50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d

General

Target

50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe
Size

2.7MB
MD5

13c1e6959dd8147d90f9c4864789cd45
SHA1

fcf376e09599a9f3ade51762d7c2b511d5244efb
SHA256

50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d
SHA512

0f3bc0f6924ce65f59259dd92c3bbb59e8b38c430a1ffeef41f029e271120e67f9cae33abeb3a9331b21bab6cd1ab019e61b02b7015f7f7f25bb187c1ac7a59a
SSDEEP

49152:42lZdEspqVE1S0OdJoDYhxQmUJQusk745zZC6FzHDPfRY0E:1jV04OdjMQrk74jXFzDPflE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
2916	GreenTV.exe
3228	GreenTV.exe

Loads dropped DLL 3 IoCs

pid	Process
2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\GreenTV\unins000.dat	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-69VA0.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-FRQ3G.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-VGT0G.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-V7LEF.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-22H0N.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-9E6QK.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-K83RH.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-UETHA.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-VKG29.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-80F8K.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\UIText\is-P0TQ5.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\UIText\is-KF520.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-3NKDK.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-1QUO8.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-4ISF9.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-I2OM8.tmp	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
File opened for modification	C:\Program Files (x86)\Common Files\GreenTV\unins000.dat	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2760	4364	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe	71
PID 4364 wrote to memory of 2760	4364	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe	71
PID 4364 wrote to memory of 2760	4364	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe	71
PID 2760 wrote to memory of 4544	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	72
PID 2760 wrote to memory of 4544	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	72
PID 2760 wrote to memory of 4544	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	72
PID 2760 wrote to memory of 2916	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	74
PID 2760 wrote to memory of 2916	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	74
PID 2760 wrote to memory of 2916	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	74
PID 2760 wrote to memory of 4760	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	77
PID 2760 wrote to memory of 4760	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	77
PID 2760 wrote to memory of 4760	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	77
PID 2760 wrote to memory of 3228	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	75
PID 2760 wrote to memory of 3228	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	75
PID 2760 wrote to memory of 3228	2760	50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp	75
PID 4760 wrote to memory of 1608	4760	net.exe	78
PID 4760 wrote to memory of 1608	4760	net.exe	78
PID 4760 wrote to memory of 1608	4760	net.exe	78

C:\Users\Admin\AppData\Local\Temp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe
"C:\Users\Admin\AppData\Local\Temp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\is-JFOJ0.tmp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JFOJ0.tmp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp" /SL5="$A01C8,2614569,76288,C:\Users\Admin\AppData\Local\Temp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4544
- - C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe
    "C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe
    "C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3228
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 25
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 25
      4⤵
      PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe

Filesize
2.2MB

MD5
e67657e2650ed285bf43a6571c494339

SHA1
545301f496ea411826cf4276e1fe58a70cb7c325

SHA256
7fcd0fe091190cffe59153897b0411724823e4cd09bf282eda9ddd5fcd2dfda5

SHA512
7fdaceffa1171357214f5ee524bbcac3d09efd22c2a9137858e7c817d6dd609bec3a1827c80d97728a40548c02f803794d3d548bdb1409e06fee3b4958e3a89d

Download Submit
C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe

Filesize
2.2MB

MD5
e67657e2650ed285bf43a6571c494339

SHA1
545301f496ea411826cf4276e1fe58a70cb7c325

SHA256
7fcd0fe091190cffe59153897b0411724823e4cd09bf282eda9ddd5fcd2dfda5

SHA512
7fdaceffa1171357214f5ee524bbcac3d09efd22c2a9137858e7c817d6dd609bec3a1827c80d97728a40548c02f803794d3d548bdb1409e06fee3b4958e3a89d

Download Submit
C:\Program Files (x86)\Common Files\GreenTV\GreenTV.exe

Filesize
2.2MB

MD5
e67657e2650ed285bf43a6571c494339

SHA1
545301f496ea411826cf4276e1fe58a70cb7c325

SHA256
7fcd0fe091190cffe59153897b0411724823e4cd09bf282eda9ddd5fcd2dfda5

SHA512
7fdaceffa1171357214f5ee524bbcac3d09efd22c2a9137858e7c817d6dd609bec3a1827c80d97728a40548c02f803794d3d548bdb1409e06fee3b4958e3a89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFOJ0.tmp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFOJ0.tmp\50515f3c2af61a9604617c18fec408c6975d71542d8ad15a2742cb011a129c5d.tmp

Filesize
683KB

MD5
f507ce43ea08d1721816ad4b0e090f50

SHA1
e4f02bcd410bddabea4c741838d9a88386547629

SHA256
d2218bde27d66f28e3caf15e899653a9357ebdc7adf9a763b687f6c03c93e5e1

SHA512
37b2f92df632f75447572df840a236ef01021e8291536bf2e8156179333f770afdd8bcbf50cb05bbdbdaa53c00ace46119290800b115823ea035a2389a3f6693

Download Submit
\Users\Admin\AppData\Local\Temp\is-SRD5C.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-SRD5C.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
\Users\Admin\AppData\Local\Temp\is-SRD5C.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
memory/2760-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2760-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2760-71-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2916-59-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/2916-60-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/2916-64-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-74-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-93-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-70-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-67-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-118-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-75-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-78-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-81-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-84-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-88-0x0000000000910000-0x00000000009BD000-memory.dmp

Filesize
692KB

Download
memory/3228-87-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-115-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-96-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-97-0x0000000000910000-0x00000000009BD000-memory.dmp

Filesize
692KB

Download
memory/3228-100-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-103-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-106-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/3228-109-0x0000000000910000-0x00000000009BD000-memory.dmp

Filesize
692KB

Download
memory/3228-110-0x0000000000910000-0x00000000009BD000-memory.dmp

Filesize
692KB

Download
memory/3228-111-0x0000000000400000-0x0000000000637000-memory.dmp

Filesize
2.2MB

Download
memory/4364-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4364-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing