853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c

General

Target

853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
Size

706KB
MD5

6dbf22845f9b2867c61cef220aa209a6
SHA1

fe52da591ed84ec0bb57319c80326c11a6cd4173
SHA256

853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c
SHA512

f2a336dc377ce91e354712e9fd7534c1f4dfea0d9fdfa127d0d5704e79bf6557f996cf5a9e5644020e13c01459a3ac7dde210aa6f9a3cf3f75e46b2e4ff58b4f
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspmWKDXJtYsTi17a:gpQ/6trYlvYPK+lqD73TeGspmptNTik

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
772	ScrBlaze.scr
1944	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
File opened for modification	C:\Windows\s18273659	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
File created	C:\Windows\ScrBlaze.scr	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
772	ScrBlaze.scr

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE
Token: 33	1112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1112	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
772	ScrBlaze.scr
772	ScrBlaze.scr
1944	ScrBlaze.scr
1944	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 772	1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe	29
PID 1444 wrote to memory of 772	1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe	29
PID 1444 wrote to memory of 772	1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe	29
PID 1444 wrote to memory of 772	1444	853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe	29

C:\Users\Admin\AppData\Local\Temp\853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe
"C:\Users\Admin\AppData\Local\Temp\853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\58OXC2EF.txt

Filesize
74B

MD5
ededbc8dda025db7d4ec213e27230cc8

SHA1
c3eb68c0ca9ef67e349815bdff5f03293416a438

SHA256
08b10f3ce7fee5437869851e3dd334bc555b9415b71e5904660f04387507d3b8

SHA512
b3a4ad727fe41f827712699ac168690c99c34644355987387324454d635253b4406aba71e133ef7ab14c801b56ba4ee3ab0334aba00a59af8fa353030c304f0a

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6dbf22845f9b2867c61cef220aa209a6

SHA1
fe52da591ed84ec0bb57319c80326c11a6cd4173

SHA256
853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c

SHA512
f2a336dc377ce91e354712e9fd7534c1f4dfea0d9fdfa127d0d5704e79bf6557f996cf5a9e5644020e13c01459a3ac7dde210aa6f9a3cf3f75e46b2e4ff58b4f

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6dbf22845f9b2867c61cef220aa209a6

SHA1
fe52da591ed84ec0bb57319c80326c11a6cd4173

SHA256
853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c

SHA512
f2a336dc377ce91e354712e9fd7534c1f4dfea0d9fdfa127d0d5704e79bf6557f996cf5a9e5644020e13c01459a3ac7dde210aa6f9a3cf3f75e46b2e4ff58b4f

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
6dbf22845f9b2867c61cef220aa209a6

SHA1
fe52da591ed84ec0bb57319c80326c11a6cd4173

SHA256
853827520a9f90eb050e0dcb2f2a0f2c8ddc61508c4a7adc6316ef6a9ff3515c

SHA512
f2a336dc377ce91e354712e9fd7534c1f4dfea0d9fdfa127d0d5704e79bf6557f996cf5a9e5644020e13c01459a3ac7dde210aa6f9a3cf3f75e46b2e4ff58b4f

Download Submit
C:\Windows\s18273659

Filesize
906B

MD5
6a923b00457ec0b7fed99bedc5b7803c

SHA1
02a0d4b9d3d76fa53e7e9049abc21e909c3b355c

SHA256
c0cf92ffaa10ef62597443877cc90f320b0b7c8a8906e2535469409f60f65d64

SHA512
df5d5a828e19ca90c852afd5757bb362f609790604c7168bd9f1086382a9dd5f9d56339bf2b5a1aa335ff7d167552fa0eb7f607d986282864839121f77526b65

Download Submit
C:\Windows\s18273659

Filesize
926B

MD5
bff91ea9a6cee71083f6ba044131ec4c

SHA1
6d8860cfaf1014a973bf0839b2ba084ded6de2e4

SHA256
476433d1459a90659fa9113152a95ef229a4d8f52056a39403b32dbdd79292d7

SHA512
fb5e6fbb1aad620a916317dff25712e32fc92af55c1f48012a8f8c1cdf8aa68de9d4f6edc8ba6fb9d5142a24c9289c209bbb0b96362db3f3b64373438fd87401

Download Submit
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing