Analysis
-
max time kernel
141s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 10:46
Static task
static1
Behavioral task
behavioral1
Sample
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Resource
win10v2004-20220812-en
General
-
Target
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
-
Size
706KB
-
MD5
f19169a6b8560929aa39a73913b7ec34
-
SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df
-
SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
-
SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
-
SSDEEP
12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspmioKY1XelYa:gpQ/6trYlvYPK+lqD73TeGspmisg/
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
ScrBlaze.scrScrBlaze.scrpid process 1496 ScrBlaze.scr 632 ScrBlaze.scr -
Drops file in Windows directory 6 IoCs
Processes:
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exeScrBlaze.scrScrBlaze.scrdescription ioc process File created C:\Windows\s18273659 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe File opened for modification C:\Windows\s18273659 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe File created C:\Windows\ScrBlaze.scr c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe File created C:\Windows\s18273659 ScrBlaze.scr File opened for modification C:\Windows\s18273659 ScrBlaze.scr File created C:\Windows\s18273659 ScrBlaze.scr -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes:
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr" c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe -
Processes:
ScrBlaze.scrdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main ScrBlaze.scr Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch ScrBlaze.scr Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" ScrBlaze.scr -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 2024 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2024 AUDIODG.EXE Token: 33 2024 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2024 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exeScrBlaze.scrScrBlaze.scrpid process 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe 1496 ScrBlaze.scr 1496 ScrBlaze.scr 632 ScrBlaze.scr 632 ScrBlaze.scr -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exedescription pid process target process PID 2004 wrote to memory of 1496 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe ScrBlaze.scr PID 2004 wrote to memory of 1496 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe ScrBlaze.scr PID 2004 wrote to memory of 1496 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe ScrBlaze.scr PID 2004 wrote to memory of 1496 2004 c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe ScrBlaze.scr
Processes
-
C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe"C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe"1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\ScrBlaze.scr"C:\Windows\ScrBlaze.scr" /S2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4501⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ScrBlaze.scrC:\Windows\ScrBlaze.scr /s1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2TS4V25K.txtFilesize
74B
MD5e40e67483e2b7efb3827a68a1b4c45e5
SHA13d7cefad908c5c30d57e57ec8cee7b4963b80413
SHA25688a43469e668d9bc4e438ea1f5f86a3c2f9eccc3d6839ac3cea9c113a188b375
SHA512eb778a9207f0e34048e933bc87a7efb6b89843c79a89ae15e983161b787f1ff9364e315aae667e5ca0adff3ff4bcdded94e3ff52923f1f29f2c12e09e394b916
-
C:\Windows\ScrBlaze.scrFilesize
706KB
MD5f19169a6b8560929aa39a73913b7ec34
SHA12c033549b4bde08aa04dcc8ab8b48404194a26df
SHA256c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
SHA512a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
-
C:\Windows\ScrBlaze.scrFilesize
706KB
MD5f19169a6b8560929aa39a73913b7ec34
SHA12c033549b4bde08aa04dcc8ab8b48404194a26df
SHA256c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
SHA512a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
-
C:\Windows\ScrBlaze.scrFilesize
706KB
MD5f19169a6b8560929aa39a73913b7ec34
SHA12c033549b4bde08aa04dcc8ab8b48404194a26df
SHA256c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
SHA512a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
-
C:\Windows\s18273659Filesize
933B
MD5cf73ddfac877bee8d7f89ea79cfbba3e
SHA187bce7d4efc494c783704284c5bd565fcfe39ecc
SHA2564bc1bd8d8806dd8810162b834e658cb59ec2b3886193452bccbbbfea9db1ebee
SHA5127f640a44c735b0ca2af830f5448004c22278ccd71235db30f93462826361e17d5942c3c4921412b24a93e532b52e668c6632f4fa6b4429086ca58aaca36ab60f
-
memory/1496-55-0x0000000000000000-mapping.dmp
-
memory/2004-54-0x00000000764D1000-0x00000000764D3000-memory.dmpFilesize
8KB