aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

General

Target

aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
Size

706KB
MD5

e95c2dd08bf1a35bd4203d263014937a
SHA1

79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6
SHA256

aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39
SHA512

310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspemCs36DqeQ8jawRXjZNam:gpQ/6trYlvYPK+lqD73TeGspWsKoAaAl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	ScrBlaze.scr
1120	ScrBlaze.scr

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
File opened for modification	C:\Windows\s18273659	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
File created	C:\Windows\ScrBlaze.scr	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	ScrBlaze.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ScrBlaze.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1752	AUDIODG.EXE
Token: 33	1752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1752	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
1204	ScrBlaze.scr
1204	ScrBlaze.scr
1120	ScrBlaze.scr
1120	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1204	1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	30
PID 1440 wrote to memory of 1204	1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	30
PID 1440 wrote to memory of 1204	1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	30
PID 1440 wrote to memory of 1204	1440	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	30

C:\Users\Admin\AppData\Local\Temp\aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
"C:\Users\Admin\AppData\Local\Temp\aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O5T150R7.txt

Filesize
72B

MD5
bf990095c1910f5425168bdc91d10a0b

SHA1
a0613412ec0b1483b1fd7b9504eb0f656a9dd3cd

SHA256
476ad674498003cde0f49c9c6693c5a9fa81f39d19f0446d663dd1fc5f009153

SHA512
897b2e8d726f0420300b1c47d30b13cbbf9ed0c31a9ce09ac353e28e75a057374ac091afa4bc3dc04a48742a2fa64c731aa0f5e41d7d23dbea0850dbe491a73d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SFBKVSS2.txt

Filesize
77B

MD5
5c606aba3603cd535ffbb92f8a3f3cde

SHA1
e59ec124d3bf90874b63b8706a71a5ed8829e573

SHA256
83d80c7f913bc18f49df8b8bb75a7c80784fa213f987ba2003978b276a3ba32e

SHA512
f05e23b316d081f057ab80a6ecab25db5b6ec9c062b8b7183d4aea4a7ffc1298c7bd7f6e1dfc3ab8f960988c232f0c9b05ca73c116016bc507b35d8127973e78

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\s18273659

Filesize
898B

MD5
813809e9d8c2f017462f9a6a5d0b8fb3

SHA1
f75292860e91aa19f33c95eb490660a2a79c6b10

SHA256
2ba3dfa957801b586134755c5ebe67fb445640121d494e288df0a258609da4d5

SHA512
27386327497495cf10a22f0f2660ab6884cd64a8ba4d4215ce3877b1dfd53f3c6b9d4425ec046adab4e9fbd2efe2d9633f9a03f2fd5800609a6467ac004704d7

Download Submit
C:\Windows\s18273659

Filesize
864B

MD5
dd589f88d1b99350ebb5bc334ecf9387

SHA1
54724b1e8bbf8f6fe3062a8666991b77877b6c6f

SHA256
3214eb8ab39992a713644311082adbb7b045d7a598a3b754ef839f2d7db84682

SHA512
a8c61c8a207dca23b089d22d05011765fedf6c94617fa65e4d61be0fab7e08742da1cee67e311a75b8e39f371686178eacec048325b9970ceb227ac9ef26b636

Download Submit
memory/1440-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads