89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

Analysis

max time kernel
130s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
Size

706KB
MD5

6a2a7001bbafede13da555270ccdf8df
SHA1

6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce
SHA256

89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104
SHA512

653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspkQvex8nam:gpQ/6trYlvYPK+lqD73TeGspkcehm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3576	ScrBlaze.scr
4072	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ScrBlaze.scr	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
File opened for modification	C:\Windows\s18273659	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2300	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
2300	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
3576	ScrBlaze.scr
3576	ScrBlaze.scr
4072	ScrBlaze.scr
4072	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3576	2300	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	84
PID 2300 wrote to memory of 3576	2300	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	84
PID 2300 wrote to memory of 3576	2300	89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe	84

C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe
"C:\Users\Admin\AppData\Local\Temp\89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3576

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\47NRIJ2V\scrblaze_05[1].gif

Filesize
531B

MD5
c99d0cf85fae690ba18ef4043ec1fb50

SHA1
a2cd0b943fcb5bd4cac3db4a7216ce1abbc75f11

SHA256
94361033a75af7a44e92ec411fa681a8fbfcffadb9630cec670721db5f94c5bb

SHA512
4131eacc42bd6a43ecc2fee1295debf1f9e178bd08d46b2cc9d38349a02bb2b58c668333969e0649538d34c158c0368be9a60bc63a98624232340e7ef4029513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\home[1].htm

Filesize
12KB

MD5
f774fd2f8ec0471466436aaba72356eb

SHA1
f6fd7187e05b177f799f88b7337670cd4b5daeb4

SHA256
c3a52c9b5363d92d48de4b2b105fece95d85e8c17030fae33d0c753dcf88e3b9

SHA512
2ebe8b38752f6920da6aada653fbd323cc3453ffffa12e0f8c9b3ba20524118e6b33b07339c5bef8bcaa7280efcb52ffd49989a588d8515ad2841c659ea3d70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\scrblaze_06[1].gif

Filesize
941B

MD5
564c91f113d0fbde4bcbd051806267c4

SHA1
fe5f321982741e3d322d57f1f6324b47c9e9b9f6

SHA256
bbe0351ce04159de29ea684ca739e01e9cde7f3ad9c87dcad2f7b5612b5baa1c

SHA512
c5946ad6064e25309837a414a2487a5c1a3ae1cd7a193945fcd25bcb21b327821dcf1cb07078518a97a07c8623a31dc3f665fd43d40315ca3970e2b92b59aebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MBR7CLLA\scrblaze_07[1].gif

Filesize
1KB

MD5
069e81b554f05e898c337755a7556716

SHA1
fa5cc6dc93a146ed21ea370826cfbf263dfb33a1

SHA256
4f7e3ee95a131f07a298c2e25a8b609a0665b9b1ffc64696136aa950dc055d9f

SHA512
7908bb06847cb04c890944acb6c47924e6065b55036435be2d0ee55337c0603386b83ae1ba07a8991e85f58ab75462525674a99b0ff75e9998b20fe98a7b6550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\scrblaze_04[1].gif

Filesize
2KB

MD5
1ce415a470e142bf4ab70d9f9e7d0a77

SHA1
521d895938b6c79554de671b543a1b00440bd268

SHA256
d973be5262d97e2ef40db8522beead2642483e04b46cb0c9122fba6c966b27ed

SHA512
6bf9612b9fe42253811a2ee8293eb7faa33eb60f5b538e4892da9d5bcfc0b924518e935dc689e4fb6b801e5795296c5141a527e0260958622f4cdea661f7b25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\scrblaze_01[1].gif

Filesize
21KB

MD5
81669519d2e40ab6dd12aa170b8e4cea

SHA1
05c8db44b479bcada4f8460cbdd89981f5c0ebac

SHA256
68efd9776e403d2b92150d7266dcc81fa8650ab163575bc42824c851309efa16

SHA512
df09843f1ff7348b5547ecce9cf47646b07075179e4270c4083dc6f76442ffd5e988f5010142a48e1d7978d22f8e292237481b5f5c6aa753272287f1603dd372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\scrblaze_02[1].gif

Filesize
2KB

MD5
b2e7475054308d4d2890b1429468fbe2

SHA1
8774e63707cfe5d6fca15cfa06f0d4fb8ddcddeb

SHA256
a72f06f1c39cda4f92d507e346da8334675f1da5e7cdb8b587d02bd0aadddd09

SHA512
9484e3626b4ac7a9062de5b777544fa52669630b718d86496d451ee8bb80766674d0885abf4a2e341c87dd0d64bcda9c92e337605d061bd1e83441f76e9291e7

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6a2a7001bbafede13da555270ccdf8df

SHA1
6df0c01f6f1e175a3a1d40c62ddc2af775aee4ce

SHA256
89d80a0c629c626a894c80205a269f7e5fcd48d5f7300aa40b5f72511da8e104

SHA512
653961c827fb27884e0330273b2cbd5fdc0e04beff6d87d21ed8e8d8f714f3196cbc141d11bdf035e40367c29541a3deae3bd8cd1b158e652a1bd28a22d89a91

Download Submit
C:\Windows\s18273659

Filesize
964B

MD5
ce57c6d3610e42686018e0d9c622f42b

SHA1
d2051a5944a25075632e00362e0139b4f439d839

SHA256
ab973ce0aac2bbd80ef07b0c9222e16e3000a99341edc7a94b14c701ffc20897

SHA512
029d4e96597c7de38dc9357bbed3b1eef8e6294a8338d70a91e0320faa60d8e8f417276509331099ad1d3ef6f5a2bcba08e923a7771f07a40ce4793d6e998565

Download Submit
C:\Windows\s18273659

Filesize
892B

MD5
d030e2097942005b575931f3739b2f3a

SHA1
dd7d7ba5a6c8e94a1b4aa9578907f72e5cb6fd40

SHA256
d0e5092fbdb2358a3e6ab170c070171f6beb39f439d09269fe6d5f194a7a1f69

SHA512
40d909d4584a6e65d964d53482865f07872315ccce6e7b90f8dee28ec8ac4c2b052c63900aa507fc2fb08c7461b94eba1a3e4891eedca848cad1dda79d161ceb

Download Submit