Overview

overview

10

Static

static

3

GreenField.exe

windows7-x64

6

GreenField.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GreenField.exe

  • Size

    12KB

  • MD5

    18208ba6920a74e8ca7bd244571ae383

  • SHA1

    61797d94d14935a588a799e8dc943355eb6f4022

  • SHA256

    1c30611e8e3a99301ffe1102d4f70c44fd2d7593878dcdf4178002777fe6e920

  • SHA512

    87fdb3de8301e8f2dd7b8601ee468e64387ce72616af21153d129f236bf28a6dd81e1ba905cd534281bdc94aca1d85898ec6e64170cab2bb58d3c608002f64f3

  • SSDEEP

    192:4Qt7If16ODCvuuYT6DI6kDmBwqVT9N62uEiGe5PF:A16O5CDIJDawqrklEiP5P

Score
6/10
discoverypersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GreenField.exe
    "C:\Users\Admin\AppData\Local\Temp\GreenField.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2272
    • C:\Users\Admin\AppData\Local\Temp\GreenField.exe
      "C:\Users\Admin\AppData\Local\Temp\GreenField.exe"
      1⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2924
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\GreenField.docx"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1344
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /vu "C:\Users\Admin\AppData\Local\Temp\GreenField.docx"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1228
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\GreenField.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1780

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      01ec3a2e65e9398eb0727b7072da8e47

      SHA1

      2d477148f7a7d46e80dc59b60f2096008a460d3c

      SHA256

      99fd266df4cc97db8373ad42c1ad9dbcf7d8b3bd34dc30ecfd91699ae2191a4d

      SHA512

      fa7d55a81230c8dc32ecaa86e8dca5e5ab13e7791068c5ea759c06f65a6c07fc9eca43fee8283d41c4cdd9068bb4808d3352b68f467aede09d1fbc716cb65c9c

      Download Submit

    • memory/1228-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1344-7-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1344-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2660-0-0x000000007490E000-0x000000007490F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2660-1-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2660-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2660-3-0x0000000074900000-0x0000000074FEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2924-4-0x00000000012E0000-0x00000000012EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2924-5-0x0000000074880000-0x0000000074F6E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2924-6-0x0000000074880000-0x0000000074F6E000-memory.dmp

      Filesize

      6.9MB

      Download