865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

General

Target

865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
Size

706KB
MD5

62fb3e66c7ff27f0c0c835ce47fb3434
SHA1

3376849ed9fff0255aff757e5ceb49190e50793e
SHA256

865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa
SHA512

9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspxjg0rDHnam:gpQ/6trYlvYPK+lqD73TeGspxjzam

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2732	ScrBlaze.scr
3660	ScrBlaze.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
File opened for modification	C:\Windows\s18273659	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
File created	C:\Windows\ScrBlaze.scr	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
File created	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\GPU	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4868	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
4868	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
2732	ScrBlaze.scr
2732	ScrBlaze.scr
3660	ScrBlaze.scr
3660	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2732	4868	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	80
PID 4868 wrote to memory of 2732	4868	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	80
PID 4868 wrote to memory of 2732	4868	865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe	80

C:\Users\Admin\AppData\Local\Temp\865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe
"C:\Users\Admin\AppData\Local\Temp\865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2732

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\48VMALJK\17NKjm[1].htm

Filesize
125B

MD5
1cd6fcc634a5715f528fa28fd1a87c54

SHA1
6a6d7dac28bb8a89e87ed677966f95df583ee210

SHA256
d233c49335982d56db02bebfdb395b50c19fc0bf8fcb61409afe0777c08a501d

SHA512
1ff16b809e07511efcadb7fa1af2b26ad092c42a65aa1ff3e4ee8e07bbdee836eab660b9ae3ed3ce1016dd08699826064759a3077696eb604d42b64d1b320c32

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
62fb3e66c7ff27f0c0c835ce47fb3434

SHA1
3376849ed9fff0255aff757e5ceb49190e50793e

SHA256
865ad7cdfc9f6d685f89235bd94dee185bbfda19af79917dfd6096d8745d52aa

SHA512
9cafb43aa1a5dcf33b92e64d63009579f71c602155fa32ba338f722f3e6155e90f8566df46b1bc19e0992b35edfd4b51c10ad44d3fe9a45d221fe300ff1de2c4

Download Submit
C:\Windows\s18273659

Filesize
907B

MD5
fbdeeeebb5d58ced7e02010a5cbdc6e3

SHA1
fbfa9374130a1ab8c373b55471eced97e19dc69c

SHA256
9532bd7d9c9909f5dacce010e18c6a0a661480d131e0e9ef10f415f7baa8bbca

SHA512
39ff856c9c057aeb99dd6e62502e605b85497d0be6b9158fcb2c2ecf50fd769b49dbce0f94ebb3781c6830a95a90ea536bdcdb53cedb48782068e1f264e5f787

Download Submit
C:\Windows\s18273659

Filesize
907B

MD5
fbdeeeebb5d58ced7e02010a5cbdc6e3

SHA1
fbfa9374130a1ab8c373b55471eced97e19dc69c

SHA256
9532bd7d9c9909f5dacce010e18c6a0a661480d131e0e9ef10f415f7baa8bbca

SHA512
39ff856c9c057aeb99dd6e62502e605b85497d0be6b9158fcb2c2ecf50fd769b49dbce0f94ebb3781c6830a95a90ea536bdcdb53cedb48782068e1f264e5f787

Download Submit
C:\Windows\s18273659

Filesize
929B

MD5
64d348e6112231c3970f933b0b8a7b4a

SHA1
0cd11b59c8a104503c709ca73295ee9016e120ca

SHA256
ee47f516f7b8bcbeff4f6257bd04c1610162c79f630a4619102548e7e96be926

SHA512
b1b9d2be7225fd585131c980e65344dd2c343e58291eff4eca1521af8469cbc3b9768d3baff6a32a3eea760547feb35e995a1f2c64e9ab40b48bbd91da0d3ecd

Download Submit

Analysis

Sharing