89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

General

Target

89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
Size

706KB
MD5

6a2a7001bbafede13da555270ccdf8df
SHA1

6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce
SHA256

89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104
SHA512

653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspkQvex8nam:gpQ/6trYlvYPK+lqD73TeGspkcehm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
516	ScrBlaze.scr
1848	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
File opened for modification	C:\Windows\s18273659	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
File created	C:\Windows\ScrBlaze.scr	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE
Token: 33	1944	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1944	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
516	ScrBlaze.scr
516	ScrBlaze.scr
1848	ScrBlaze.scr
1848	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 516	1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	29
PID 1836 wrote to memory of 516	1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	29
PID 1836 wrote to memory of 516	1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	29
PID 1836 wrote to memory of 516	1836	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	29

C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
"C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MCVYN571.txt

Filesize
74B

MD5
10f488a862ac0628880c4c4292b9e44b

SHA1
60762be2af9eeb27edafc37cf9743ea05b620d02

SHA256
b3dfce6ea7e17e09441df82fd13366cce0e9609d70d0f9612516784eeec7a1b8

SHA512
8ae3c3a6613c4eb6a3548bb4aacfbd91b098c06ca76d2aaa76b93188dacd079e23f1f7eb0def331b33afec2fab5588e8799a5d213928144206936c6b4ac64f62

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\s18273659

Filesize
880B

MD5
15087173221a81674a39eec7f89b69ff

SHA1
78960bd2dae8c5d495aaa3a41b08568ee968727a

SHA256
41abbaa82b7d578201808e9b8d8719785df89f0c8bda890b8b04943878d09891

SHA512
ea71a91373a0f405f6244a7951085aec8cae2cead119a91cc3f8fb3be50548ffac8883857c608c7cc54c2b1d60813c871a55cdf6dc4d7a35e48b9a49e2981a86

Download Submit
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing