865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

General

Target

865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
Size

706KB
MD5

62fb3e66c7ff27f0c0c835ce47fb3434
SHA1

3376849ed9fff0255aff757e5ceb49190e50793e
SHA256

865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa
SHA512

9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspxjg0rDHnam:gpQ/6trYlvYPK+lqD73TeGspxjzam

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
908	ScrBlaze.scr
1128	ScrBlaze.scr

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
File created	C:\Windows\ScrBlaze.scr	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
908	ScrBlaze.scr
908	ScrBlaze.scr
1128	ScrBlaze.scr
1128	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 908	1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	30
PID 1960 wrote to memory of 908	1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	30
PID 1960 wrote to memory of 908	1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	30
PID 1960 wrote to memory of 908	1960	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	30

C:\Users\Admin\AppData\Local\Temp\865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
"C:\Users\Admin\AppData\Local\Temp\865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:908

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\16MMD6A3.txt

Filesize
72B

MD5
fd709992882da9df32089bf7da6669d7

SHA1
22090ea46523d9ee88315e0634402809603a719d

SHA256
15e9c98960f4d87dfe60457bce2ab11618c8091a9e9c040061c5803403372758

SHA512
f504dfe2186a1c3cea7a0152e03e7d33a4dff58ad0b9a4487600fe1cfe0fff52b2370530900ae8345d406be337bd6a5a76f51db69970d01d2c9f603bfdd71a4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9H7A1O69.txt

Filesize
78B

MD5
e73dad52c1dfb411e092c773fb4e2cd5

SHA1
efa70faeede90bf1b03548c89ea53a84e3be3d9f

SHA256
7608bdccacb6f3d5c9ebaad6937b2f974784f93e3151b59396646f881c8f551c

SHA512
c8e588ee844a0e524159ce138d8f5c7691b6e942a7b87accea503ca592ec0123901456b685f4fbdd0963fe35c67a138894befeea1ad9dfb39648f8d258633d0f

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\s18273659

Filesize
891B

MD5
8bb8202e41a992f17e136196624bd3a6

SHA1
3e1d8c31100170a3f39b99499707bb192a8154ce

SHA256
97939f4857c346383c75c3db9fe3dc8b5377fdff95cd507328bbc85d3d23fa20

SHA512
38cd1ce21b6969d63859c636988cc36df2b154eefb1c77a11573b245a5cc486672603616f9fb07fbb360c6af361f3de42c72b169762325d66fc9f385373722de

Download Submit
C:\Windows\s18273659

Filesize
855B

MD5
7daf2f32b1a6c223001e0ee3cd037bea

SHA1
45be9aa675cd276a0ebdf7f615d32d4099a505d8

SHA256
6ea04adbd21292edad5c299839a19773e84696a52d4babdd290d39c0bf255450

SHA512
bb120c905eb07b0c4c12aba3220fe7e2e6646e58372bb47eb4f12914ea71308092c37cc983d51e82eca5deb1846c7cc5cdb2cb5f69e9474d6f35ff37e89ab374

Download Submit
memory/1960-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing