab4f838f22650a1243dcd4052b6680b60c32dc2f51959e92eda9026fd151e62e6bd6444d6e03ac01a53ebde4106ae215a12fd1a2b42c6fe
SSDEEP

49152:/4nBO1JWkYDKsBeVpUpU6MUtygJyasJIwJaxSk2Z:QQ1zYXIVL6MU/Hw0xSk2Z

Score

7^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2676	MINKE-IVY.EXE
2812	MINKE-IVY.EXE

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Wine	8c657cdaeb25025153e52777590996e2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2812	2676	MINKE-IVY.EXE	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\MINKE-IVY.EXE	8c657cdaeb25025153e52777590996e2.exe
File created	C:\Windows\ROSAROJA.JPG	8c657cdaeb25025153e52777590996e2.exe
File opened for modification	C:\Windows\ROSAROJA.JPG	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	2812	WerFault.exe	29

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	DllHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2676	1972	8c657cdaeb25025153e52777590996e2.exe	28
PID 1972 wrote to memory of 2676	1972	8c657cdaeb25025153e52777590996e2.exe	28
PID 1972 wrote to memory of 2676	1972	8c657cdaeb25025153e52777590996e2.exe	28
PID 1972 wrote to memory of 2676	1972	8c657cdaeb25025153e52777590996e2.exe	28
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2676 wrote to memory of 2812	2676	MINKE-IVY.EXE	29
PID 2812 wrote to memory of 2308	2812	MINKE-IVY.EXE	30
PID 2812 wrote to memory of 2308	2812	MINKE-IVY.EXE	30
PID 2812 wrote to memory of 2308	2812	MINKE-IVY.EXE	30
PID 2812 wrote to memory of 2308	2812	MINKE-IVY.EXE	30

C:\Users\Admin\AppData\Local\Temp\8c657cdaeb25025153e52777590996e2.exe
"C:\Users\Admin\AppData\Local\Temp\8c657cdaeb25025153e52777590996e2.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\MINKE-IVY.EXE
  "C:\Windows\MINKE-IVY.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\MINKE-IVY.EXE
    C:\Windows\MINKE-IVY.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 116
      4⤵
      Program crash
      PID:2308

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MINKE-IVY.EXE

Filesize
37KB

MD5
e8b23e5f8395518302dfa03cabab2256

SHA1
b48fc4db5a1c33c2658102cca891907aa7fa9d51

SHA256
8dc7f26bedc293d8ddcbe52c4fec3e32e19e139f905e4e534337942e042f64ec

SHA512
2ed91032e65c160e207a82dfeb23191908d2e87cd62494173b80526873890a3af5090f164e53f4dbc01f3cec080b1a5e82888ba5e7f2fc608bf8c8005f67a3de

Download Submit
C:\Windows\ROSAROJA.JPG

Filesize
13KB

MD5
d62ee5aa477fb2aa8f0e846980b0b9b2

SHA1
b6f898fe7759b82e0f116b6dd0f148231904601b

SHA256
6c2d5e2466b5aea0a3426c74a4a763ba1cd773cee02223e7c45003d6c588311d

SHA512
f705418b4fd8845b5c45e6e130523e18f5a0afa5990c33d55a9813d9c5c8d8ff75356671942cf5f99c07d0c73390ff386ae52eeeb30c722a04fa46d321e193be

Download Submit
memory/1972-2-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1972-0-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1972-23-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1972-21-0x00000000046F0000-0x00000000046F2000-memory.dmp

Filesize
8KB

Download
memory/2676-17-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2696-22-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2696-26-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2696-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2812-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2812-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-19-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-11-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2812-15-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads