45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

General

Target

45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
Size

706KB
MD5

0e88ff25932ed63e62007f643c768057
SHA1

2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68
SHA256

45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b
SHA512

fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspNDYtFSs5ycVR7ofam:gpQ/6trYlvYPK+lqD73TeGsp8FSaxoym

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4336	ScrBlaze.scr
512	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
File opened for modification	C:\Windows\s18273659	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
File created	C:\Windows\ScrBlaze.scr	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
652	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
652	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
4336	ScrBlaze.scr
4336	ScrBlaze.scr
512	ScrBlaze.scr
512	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 4336	652	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	79
PID 652 wrote to memory of 4336	652	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	79
PID 652 wrote to memory of 4336	652	45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe	79

C:\Users\Admin\AppData\Local\Temp\45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe
"C:\Users\Admin\AppData\Local\Temp\45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4336

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
0e88ff25932ed63e62007f643c768057

SHA1
2ffcfc2dc1e0e6557991dfa3e9e830f28ab79b68

SHA256
45f58d88efc39bcb52ed29a46ee8c8598491ea136e3c23ba1c1f3c55d425452b

SHA512
fa288c2ce44457cf6db20c33bd91eb58abcf10cd2720e0f2885743adec113e5772f5b033a7b458e5348fbf9f1afe341ac9898f8b2bf57f536e10219bea9dce1d

Download Submit
C:\Windows\s18273659

Filesize
911B

MD5
4140b3631bc49d9286ac641b2eafdddc

SHA1
549ce1b863f82f2ee1bd901d6f112d96f3a46891

SHA256
02c15f14cd2d844a13297cb3f9461a0b1af2f2105ff0040f73968139ad2c56c7

SHA512
fe71d29ce8792ba1288e40ee94a4dd4e2fc75f00d89657147bee09eefa063fbdaf0c97d72269215084b63260e42acbc0fea1f3712454d794aec78b56a4321e23

Download Submit
C:\Windows\s18273659

Filesize
911B

MD5
4140b3631bc49d9286ac641b2eafdddc

SHA1
549ce1b863f82f2ee1bd901d6f112d96f3a46891

SHA256
02c15f14cd2d844a13297cb3f9461a0b1af2f2105ff0040f73968139ad2c56c7

SHA512
fe71d29ce8792ba1288e40ee94a4dd4e2fc75f00d89657147bee09eefa063fbdaf0c97d72269215084b63260e42acbc0fea1f3712454d794aec78b56a4321e23

Download Submit
C:\Windows\s18273659

Filesize
942B

MD5
1de6a5cdf178bb171a8410a288018219

SHA1
384c03e4c5fc2c69a62a65fd01a48de696e5d55b

SHA256
9a32d86b6dd62133226a68ddf367bbef321d3fa2f4f39d9cd779657d9ee606c0

SHA512
925bf2b7a6166e172d504713488ac27985b2a9a775d47de21a18f3ae29d0e32943be64dacedb13af26c6df86d2fb6553522ff19ed1d1c155bff0e90825ec9591

Download Submit

Analysis

Sharing