271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
Size

706KB
MD5

949185b530c0139d64efd93093bbc396
SHA1

b972873528f001080a09830624859c5c6f757023
SHA256

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4
SHA512

ccea3e8e3fb61b8e478c50f0fed6770ca3906358dce4a8d57d605611d0f03e0749cfedcce6dce24f59a9dcc2784a8c9c5b59f13e4db78367d8319f2d4f2c0520
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGsptLRN+UpWyEl1aQ:gpQ/6trYlvYPK+lqD73TeGspxR7HEl8Q

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

1796 ScrBlaze.scr
1980 ScrBlaze.scr

pid	process
1796	ScrBlaze.scr
1980	ScrBlaze.scr

Drops file in Windows directory 7 IoCs

Processes:

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exeScrBlaze.scrScrBlaze.scr

description	ioc	process
File created	C:\Windows\ScrBlaze.scr	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
File opened for modification	C:\Windows\s18273659	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scrScrBlaze.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	596	AUDIODG.EXE
Token: 33	596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	596	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exeScrBlaze.scrScrBlaze.scr

pid	process
1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
1796	ScrBlaze.scr
1796	ScrBlaze.scr
1980	ScrBlaze.scr
1980	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe

description	pid	process	target process
PID 1488 wrote to memory of 1796	1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe	ScrBlaze.scr
PID 1488 wrote to memory of 1796	1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe	ScrBlaze.scr
PID 1488 wrote to memory of 1796	1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe	ScrBlaze.scr
PID 1488 wrote to memory of 1796	1488	271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe
"C:\Users\Admin\AppData\Local\Temp\271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\17NKjm[1].htm
Filesize
125B

MD5
1cd6fcc634a5715f528fa28fd1a87c54

SHA1
6a6d7dac28bb8a89e87ed677966f95df583ee210

SHA256
d233c49335982d56db02bebfdb395b50c19fc0bf8fcb61409afe0777c08a501d

SHA512
1ff16b809e07511efcadb7fa1af2b26ad092c42a65aa1ff3e4ee8e07bbdee836eab660b9ae3ed3ce1016dd08699826064759a3077696eb604d42b64d1b320c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\common[1].js
Filesize
1KB

MD5
e2e96d214a8e7f0ca2a37277ece233f5

SHA1
fbbdb205a058fc8101b45951b64d3cda6fdeb6aa

SHA256
93bdbe0f178532159cdb7bcbb6b8af856b114954228637f8a0186530e0897c28

SHA512
78839d0151e34f2e70d6b3917d8ad065ca3ead7462432ea6676b50603e795fffca88611d1c9a46c749ed548af07046d660cbfb856d0291be9ce1e6d358e35652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8YK3QV\tj[1].js
Filesize
214B

MD5
bdb59b05453bf6baed64d3003a7528bc

SHA1
8005fd48ee13bbfc72f4aa4245356bca32219948

SHA256
d9794733843db10e8c8498f8f313048a6b06148aa081a4c8e20ed17a3dc21cfe

SHA512
35a8a60a15364c37e289a8bfc35ff2ff8e5eb68af3061731372b5ea1cf71e71696660b32c45f0bb3e8c45548c8b13f3be3d87ae7444404d5fcdc45ba170e817d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V881MODH\steamtown[1].htm
Filesize
2KB

MD5
d184e9a1274731ddfdd0ad7c15ebd510

SHA1
513eadf0f0916c3492426fed9fd3df1468457ffc

SHA256
aef9f97137009eec603bb676f9e291f865488442d9d62766e6c5d895b0bc3faa

SHA512
93e044ae2f5ecadab262a94603d9e62fe03d1def9c93eefd3eea74485b3386cb126a0045abd4b002f3f9a2af76ac5611e6c25fc69b52b534f80c2a02ce9e7034

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1KNA9KAU.txt
Filesize
74B

MD5
5b618db49462569e1dbe605dec2b3aac

SHA1
6d11931cbcba39aec6a269d82f8b19d365ea8b97

SHA256
5f06b0d8c701aa061885e3f58dfaa21007cacdfccd4f0783e6bfa2ea80333d37

SHA512
543b4c769f02f038fe8e557fad3eabe3e7c75b3cc6b292dae9d6a2b97988e3fdeca6201a223a3cf276a20e77ce6b96c4130b8dd54910fd717030a1fbf06ab450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8TQC05K4.txt
Filesize
89B

MD5
6b6fb1a42475d8b0f1d2f815806de38a

SHA1
fd535121b09621de3ab9d125b99801b1dd99ae4d

SHA256
2af9b792bc6dc4c6b59fd2807a3634130d8598b0dcfdb8e3a6f4a54b95b84ce8

SHA512
df46962572f3e441a56b17dea90392749668344afcb54003be3ab1a5a0c51d6666847e457e6f76b424a4331cc4c361d06b87382615f785ba0a798b570c78d5be

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
949185b530c0139d64efd93093bbc396

SHA1
b972873528f001080a09830624859c5c6f757023

SHA256
271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4

SHA512
ccea3e8e3fb61b8e478c50f0fed6770ca3906358dce4a8d57d605611d0f03e0749cfedcce6dce24f59a9dcc2784a8c9c5b59f13e4db78367d8319f2d4f2c0520

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
949185b530c0139d64efd93093bbc396

SHA1
b972873528f001080a09830624859c5c6f757023

SHA256
271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4

SHA512
ccea3e8e3fb61b8e478c50f0fed6770ca3906358dce4a8d57d605611d0f03e0749cfedcce6dce24f59a9dcc2784a8c9c5b59f13e4db78367d8319f2d4f2c0520

Download Submit
C:\Windows\ScrBlaze.scr
Filesize
706KB

MD5
949185b530c0139d64efd93093bbc396

SHA1
b972873528f001080a09830624859c5c6f757023

SHA256
271f9b7e5df35b528fe8d18cd0de96eaf2772d35b97756664352faf6186bdcb4

SHA512
ccea3e8e3fb61b8e478c50f0fed6770ca3906358dce4a8d57d605611d0f03e0749cfedcce6dce24f59a9dcc2784a8c9c5b59f13e4db78367d8319f2d4f2c0520

Download Submit
C:\Windows\s18273659
Filesize
884B

MD5
c00f60bd8416186182caa0f6fcf6a0b2

SHA1
5fe1e9eb4af6c816c41d315cce6165aa4f0efaa4

SHA256
208e791dd7ef4c363ea707ca1750572703fa261b1f8ca35aec66b7702179dda8

SHA512
7fcc786860fba0977ba69e9facdebfb1ae0405de7d6173e5217e4f60e48eaa4abf73691bc76dff57ffc1739a6b0c209ec19a5204b27f54abc05f70c1a5199efc

Download Submit
C:\Windows\s18273659
Filesize
904B

MD5
1f264369c7b12decbdaed939a0780414

SHA1
38e559a9c8510209467918b74fce5aafe04423e4

SHA256
b65ce68c5b3252bddd38c59fec8b84c23cf1059fb787b54e30463e5d00da1078

SHA512
e8ccea0d022195c1aa5b64b14d043dc30e0c12d3e47dc3489dd58190a2ef990495ad7c77d50da92bc7effbd7677f63a2e359d8ab672aa969fb573d8c86145b8e

Download Submit
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1796-55-0x0000000000000000-mapping.dmp

Download