c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

General

Target

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Size

706KB
MD5

f19169a6b8560929aa39a73913b7ec34
SHA1

2c033549b4bde08aa04dcc8ab8b48404194a26df
SHA256

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8
SHA512

a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspmioKY1XelYa:gpQ/6trYlvYPK+lqD73TeGspmisg/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

4308 ScrBlaze.scr
3368 ScrBlaze.scr

pid	process
4308	ScrBlaze.scr
3368	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

Drops file in Windows directory 7 IoCs

Processes:

ScrBlaze.scrScrBlaze.scrc159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	ioc	process
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
File opened for modification	C:\Windows\s18273659	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
File created	C:\Windows\ScrBlaze.scr	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scrScrBlaze.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exeScrBlaze.scrScrBlaze.scr

pid	process
4028	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
4028	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
4308	ScrBlaze.scr
4308	ScrBlaze.scr
3368	ScrBlaze.scr
3368	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe

description	pid	process	target process
PID 4028 wrote to memory of 4308	4028	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr
PID 4028 wrote to memory of 4308	4028	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr
PID 4028 wrote to memory of 4308	4028	c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe
"C:\Users\Admin\AppData\Local\Temp\c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
f19169a6b8560929aa39a73913b7ec34

SHA1
2c033549b4bde08aa04dcc8ab8b48404194a26df

SHA256
c159adf4dc1eddb7122fc26fb1a0967354c6ea62b894d3e04dfd8adf286e4de8

SHA512
a1e0839b60864ded94b71c3371847d61cce03b3ae43d2e03b7644ade1539e56b758cd0d075380cfe437dbb7fe7677bb0e2d6563880dc88e5c3579d6f1678b548

Download Submit
C:\Windows\s18273659

Filesize
887B

MD5
232d715e00154e990d6307e680cd91c0

SHA1
9b332d664511959d501d1e95774b98244afaa539

SHA256
45c69f879f9fd18bcbaacf8a0e63be75113b898832ab074c2c3fd28ac69d93c2

SHA512
2d284efdd8f289b5b3bda0f9f37cad3a2fbe9762e407398cfb7fde1bfbc2b174cda83e7d455a6b4cc555187a7a8beeef28aa62ca70a9d3a2eaf78828b36ce390

Download Submit
C:\Windows\s18273659

Filesize
887B

MD5
232d715e00154e990d6307e680cd91c0

SHA1
9b332d664511959d501d1e95774b98244afaa539

SHA256
45c69f879f9fd18bcbaacf8a0e63be75113b898832ab074c2c3fd28ac69d93c2

SHA512
2d284efdd8f289b5b3bda0f9f37cad3a2fbe9762e407398cfb7fde1bfbc2b174cda83e7d455a6b4cc555187a7a8beeef28aa62ca70a9d3a2eaf78828b36ce390

Download Submit
C:\Windows\s18273659

Filesize
907B

MD5
d4b6c9c7d658d4a49b86f6072c138bf6

SHA1
cb4548b21aaa1e414018dfabfb93bd55dc076ec9

SHA256
af5b5264ca0f62ba85934782b518da40cc5803b599cf63e578efe504685f219b

SHA512
74644857c45c23b1158cb58de450de0060f6059e3c1ebc9cb5264172c81eb4490f538836166bbc57ffb4e73157a17d1d5c99c4cdfc8e2f35ab323fa3041f3d08

Download Submit
memory/4308-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads