26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
Size

706KB
MD5

414c7d9f181ab15e2e8f9d86f8cdbde9
SHA1

7a819ac79643a5756887b515a004e8382913cf6a
SHA256

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670
SHA512

c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspybTgfkJa:gpQ/6trYlvYPK+lqD73TeGspybM8Q

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

5028 ScrBlaze.scr
3920 ScrBlaze.scr

pid	process
5028	ScrBlaze.scr
3920	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

Drops file in Windows directory 7 IoCs

Processes:

ScrBlaze.scr26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exeScrBlaze.scr

description	ioc	process
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
File opened for modification	C:\Windows\s18273659	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
File created	C:\Windows\ScrBlaze.scr	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scrScrBlaze.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exeScrBlaze.scrScrBlaze.scr

pid	process
1080	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
1080	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
5028	ScrBlaze.scr
5028	ScrBlaze.scr
3920	ScrBlaze.scr
3920	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe

description	pid	process	target process
PID 1080 wrote to memory of 5028	1080	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr
PID 1080 wrote to memory of 5028	1080	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr
PID 1080 wrote to memory of 5028	1080	26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe
"C:\Users\Admin\AppData\Local\Temp\26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
9c094971a27ff86a263ae18cf5a0ff14

SHA1
368624fab92930f3edd9818b82341a152e72a162

SHA256
078a8257a7f0fe4fd6eb28f408e8ac24b0b018aaa023b37b1db23005ce91bd63

SHA512
236c9a1af251eb8175c25718f724fb564c6dd3aa48330641c0fa2bc2885c29d40f8cc504d1e68e5d9b4983760497b02aba396675deeaddeefce2214a3e6a82d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3

Filesize
472B

MD5
8069f5e67c25fc0b7388ba5d4decd8c9

SHA1
64a85ba44c80ea206f4382f573c3d61e4f607ccf

SHA256
7587cd04333ddf1cff15ae219cb8fca0618786a9fe4cee989975f4d50889e72a

SHA512
ef64ef29197f452d07d13610d7f03ec81cfb3b7d8f45621e8b23ed3aeb90bb62afff7b8a699c585847138f855a66ee76e380c788b80003cf0cc8693a009742bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70

Filesize
472B

MD5
065495ec7a963a205abd9c8dbc75cb5d

SHA1
ea416d0df4f6706150bda5da2077174f5cdd986b

SHA256
1b2a2afee887651b23a849f14ace89b330329f6bf61c331545a3f6d12037aee5

SHA512
be7c2e7da354a9c56cea2fba5a05b54d633f93cfda4fd3c1c5a760e2bf0999eb8048af906220e25c079dd3fd659fd1295842effd3647460d3329ee1a0d334749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
db3df3f603d470d84bd2528060cfec1d

SHA1
f7d0aae637733409b14ee1d4e2d17f04b2a229dd

SHA256
2e8f3418758ad1c08db334fb6c4109f4a629c16c2456e61216ff2fde0824449b

SHA512
05b8cc6435749354b2664e759894431422e7d485788e3bbfe8594f1f87697193ae6a0e951ab60d7ecdbdce952eb1cd0e6b1c72c63e78695a239f54e4d039a8d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3

Filesize
402B

MD5
be1e9123cdc1a1e1876a06a14601ffb6

SHA1
4519aeb4f5326845d0d3852c1389d9f797c2e3f4

SHA256
2feeaadf0433cd42f636fe7b116a40ee11933c5ecef14998ef5d35cdfa8c8522

SHA512
b8c5e92c96bc2a7cbab9b5801eee9e82584b8a12de2b5bb654df25d51ebca9bdfb9e6fe79fbcea39e7680c9dedea55bc6c8c65adf409f705770e25ef2e021ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
08cbb5c93689bf749ade187c1710ca50

SHA1
ceaa3f0db2735d5b24c359d0f75b72c524890d70

SHA256
f22d0305dc86a947784ebdbbb4b2983731868906702b2d425838f482ad3c2b68

SHA512
7846f00a5e62779fe0473345791b10a67b50e6566e7508c887ceecd5a7f260ff6876e82c808bc7aaa7bb97bb0ef1311ee8daf62b81cae24ba8f47db4f04db4c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70

Filesize
406B

MD5
75bafca9cf4ead76476a9cf2d3d62574

SHA1
93077d0c77e140662e10615d524f43287d379ea5

SHA256
a34f1e39621513d15c0c7532882aa87c4eb7af5e9e213854fa388810b1ac7fb6

SHA512
d3a467d0e180a0ba3f9045c74ca39efcad4ac715df1e914615a1be7e31ddd275eb60b24faac935af4c681ae10df939d96d885515721a010de482af525c310940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TQFWGWHN\css[1].css

Filesize
159B

MD5
ff0bf9d3cc4d07f95eef640c1d790a59

SHA1
cd8e2a8d6730f9e0462e4f6a638c8cb9d48fb6e3

SHA256
a050244d5ec49afeed7cc2c870e75dae86dfdbe8e7bc56fe533436e83e2b5ba2

SHA512
fe726865ce47079263e573a89393fa74879e264f8cb114c246e24076dce4aa72fc6f4a5450df3a6fa2c2b327f06d8e74ba1d7db6d5bca75fd51abfbc691764e7

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
414c7d9f181ab15e2e8f9d86f8cdbde9

SHA1
7a819ac79643a5756887b515a004e8382913cf6a

SHA256
26f65a07db0ff83fb4103737d252b4e0890e5d9493b59189ef77e0243eaa8670

SHA512
c2714f3dd45ba697cb6487d4aa86a4c050cc320381eefdd019f740b7c4678a68a35e676c450b53ac37082f5169dca03ce14176cb7b026ecbf5cbe4c886bdfb66

Download Submit
C:\Windows\s18273659

Filesize
876B

MD5
25ae1be4c73fdb40ac330134a5d14374

SHA1
0a3c69cc226f3106a97129e4dc421a7d9bcaf1b2

SHA256
4e173994c0c37f2e8e21dffd3262871f28f25fd32f0582c75e231f56fe3e2324

SHA512
ba6c35c3dadba80b1d9f16745bf8a82a1ee08b00e128395ab4ba2e85464a1460a39949d33fed4a36648699f83a7f8eea77f90d8d20c756aa9df3c0a44ca41c9f

Download Submit
C:\Windows\s18273659

Filesize
896B

MD5
986e67da4b074830bb20b76909078430

SHA1
f0676e4d485d27c1c4a09a6f1111d3587af028be

SHA256
2dc5f2689a5bcfe9a1c6c72dd2e35bb27ff5c890a2e16e63d907d6644dafa4df

SHA512
7930f730cd1ef21bd02a304190dc6a231f41c63a50bcabf6ce24ecdd09edb39f4177f04b1fe0c7e995743ab6d35a15fd0d9e0b0f3ec1a003d6049965f530a7fd

Download Submit
memory/5028-132-0x0000000000000000-mapping.dmp

Download