26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

General

Target

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
Size

706KB
MD5

414c7d9f181ab15e2e8f9d86f8cdbde9
SHA1

7a819ac79643a5756887b515a004e8382913cf6a
SHA256

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670
SHA512

c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspybTgfkJa:gpQ/6trYlvYPK+lqD73TeGspybM8Q

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

1776 ScrBlaze.scr
1484 ScrBlaze.scr

pid	process
1776	ScrBlaze.scr
1484	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exeScrBlaze.scrScrBlaze.scr

description	ioc	process
File opened for modification	C:\Windows\s18273659	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
File created	C:\Windows\ScrBlaze.scr	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ScrBlaze.scr

pid process

1776 ScrBlaze.scr

pid	process
1776	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	392	AUDIODG.EXE
Token: 33	392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	392	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exeScrBlaze.scrScrBlaze.scr

pid	process
1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
1776	ScrBlaze.scr
1776	ScrBlaze.scr
1484	ScrBlaze.scr
1484	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

description	pid	process	target process
PID 1672 wrote to memory of 1776	1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr
PID 1672 wrote to memory of 1776	1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr
PID 1672 wrote to memory of 1776	1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr
PID 1672 wrote to memory of 1776	1672	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
"C:\Users\Admin\AppData\Local\Temp\26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9BSBDHDB.txt

Filesize
74B

MD5
cdb6b3912a55152a7c078db605f11e36

SHA1
f47869a38fcf058570b4929934e26259e8100298

SHA256
f27249646ae33b846504f2a37579ad87e53f752c03d02bfbe16c9be48fd1324d

SHA512
78be219c4fba09bfd4d320441b7ae4f12b04b1143d5fc7e697d8e40540b6b6341036e721a198b999b94a4d45c0dca48d7a7b3f25657e443b56bfad7f1484ed97

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\s18273659

Filesize
910B

MD5
16136a9daa0323917499df6289e29866

SHA1
f6a85cde52acd7ba10cd4487ef0af6b4c700208c

SHA256
9405c848f1fd1d6986563a872ddb57f70b515f8a61829282c9b45499a06b488b

SHA512
69246a5f1899ef2908fb551abcf5a6f2d372780d43ef8c7216ce3610f0b11e0a768a2159be63f9e71c7c18112a2f4d9334743d173584028806cea950237dab7f

Download Submit
C:\Windows\s18273659

Filesize
930B

MD5
b9d85842755e626811290ddf32cb92c8

SHA1
6eb3c58e828c0f5188032967b6df8bd3675e90c8

SHA256
205bb0757ed80b1b095c2bb77544f145008826387d47982e1d3c11425ef198c4

SHA512
7086b2a2879380dd633b93892c600c35267847d6649557b2f4713d343240c031053ed8c61da0756bca6e176c807450adbb2178dbcc2438a72fb9f58e7af7a416

Download Submit
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads