407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c

General

Target

407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
Size

276KB
MD5

76b381845bad95fcae5de597f15c9370
SHA1

c438818fe78989f242246e04a3dbc68e2a79842b
SHA256

407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c
SHA512

7ff7619548acd4f8c9df8eaa755fffc4c5d6038667e805ec58a8dec27bef35e26da512266e84875c1b2e8c8f9eb6a73de6a64f98c4b251ce65d618b6d2d00be4
SSDEEP

6144:TGij5Nrm/DJznc2m9Q8sR19iNKdUEsgiGs91vc1z/YN2x:zrm/DVhL8sR1DdUpgiN1k1zS+

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	greendou.exe

Loads dropped DLL 5 IoCs

pid	Process
1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\greeou\PopWinParam.xml	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
File created	C:\Program Files (x86)\greeou\greendou.exe	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	greendou.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1732	greendou.exe
1732	greendou.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1732	1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe	26
PID 1764 wrote to memory of 1732	1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe	26
PID 1764 wrote to memory of 1732	1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe	26
PID 1764 wrote to memory of 1732	1764	407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe	26

C:\Users\Admin\AppData\Local\Temp\407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe
"C:\Users\Admin\AppData\Local\Temp\407cca7850954a4ab091cd51001e1644f4a76302549476865ef2138bac871b1c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files (x86)\greeou\greendou.exe
  "C:\Program Files (x86)\greeou\greendou.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\greeou\PopWinParam.xml

Filesize
4KB

MD5
5878a5fc650998e670c9c75a8c01cbd2

SHA1
687166ce5af6881e31ddece8484c467977630f74

SHA256
176a5f97ea6a72c2273bcdd22770da93af960df9cc4d665d3eb090105796b545

SHA512
a199ab467ed5ae2745432fed9c0ce503885db69c14758e404be2d199971359ed41fbb1feec1bf306764d15ce49a9b86c306c59d222ed4a120b1f5a8d9e2246f3

Download Submit
C:\Program Files (x86)\greeou\greendou.exe

Filesize
297KB

MD5
436059abd31132521c370d4b2404656b

SHA1
37dc56d81013549fc5bba5cdc1ffe331d93a0d89

SHA256
a17c3f3d2b5868f403466e50356564d4189a364d171cb3464f667bbdeacccbd5

SHA512
00fd376ce9dc3bce63f472b08be76efb182b35f9de951beb97fb9b2d485df5cf7d68745f071fdbbaa0050291c568ea2e201fe29b91c4e03de648fe999b9b73f4

Download Submit
C:\Program Files (x86)\greeou\greendou.exe

Filesize
297KB

MD5
436059abd31132521c370d4b2404656b

SHA1
37dc56d81013549fc5bba5cdc1ffe331d93a0d89

SHA256
a17c3f3d2b5868f403466e50356564d4189a364d171cb3464f667bbdeacccbd5

SHA512
00fd376ce9dc3bce63f472b08be76efb182b35f9de951beb97fb9b2d485df5cf7d68745f071fdbbaa0050291c568ea2e201fe29b91c4e03de648fe999b9b73f4

Download Submit
\Program Files (x86)\greeou\greendou.exe

Filesize
297KB

MD5
436059abd31132521c370d4b2404656b

SHA1
37dc56d81013549fc5bba5cdc1ffe331d93a0d89

SHA256
a17c3f3d2b5868f403466e50356564d4189a364d171cb3464f667bbdeacccbd5

SHA512
00fd376ce9dc3bce63f472b08be76efb182b35f9de951beb97fb9b2d485df5cf7d68745f071fdbbaa0050291c568ea2e201fe29b91c4e03de648fe999b9b73f4

Download Submit
\Program Files (x86)\greeou\greendou.exe

Filesize
297KB

MD5
436059abd31132521c370d4b2404656b

SHA1
37dc56d81013549fc5bba5cdc1ffe331d93a0d89

SHA256
a17c3f3d2b5868f403466e50356564d4189a364d171cb3464f667bbdeacccbd5

SHA512
00fd376ce9dc3bce63f472b08be76efb182b35f9de951beb97fb9b2d485df5cf7d68745f071fdbbaa0050291c568ea2e201fe29b91c4e03de648fe999b9b73f4

Download Submit
\Program Files (x86)\greeou\greendou.exe

Filesize
297KB

MD5
436059abd31132521c370d4b2404656b

SHA1
37dc56d81013549fc5bba5cdc1ffe331d93a0d89

SHA256
a17c3f3d2b5868f403466e50356564d4189a364d171cb3464f667bbdeacccbd5

SHA512
00fd376ce9dc3bce63f472b08be76efb182b35f9de951beb97fb9b2d485df5cf7d68745f071fdbbaa0050291c568ea2e201fe29b91c4e03de648fe999b9b73f4

Download Submit
\Users\Admin\AppData\Local\Temp\nse9781.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
\Users\Admin\AppData\Local\Temp\nse9781.tmp\NSISdl.dll

Filesize
14KB

MD5
f0e51d5722c11a4fe40c97b746c1ffc5

SHA1
8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193

SHA256
93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d

SHA512
212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Download Submit
memory/1764-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing