98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8

General

Target

98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
Size

706KB
MD5

036f76cad5463a0e82b081538cd0ed40
SHA1

dfcaccc531e750dc43508ec9226947b3f9ca9a1d
SHA256

98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8
SHA512

d4f801d99a7ab22245cea883a7564c9de3dbc57d391d64d23fd10298282ba8e662bb14d92f2ca5ed482d3dffc2f27ead012b84c2ae5b723d43017964d8d01d22
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGsp4lJmW89Gkh43a:gpQ/6trYlvYPK+lqD73TeGsp4l/D/K

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1780	ScrBlaze.scr
2492	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
File opened for modification	C:\Windows\s18273659	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
File created	C:\Windows\ScrBlaze.scr	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3196	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
3196	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
1780	ScrBlaze.scr
1780	ScrBlaze.scr
2492	ScrBlaze.scr
2492	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 1780	3196	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe	81
PID 3196 wrote to memory of 1780	3196	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe	81
PID 3196 wrote to memory of 1780	3196	98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe	81

C:\Users\Admin\AppData\Local\Temp\98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe
"C:\Users\Admin\AppData\Local\Temp\98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1780

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\bundle[1].js

Filesize
40KB

MD5
afacc1a1f0989d98533ef1ef8e706589

SHA1
2f258c8891e1b61d1f24c402be4ccbbc16eb6c2e

SHA256
424b49cd8707e89caca0335b2a8dc34745d8db475c51f53039eae3f6ed39e0e1

SHA512
2bac450eb2212394f5cc9f7f58bb5d35a415500142a2b7799871726545878b700decd5605adb3e7430424e9fb32f92db616e7980b2f8f636044158769efce7ec

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
036f76cad5463a0e82b081538cd0ed40

SHA1
dfcaccc531e750dc43508ec9226947b3f9ca9a1d

SHA256
98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8

SHA512
d4f801d99a7ab22245cea883a7564c9de3dbc57d391d64d23fd10298282ba8e662bb14d92f2ca5ed482d3dffc2f27ead012b84c2ae5b723d43017964d8d01d22

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
036f76cad5463a0e82b081538cd0ed40

SHA1
dfcaccc531e750dc43508ec9226947b3f9ca9a1d

SHA256
98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8

SHA512
d4f801d99a7ab22245cea883a7564c9de3dbc57d391d64d23fd10298282ba8e662bb14d92f2ca5ed482d3dffc2f27ead012b84c2ae5b723d43017964d8d01d22

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
036f76cad5463a0e82b081538cd0ed40

SHA1
dfcaccc531e750dc43508ec9226947b3f9ca9a1d

SHA256
98a2a60d02725e38e44140a411910c850f6208e7696b191ba95558a5d5db8dc8

SHA512
d4f801d99a7ab22245cea883a7564c9de3dbc57d391d64d23fd10298282ba8e662bb14d92f2ca5ed482d3dffc2f27ead012b84c2ae5b723d43017964d8d01d22

Download Submit
C:\Windows\s18273659

Filesize
824B

MD5
615120053fcacb5c48450280d5d2b747

SHA1
ffc5a6e9a84752e65501806b856c031da18b1c4b

SHA256
f2153f5b19c626efcb11dc2a4c0c5e721779f1af03918af70deaedd4f13f53c9

SHA512
8567c189d6a6edbdcafff09218d036554db8224f99a5b45754a900bc0d3ac42aa04afe9e0b8742b15d17ff748ccc6ddcd8a0fec2facbe8cd5d9035b0a82b58c8

Download Submit
C:\Windows\s18273659

Filesize
884B

MD5
3f054dd70fa0834afb116ea0655da214

SHA1
c557e138c287ff0cbd69a42057624f832f605c19

SHA256
e9eb32de65c7374aa65d1e9392cee1327c55ac790047527a6b0e14cc7cc9c37c

SHA512
ee4150bf6365c7f49db3e222f226e76c3cbc4f8cc287a4932102092bb7e2c3c0f7493b4d5d70b7e4ae4712207f5fba044c4c11147276cf19d7db96e8f6a71beb

Download Submit

Analysis

Sharing