6b4f05a024ae30ae17fe9af08864d217d8a5a50ec6eaa9c5f4e037f5daf42176

General

Target

VrGreen.exe
Size

106.3MB
MD5

4673bacdef48524bd451ab980adafe05
SHA1

fd80f30b6e798979dd35af62ca2146109a278557
SHA256

6b4f05a024ae30ae17fe9af08864d217d8a5a50ec6eaa9c5f4e037f5daf42176
SHA512

ef9ebeb550efde44b0b6dcfa8055fcb3b0428d5ac064f77ec811e79ab0ddb7ec32c74226f0318aaede28fc3aa80c46ca20bbd246e63b9344a2a4f72471c8fab9
SSDEEP

786432:d0LoCOn+2hs4urYDNulLBiuK1IBpp5niwYO4Dn0gV+W+5Nc6Np+iLg8HEDSMFY2L:dMoCm/hXwGt/j/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3180	VrGreen.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	powershell.exe
2116	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1948	3180	VrGreen.exe	81
PID 3180 wrote to memory of 1948	3180	VrGreen.exe	81
PID 1948 wrote to memory of 2116	1948	cmd.exe	82
PID 1948 wrote to memory of 2116	1948	cmd.exe	82
PID 2116 wrote to memory of 8	2116	powershell.exe	83
PID 2116 wrote to memory of 8	2116	powershell.exe	83
PID 8 wrote to memory of 2740	8	csc.exe	84
PID 8 wrote to memory of 2740	8	csc.exe	84
PID 3180 wrote to memory of 4844	3180	VrGreen.exe	86
PID 3180 wrote to memory of 4844	3180	VrGreen.exe	86
PID 4844 wrote to memory of 1132	4844	cmd.exe	88
PID 4844 wrote to memory of 1132	4844	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\VrGreen.exe
"C:\Users\Admin\AppData\Local\Temp\VrGreen.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\imhbs5l4\imhbs5l4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89A7.tmp" "c:\Users\Admin\AppData\Local\Temp\imhbs5l4\CSCEC13C843A6DB482AA747633EFAD45E2.TMP"
        5⤵
        
        PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89A7.tmp

Filesize
1KB

MD5
3b7a9a55c21a1f5c8e2c9ca12a02e4b4

SHA1
23270c95508be79ac7ba3e78a16a6b28a90f2bb1

SHA256
399b1f99cb0cca001a8d513a6c100281cdb47b4c7a968740bbd0b4a699d19575

SHA512
3b81412731192f4e29bde0a38fd4553e3cd5f6aa4490e65ae65004b1116aeeab40b218819df58ae0a2da77a2ed652ce72d00241a0bdb7f7a5c4e3689b92ea77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imhbs5l4\imhbs5l4.dll

Filesize
3KB

MD5
987212eae2ff6bc828f98f9fa63da726

SHA1
88e1358e15c87959c86cdc4ed00265aac6dbc7b0

SHA256
df610a025b67fba65266ddad01cdfa215aa9394e2b36aaececee0e208d47cd38

SHA512
f21add754f55c134704a44e2fc2d4d95da6b50f6b0ef21eeeaa6491d059f481522dfb133ba4354ced9acbaba3fb68df2dbc8a77ffcd71f73b7a1cbe3fc2693cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\a9f11f9c508f9a0c72ca925affd485d12d2ecf0864e402baa4e5d18890f1a518\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
3b1ae5bf6a30902fa2b4ab7fa9bdb800

SHA1
1e5b46c1c3d2cce8128568e720eb7e1a15a9629c

SHA256
a9f11f9c508f9a0c72ca925affd485d12d2ecf0864e402baa4e5d18890f1a518

SHA512
a29d050f201ce19731e3ac6418b79c835c01855e0757e91905604eeb9b514dbb6b1bd6e8e04371bc203c3a33a4d93637ca1f7bb4e91ec2d008466c91e9480e7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imhbs5l4\CSCEC13C843A6DB482AA747633EFAD45E2.TMP

Filesize
652B

MD5
4c20faa88b663eaa62288ca3888ee981

SHA1
5ec159fc6ee09f030eed1357f0e2e029edb30d32

SHA256
d4234fdf5c7d03e68fd900dd217c8c00905835686632e42452cdd20b227ff793

SHA512
41115c78bf9582a114e0c2773bcef5bee3fa739628a73bcfb4e7faa9cf913c64dcd6e43ab60c4bc1de332324189eadc2ba3af1592bc0d4c9e49664f98fd39bd8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imhbs5l4\imhbs5l4.0.cs

Filesize
342B

MD5
fb818b5af427cdf4bd5e9e48265dbd9b

SHA1
4494f9fe806d3d0ec6601ab8a6bdb5ff9b37a4ed

SHA256
6914d7afe54b19a22b8dad75c0781e9dc7321bbf43d3fd8fb00179d2d6a7f3f2

SHA512
843c02c18c777ae614a49d27722c495472c2b3ed4d45dc26bbb03d009a189e7241440a77107a7f17f26d03a8771c74efb49af9c98ce83020535c9027abb64cd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\imhbs5l4\imhbs5l4.cmdline

Filesize
369B

MD5
b66eb8e7739b53119a8591dfae6d645e

SHA1
0eb5e6fa116482e8cce9d6d809f54f72abff7caa

SHA256
28c4bae0baa95a5b3d2536215432d5f1e62158f1d21418cc4cf1cf313ba47c13

SHA512
61eb59a9da689b4a2356b0dc4d02a9e79844ee980fa4283b43b6810d89cf9fe4b109cd08bafef3e7082979948809bee86db25e85422c14b3cb66c0359fb56e98

Download Submit
memory/8-138-0x0000000000000000-mapping.dmp

Download
memory/1132-147-0x0000000000000000-mapping.dmp

Download
memory/1948-132-0x0000000000000000-mapping.dmp

Download
memory/2116-137-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2116-136-0x00000178FC020000-0x00000178FC548000-memory.dmp

Filesize
5.2MB

Download
memory/2116-135-0x00000178FB920000-0x00000178FBAE2000-memory.dmp

Filesize
1.8MB

Download
memory/2116-134-0x00000178FB370000-0x00000178FB392000-memory.dmp

Filesize
136KB

Download
memory/2116-145-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

Filesize
10.8MB

Download
memory/2116-133-0x0000000000000000-mapping.dmp

Download
memory/2740-141-0x0000000000000000-mapping.dmp

Download
memory/4844-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads