2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c

General

Target

2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
Size

706KB
MD5

3ac3494886b2df27ae6acebb36bb5ed5
SHA1

5fce26a566de4c07ebb4374b8f7c963b3f12b783
SHA256

2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c
SHA512

8c824b689b9f8c624edb2d5807ad2d552ae3a9a642895183a5a1acf0ad52ac2b8bdfec5aa036e51a0062a1b4a31fe7f604a1bd9be6950355ecd3a2981034e381
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspEAsekFS37t9lOqa:gpQ/6trYlvYPK+lqD73TeGsp1gFCXi

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3408	ScrBlaze.scr
3784	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
File opened for modification	C:\Windows\s18273659	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
File created	C:\Windows\ScrBlaze.scr	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4956	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
4956	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
3408	ScrBlaze.scr
3408	ScrBlaze.scr
3784	ScrBlaze.scr
3784	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3408	4956	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe	80
PID 4956 wrote to memory of 3408	4956	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe	80
PID 4956 wrote to memory of 3408	4956	2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe	80

C:\Users\Admin\AppData\Local\Temp\2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe
"C:\Users\Admin\AppData\Local\Temp\2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3408

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
3ac3494886b2df27ae6acebb36bb5ed5

SHA1
5fce26a566de4c07ebb4374b8f7c963b3f12b783

SHA256
2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c

SHA512
8c824b689b9f8c624edb2d5807ad2d552ae3a9a642895183a5a1acf0ad52ac2b8bdfec5aa036e51a0062a1b4a31fe7f604a1bd9be6950355ecd3a2981034e381

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
3ac3494886b2df27ae6acebb36bb5ed5

SHA1
5fce26a566de4c07ebb4374b8f7c963b3f12b783

SHA256
2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c

SHA512
8c824b689b9f8c624edb2d5807ad2d552ae3a9a642895183a5a1acf0ad52ac2b8bdfec5aa036e51a0062a1b4a31fe7f604a1bd9be6950355ecd3a2981034e381

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
3ac3494886b2df27ae6acebb36bb5ed5

SHA1
5fce26a566de4c07ebb4374b8f7c963b3f12b783

SHA256
2b174addd6e130d66559c95210340cf00114ff083f0477c3a87d3ec4aa9cbf0c

SHA512
8c824b689b9f8c624edb2d5807ad2d552ae3a9a642895183a5a1acf0ad52ac2b8bdfec5aa036e51a0062a1b4a31fe7f604a1bd9be6950355ecd3a2981034e381

Download Submit
C:\Windows\s18273659

Filesize
1000B

MD5
f53528814cf05fefaf90eea8710110ff

SHA1
bf26efc8e771081a8f1a56f1a5446c0d06d30ee5

SHA256
d6ec127200c1c2e627fbd9462f043118c31e8936031ec0a665101a1f66b37d62

SHA512
9985090f4c1e1a30fcb390a4b98159cc70eab76e3fb750b5fe18c98c39853629f15fd41e08601cee6a19c514fe5a3749729658f40fc80ef45b42a2e0d84f4ffa

Download Submit
C:\Windows\s18273659

Filesize
1KB

MD5
dc30e8bb3b209fc6e750fed94029bfae

SHA1
49d759ee2d016c407e1defbf876bb417b8fcd7cc

SHA256
8fbe171a6a50f3464d214b0897b05e02be6b4715ed334719a3e5a5c622da38df

SHA512
39ade3bd86129c22e29330f528a85e929cc89a24c283f13a9c43d1c25ed5839123b00fc55ac6c87085181d03c25be67599b31c71496c4a6447382557bf19f71e

Download Submit

Analysis

Sharing