45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

General

Target

45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
Size

706KB
MD5

0e88ff25932ed63e62007f643c768057
SHA1

2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68
SHA256

45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b
SHA512

fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspNDYtFSs5ycVR7ofam:gpQ/6trYlvYPK+lqD73TeGsp8FSaxoym

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1800	ScrBlaze.scr
1532	ScrBlaze.scr

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
File opened for modification	C:\Windows\s18273659	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
File created	C:\Windows\ScrBlaze.scr	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	840	AUDIODG.EXE
Token: 33	840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	840	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
1800	ScrBlaze.scr
1800	ScrBlaze.scr
1532	ScrBlaze.scr
1532	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1800	1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	30
PID 1492 wrote to memory of 1800	1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	30
PID 1492 wrote to memory of 1800	1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	30
PID 1492 wrote to memory of 1800	1492	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	30

C:\Users\Admin\AppData\Local\Temp\45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
"C:\Users\Admin\AppData\Local\Temp\45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R1SZ86RD.txt

Filesize
74B

MD5
3349b691778a86be58a5621c5fa08bfd

SHA1
12fc59d2d36b60a313c28d0c4cd1574ba75cd819

SHA256
766edfb2924a9387c5fb6e64ab1f5df893fff507e34fa8625845fe041b7f85db

SHA512
50e00e5c6a41c8d744835af3041156c58d8a57d3b9dac9ab515da0859874eb74f83ab2a2e7db458b5b6092c6415e529a615b17ac9afefb200817d2fc32754ebe

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\s18273659

Filesize
891B

MD5
fde19e4872ca18c3acbf4c3fca256613

SHA1
f11aef75773d1484b658d0b0ad7be9cd6954b7d5

SHA256
0448dbcafde5beb8d60570d675e79785b3716e435809073108d98b6d2dbbb672

SHA512
2ba5e27e5abcd7d8af161fd3eb7aba3cc700294ac5c87fc672ece21e5b4a7423c177a1cbb67a6649abe5ea489fc0b06d0c136d8e90c7a73c5b2ae960595c2a81

Download Submit
C:\Windows\s18273659

Filesize
853B

MD5
43d873bc6dcac239d5843f53fbd723cf

SHA1
87a84b81971129e70b571b05086c4fe0c15a8287

SHA256
973065c2f7f47fff3fc651ff5c3e3eda9394e5574923e739b52ec0382e8771f1

SHA512
cf9796ed1283b7c8c5ecc3a9895fac3fe9fee2c550d62061ed51e9a6b035279bf613241043015cb5aed8deb41dc925173c5ebcb254e55adabe127957a575fc8a

Download Submit
memory/1492-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing