6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
Size

706KB
MD5

5c5d223575eda7878bf3953a308833a8
SHA1

445748e04b431022241a90acfbe2346fdafca0ba
SHA256

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61
SHA512

08f0e0c57359774a11632d1ed660fc50a85176cf5a46465020426a9b9319eb1a6be93ed1dc0aeb62b64ca7ef5e27a4dfffe0e070d8468b5f9552dac4f1a96b6d
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspglZVQnqw56f0xnjwQa:gpQ/6trYlvYPK+lqD73TeGspoVQCsjA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ScrBlaze.scrScrBlaze.scr

pid process

4624 ScrBlaze.scr
1632 ScrBlaze.scr

pid	process
4624	ScrBlaze.scr
1632	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

Drops file in Windows directory 7 IoCs

Processes:

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exeScrBlaze.scrScrBlaze.scr

description	ioc	process
File opened for modification	C:\Windows\s18273659	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
File created	C:\Windows\ScrBlaze.scr	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

ScrBlaze.scrScrBlaze.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exeScrBlaze.scrScrBlaze.scr

pid	process
1264	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
1264	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
4624	ScrBlaze.scr
4624	ScrBlaze.scr
1632	ScrBlaze.scr
1632	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe

description	pid	process	target process
PID 1264 wrote to memory of 4624	1264	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe	ScrBlaze.scr
PID 1264 wrote to memory of 4624	1264	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe	ScrBlaze.scr
PID 1264 wrote to memory of 4624	1264	6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe	ScrBlaze.scr

C:\Users\Admin\AppData\Local\Temp\6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe
"C:\Users\Admin\AppData\Local\Temp\6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\ScrBlaze.scr
"C:\Windows\ScrBlaze.scr" /S
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f2d89c85e212ef130eac6d92aa534b39

SHA1
1291a316628bb3582421a4af7ad700141c9f15fd

SHA256
4430efe85d4c1c214ec8e4d5cdf0b3b8e39195a3e037b334fdcb93915253cb1f

SHA512
d80608f2fb32d30cac39b853f00bea61d5aadf9eb5fb607e41820f5782986d6a5e2151c38235342a3128649938edf91c4f27e3d5c355ed961c9ad314c762b335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3

Filesize
472B

MD5
6fe23ae41ec0cbb3d702b1c64028cd13

SHA1
e0e4d852454a5eae80a797aaa6f0991834dcc19a

SHA256
47a12f27ec1ec271d17295d822c69d1b49c6a24107f3f7ce06a320688fae7f3c

SHA512
be8e0668f228898fcd6b6766ea496a69d03007a06783947365b03bcc639b48a91f9b1ab1b62e31506b716e3570d3454b2ea6a3d11f38c21b5fac3ea550adf82a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70

Filesize
472B

MD5
065495ec7a963a205abd9c8dbc75cb5d

SHA1
ea416d0df4f6706150bda5da2077174f5cdd986b

SHA256
1b2a2afee887651b23a849f14ace89b330329f6bf61c331545a3f6d12037aee5

SHA512
be7c2e7da354a9c56cea2fba5a05b54d633f93cfda4fd3c1c5a760e2bf0999eb8048af906220e25c079dd3fd659fd1295842effd3647460d3329ee1a0d334749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
fc14e9dba9cd70aac6181a1f88db0eb2

SHA1
de56a58cfbdea430ccd6ec2f2a7fd1513dd6e350

SHA256
a8afc85e8917968105eea4bdba6b7b7f6ec50c0de6ff381a525c031a280b8cc3

SHA512
ec15f06168e3440ed8e739050837cde0e8ff7c7af21539017634f7024411f27bf4847e1f7f5a42a10156f083479dc093fa5fc3eb68502a17a11f3a852bdded19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3

Filesize
402B

MD5
9ec3ff0e3f63d2e675a40f54816c8cab

SHA1
ce685e0896db62a3ab04fb6d6b64153a128b8bd1

SHA256
e6ef05162daf82b1f3e32503ae3ace518c372221f82711b3f063b7631a21c5e9

SHA512
bb273ec378f44693b450e1c54e8e5e42b98a021d7cfd533212a8411d303756f5beac5808cd012babaa965d424e64e765cc15f8d64f7883986ca72a8cfba99c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f9a3ea5087f627a6c708256631bd79df

SHA1
dbe00bc575e8c2e85d86526e9634b349945afdc9

SHA256
ce517bcfeb1ce03478c288b46d43a71f9f835cc291170def401aac22d5c7decb

SHA512
0d3ec12573c5d2a1d508373677a72b06f5db53fb00c54eb968c8a0694200674b95485a34302edd4acd7c7fde6ad3fbc518f1df981fb1716c27175436236d435c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70

Filesize
406B

MD5
3d5904ad74f58c63c042cf29b8deb34b

SHA1
0f681c95eda603257ed27d5ef82fad973dbf0733

SHA256
416b8d16275b82df000261a267dbca5669bc4125ae404ce80e545136fcaee022

SHA512
5493b13a492ace68ac04ec640a6ad28e96c761a264d172b9381b7804951cbdbd6c93e41c7663a628d3b3486e31d62b22f538d880d0c4f36b6bb879ebeab0aaed

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
5c5d223575eda7878bf3953a308833a8

SHA1
445748e04b431022241a90acfbe2346fdafca0ba

SHA256
6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61

SHA512
08f0e0c57359774a11632d1ed660fc50a85176cf5a46465020426a9b9319eb1a6be93ed1dc0aeb62b64ca7ef5e27a4dfffe0e070d8468b5f9552dac4f1a96b6d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
5c5d223575eda7878bf3953a308833a8

SHA1
445748e04b431022241a90acfbe2346fdafca0ba

SHA256
6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61

SHA512
08f0e0c57359774a11632d1ed660fc50a85176cf5a46465020426a9b9319eb1a6be93ed1dc0aeb62b64ca7ef5e27a4dfffe0e070d8468b5f9552dac4f1a96b6d

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
5c5d223575eda7878bf3953a308833a8

SHA1
445748e04b431022241a90acfbe2346fdafca0ba

SHA256
6c6edbecd66e9fe3ba8424b375ef42151b84404c14407942f1d4f7bae3905e61

SHA512
08f0e0c57359774a11632d1ed660fc50a85176cf5a46465020426a9b9319eb1a6be93ed1dc0aeb62b64ca7ef5e27a4dfffe0e070d8468b5f9552dac4f1a96b6d

Download Submit
C:\Windows\s18273659

Filesize
903B

MD5
2aa70144e71180cd4e529087d4b94d4f

SHA1
94b708e7f73fdca1d78aa094c30a76e657c8df25

SHA256
0c0e934906bcf729765ed3d6c5412b7d207f7a97b5cff09b2470a5dadeeb9f1a

SHA512
7d4b22c0a8c7e91ad65e4e0bd1579fc4b8c8feaf006b7e9d23fd595105d1351da13774b9fb99cf9a5668233a96068249d4fffc70be1d8bc4a9262066facb73c0

Download Submit
C:\Windows\s18273659

Filesize
903B

MD5
2aa70144e71180cd4e529087d4b94d4f

SHA1
94b708e7f73fdca1d78aa094c30a76e657c8df25

SHA256
0c0e934906bcf729765ed3d6c5412b7d207f7a97b5cff09b2470a5dadeeb9f1a

SHA512
7d4b22c0a8c7e91ad65e4e0bd1579fc4b8c8feaf006b7e9d23fd595105d1351da13774b9fb99cf9a5668233a96068249d4fffc70be1d8bc4a9262066facb73c0

Download Submit
C:\Windows\s18273659

Filesize
923B

MD5
623fbeb8c099fa8a7c925736d13ec5ca

SHA1
7cc28b64be8bdce4405455eca539ba6ab3a8d766

SHA256
465ecabe12a53f529933ae7a9c67235052ac3594e5eb11efcefab7a9b7c7b5aa

SHA512
45da4a31309b6e70520a47a12a56d89a7f460965d4747ae88f5d1301aaa81bec0bcaad21f356ed330b4b84cbf45395aa2e61442560c3d98b1d3c617a8e24a0ee

Download Submit
memory/4624-132-0x0000000000000000-mapping.dmp

Download