27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27

General

Target

27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
Size

706KB
MD5

34a08207913fa2aecf175aa33678061e
SHA1

f29609cf2239f6fc5c78c5118f306bb3fa0e30cb
SHA256

27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27
SHA512

fd15703de62ad7ad7a1a7d9ee9fbcd072adc16c3fbfad8b9868d07065a0879237b19e82e67f8c465fccd60882976d6e5a39e4ef801651f42eb23a27484507a36
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspibQWMDHdWjCa:gpQ/6trYlvYPK+lqD73TeGspibQ1BEt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
460	ScrBlaze.scr
240	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
File opened for modification	C:\Windows\s18273659	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
File created	C:\Windows\ScrBlaze.scr	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
460	ScrBlaze.scr
460	ScrBlaze.scr
240	ScrBlaze.scr
240	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 460	1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe	29
PID 1512 wrote to memory of 460	1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe	29
PID 1512 wrote to memory of 460	1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe	29
PID 1512 wrote to memory of 460	1512	27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe	29

C:\Users\Admin\AppData\Local\Temp\27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe
"C:\Users\Admin\AppData\Local\Temp\27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:460

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P9VYYMVQ.txt

Filesize
73B

MD5
d350886984603fcebabef94268c98b70

SHA1
8207ed66a259558a019be6a82873e8999382cf19

SHA256
c2de753a140a9b0b46175482f6bec11365ba2ba01a00069fa119a85ba8d0505f

SHA512
8e535731e6af418fdacee9053b20a506c081894885754886e8d8eb1397de35d51714820753ee3790e5d635c6ca28c33f1d6726a8ffb91033ea25825277b98ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RJ2F1IRV.txt

Filesize
73B

MD5
a9bf7644b922e159b3b2f55bfb796be1

SHA1
a8bcb0ff58af33f3191c24d1e46c43f930872a87

SHA256
a6063c619414e33bba16276d26a8c7c37e19aee11c17c9255a59204a52c692c8

SHA512
dffb46df26b0f56f92e1b54093ff3f59ed2be8708b8d57d46045d2c100509f220086474a6c26559d58098aa39aae767e73ce4096639c07a9fda9169fc9bf1035

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
34a08207913fa2aecf175aa33678061e

SHA1
f29609cf2239f6fc5c78c5118f306bb3fa0e30cb

SHA256
27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27

SHA512
fd15703de62ad7ad7a1a7d9ee9fbcd072adc16c3fbfad8b9868d07065a0879237b19e82e67f8c465fccd60882976d6e5a39e4ef801651f42eb23a27484507a36

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
34a08207913fa2aecf175aa33678061e

SHA1
f29609cf2239f6fc5c78c5118f306bb3fa0e30cb

SHA256
27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27

SHA512
fd15703de62ad7ad7a1a7d9ee9fbcd072adc16c3fbfad8b9868d07065a0879237b19e82e67f8c465fccd60882976d6e5a39e4ef801651f42eb23a27484507a36

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
34a08207913fa2aecf175aa33678061e

SHA1
f29609cf2239f6fc5c78c5118f306bb3fa0e30cb

SHA256
27c2d33de2ae5e35045e946a12db028e6c5a8df455e1ef85611e1ad7e98e3a27

SHA512
fd15703de62ad7ad7a1a7d9ee9fbcd072adc16c3fbfad8b9868d07065a0879237b19e82e67f8c465fccd60882976d6e5a39e4ef801651f42eb23a27484507a36

Download Submit
C:\Windows\s18273659

Filesize
913B

MD5
cae3acb3462eee9a029db84c08b2b644

SHA1
7926997999558ba1b42d852705ebc7efc2093500

SHA256
33244dcd176d18ab903d494af758a089509ebbc4ec598ae95971b12b3c707a52

SHA512
1a33696306fe446944792c4a0ed8af1f7cf647623a64f8cf9b63fdb8f5bcc0960cde07cbf38d9610b52610191d0f284284b6a8f5047e0cf2ee0935cd4b770136

Download Submit
C:\Windows\s18273659

Filesize
966B

MD5
12e265d5ce8c91998d0515f1486ce131

SHA1
18054e433da95f6b9a19e94e6f047a9344eef8c7

SHA256
7bdc3b69144b1360f2cf96415a9be5b5f8d0e5d5dc3c6c42a2a146a694f9484e

SHA512
72f0e536f3ad0f767a7eba46478b43bff3bca006a73dcc6bf63995b3e2811186acb8f52e0bcd9f6446e524032319e78e33495b8acefa34dbddbc62afbed7568b

Download Submit
memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing