c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

General

Target

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Size

706KB
MD5

f19169a6b8560929aa39a73913b7ec34
SHA1

2c033549b4bde08aa04dcc8ab8b48404194a26df
SHA256

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
SHA512

a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspmioKY1XelYa:gpQ/6trYlvYPK+lqD73TeGspmisg/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

1496 ScrBlaze.scr
632 ScrBlaze.scr

pid	process
1496	ScrBlaze.scr
632	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exeScrBlaze.scrScrBlaze.scr

description	ioc	process
File created	C:\Windows\s18273659	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
File opened for modification	C:\Windows\s18273659	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
File created	C:\Windows\ScrBlaze.scr	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE
Token: 33	2024	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2024	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exeScrBlaze.scrScrBlaze.scr

pid	process
2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
1496	ScrBlaze.scr
1496	ScrBlaze.scr
632	ScrBlaze.scr
632	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	pid	process	target process
PID 2004 wrote to memory of 1496	2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr
PID 2004 wrote to memory of 1496	2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr
PID 2004 wrote to memory of 1496	2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr
PID 2004 wrote to memory of 1496	2004	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
"C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2TS4V25K.txt
Filesize
74B

MD5
e40e67483e2b7efb3827a68a1b4c45e5

SHA1
3d7cefad908c5c30d57e57ec8cee7b4963b80413

SHA256
88a43469e668d9bc4e438ea1f5f86a3c2f9eccc3d6839ac3cea9c113a188b375

SHA512
eb778a9207f0e34048e933bc87a7efb6b89843c79a89ae15e983161b787f1ff9364e315aae667e5ca0adff3ff4bcdded94e3ff52923f1f29f2c12e09e394b916

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\s18273659
Filesize
933B

MD5
cf73ddfac877bee8d7f89ea79cfbba3e

SHA1
87bce7d4efc494c783704284c5bd565fcfe39ecc

SHA256
4bc1bd8d8806dd8810162b834e658cb59ec2b3886193452bccbbbfea9db1ebee

SHA512
7f640a44c735b0ca2af830f5448004c22278ccd71235db30f93462826361e17d5942c3c4921412b24a93e532b52e668c6632f4fa6b4429086ca58aaca36ab60f

Download Submit
memory/1496-55-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads