aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

General

Target

aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
Size

706KB
MD5

e95c2dd08bf1a35bd4203d263014937a
SHA1

79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6
SHA256

aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39
SHA512

310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspemCs36DqeQ8jawRXjZNam:gpQ/6trYlvYPK+lqD73TeGspWsKoAaAl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4964	ScrBlaze.scr
3988	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ScrBlaze.scr	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
File opened for modification	C:\Windows\s18273659	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
956	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
956	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
4964	ScrBlaze.scr
4964	ScrBlaze.scr
3988	ScrBlaze.scr
3988	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 4964	956	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	80
PID 956 wrote to memory of 4964	956	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	80
PID 956 wrote to memory of 4964	956	aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe	80

C:\Users\Admin\AppData\Local\Temp\aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe
"C:\Users\Admin\AppData\Local\Temp\aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4964

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\17NKjm[1].htm

Filesize
125B

MD5
1cd6fcc634a5715f528fa28fd1a87c54

SHA1
6a6d7dac28bb8a89e87ed677966f95df583ee210

SHA256
d233c49335982d56db02bebfdb395b50c19fc0bf8fcb61409afe0777c08a501d

SHA512
1ff16b809e07511efcadb7fa1af2b26ad092c42a65aa1ff3e4ee8e07bbdee836eab660b9ae3ed3ce1016dd08699826064759a3077696eb604d42b64d1b320c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\94PW68LC\steamtown[1].htm

Filesize
2KB

MD5
d184e9a1274731ddfdd0ad7c15ebd510

SHA1
513eadf0f0916c3492426fed9fd3df1468457ffc

SHA256
aef9f97137009eec603bb676f9e291f865488442d9d62766e6c5d895b0bc3faa

SHA512
93e044ae2f5ecadab262a94603d9e62fe03d1def9c93eefd3eea74485b3386cb126a0045abd4b002f3f9a2af76ac5611e6c25fc69b52b534f80c2a02ce9e7034

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
e95c2dd08bf1a35bd4203d263014937a

SHA1
79db7c1c20f09f3b4436831caaf7e2cf47e7f8a6

SHA256
aeefcd58ac62baf48572d82051f71fe2bd1a861962b85fd1a8e2ca04d07f0f39

SHA512
310a9fdc07f5cfea452200922326568495abc9f602ce6e92527a6d2639cc47d4f20b01d0aa7adcb9928506cfbaea1cccf1711ba20f3e64bd42c70e9e1d95ec41

Download Submit
C:\Windows\s18273659

Filesize
819B

MD5
0fb7c1e9474eb454497b9bd99d789f56

SHA1
7bdf74c6cac8f35c76bb2fe3d7b69303f1ad0a3c

SHA256
b908c5ae677e7eb9ff4a01b5d2e5af90553960c237bf3dc1d2062a3c59ac4aea

SHA512
c1c3af9c7dc04ef66715e1a052a9fd2134069419c500046c57ac0432df44976676fc64664053b4f7bd391974dce11d8d48679f3e8150ce5ad1755bb241110452

Download Submit
C:\Windows\s18273659

Filesize
819B

MD5
0fb7c1e9474eb454497b9bd99d789f56

SHA1
7bdf74c6cac8f35c76bb2fe3d7b69303f1ad0a3c

SHA256
b908c5ae677e7eb9ff4a01b5d2e5af90553960c237bf3dc1d2062a3c59ac4aea

SHA512
c1c3af9c7dc04ef66715e1a052a9fd2134069419c500046c57ac0432df44976676fc64664053b4f7bd391974dce11d8d48679f3e8150ce5ad1755bb241110452

Download Submit
C:\Windows\s18273659

Filesize
857B

MD5
d7ec223136fc35e3101bc1dd9c117ceb

SHA1
5f5799e217ec66f112ee545f2cd6469a21a7b807

SHA256
4b8acd9c90c0ce6f711782c066ebcc6a95102c6865ef4487b5f97c757cf139ba

SHA512
f6b58868b37b0bd3a1cf8dfadb86e280a6e2399ff93aff373e73cbfbceb8533fd1bf2dcfa082a6b676f855811d67e000494b92d720114a221c6cb97bd308c35d

Download Submit
memory/4964-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing