Analysis
- max time kernel: 130s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 13:10
Static task: static1
Behavioral task: behavioral1
- Sample: 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Resource: win10v2004-20220901-en
General
- Target: 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Size: 706KB
- MD5: 6a2a7001bbafede13da555270ccdf8df
- SHA1: 6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce
- SHA256: 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104
- SHA512: 653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91
- SSDEEP: 12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspkQvex8nam:gpQ/6trYlvYPK+lqD73TeGspkcehm
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  3576 | ScrBlaze.scr
  4072 | ScrBlaze.scr
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File created | C:\Windows\ScrBlaze.scr | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  File created | C:\Windows\s18273659 | ScrBlaze.scr
  File opened for modification | C:\Windows\s18273659 | ScrBlaze.scr
  File created | C:\Windows\s18273659 | ScrBlaze.scr
  File opened for modification | C:\Windows\s18273659 | ScrBlaze.scr
  File created | C:\Windows\s18273659 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  File opened for modification | C:\Windows\s18273659 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr" | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
- Modifies Internet Explorer settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | ScrBlaze.scr
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU | ScrBlaze.scr
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | ScrBlaze.scr
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | ScrBlaze.scr
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | ScrBlaze.scr
  Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync | ScrBlaze.scr
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2300 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  2300 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  3576 | ScrBlaze.scr
  3576 | ScrBlaze.scr
  4072 | ScrBlaze.scr
  4072 | ScrBlaze.scr
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2300 wrote to memory of 3576 | 2300 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe | 84
  PID 2300 wrote to memory of 3576 | 2300 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe | 84
  PID 2300 wrote to memory of 3576 | 2300 | 89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe"
  PID: 2300
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\ScrBlaze.scr (child of PID 2300)
    Command line: "C:\Windows\ScrBlaze.scr" /S
    PID: 3576
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- C:\Windows\ScrBlaze.scr
  Command line: C:\Windows\ScrBlaze.scr /s
  PID: 4072
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads