7c0c2c2ac8bb363c372b015c46e2bc8e57b895b0e61a7728622c0134f476cff0

General

Target

80480df20528a22dee4ff724e155e4f0.exe
Size

706KB
MD5

80480df20528a22dee4ff724e155e4f0
SHA1

f8d53c2693c7b0a7ec57804cfe73d518d5f858c9
SHA256

7c0c2c2ac8bb363c372b015c46e2bc8e57b895b0e61a7728622c0134f476cff0
SHA512

1a9c711da9cdf2ac26fccce16828dbf91f4c4d664c25547a462b800df005abd97f613f8950e562ce0d9ae6600773782ce69a26e10070971bfe7ce3bfbf48f82f
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGsptI7FNtWS0Oam:gpQ/6trYlvYPK+lqD73TeGsptIpDWPm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	ScrBlaze.scr

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	80480df20528a22dee4ff724e155e4f0.exe
File opened for modification	C:\Windows\s18273659	80480df20528a22dee4ff724e155e4f0.exe
File created	C:\Windows\ScrBlaze.scr	80480df20528a22dee4ff724e155e4f0.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop	80480df20528a22dee4ff724e155e4f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	80480df20528a22dee4ff724e155e4f0.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2880	80480df20528a22dee4ff724e155e4f0.exe
2880	80480df20528a22dee4ff724e155e4f0.exe
2724	ScrBlaze.scr
2724	ScrBlaze.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2724	2880	80480df20528a22dee4ff724e155e4f0.exe	29
PID 2880 wrote to memory of 2724	2880	80480df20528a22dee4ff724e155e4f0.exe	29
PID 2880 wrote to memory of 2724	2880	80480df20528a22dee4ff724e155e4f0.exe	29
PID 2880 wrote to memory of 2724	2880	80480df20528a22dee4ff724e155e4f0.exe	29

C:\Users\Admin\AppData\Local\Temp\80480df20528a22dee4ff724e155e4f0.exe
"C:\Users\Admin\AppData\Local\Temp\80480df20528a22dee4ff724e155e4f0.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\47GK3MWP.txt

Filesize
73B

MD5
cc72ae9fad187d5f386609980c6482d7

SHA1
28cb399a98d18b200a5c12f700e9e7a558286da2

SHA256
0c71f7bff22cbde479407ae4b7268362a1e535de137e1b03cb548c002d6b0763

SHA512
9af0e784a06e381b2e187b025e5f1fea2965ee9694cbbe3bd1a5f55897af6c0c9b1a33151c3c7722b806654d20b74940a22e28eb11ce82d560d96f08f1878435

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
80480df20528a22dee4ff724e155e4f0

SHA1
f8d53c2693c7b0a7ec57804cfe73d518d5f858c9

SHA256
7c0c2c2ac8bb363c372b015c46e2bc8e57b895b0e61a7728622c0134f476cff0

SHA512
1a9c711da9cdf2ac26fccce16828dbf91f4c4d664c25547a462b800df005abd97f613f8950e562ce0d9ae6600773782ce69a26e10070971bfe7ce3bfbf48f82f

Download Submit
C:\Windows\s18273659

Filesize
825B

MD5
d65166943fba3032efadd102a502b056

SHA1
a9834d819fdd3f4ed02fc43d684b6ad1e525ff08

SHA256
0f2a908a50479089064985a0c3f1232142882d23ff8c491dfe18d2bd07eb27dc

SHA512
aa80b32bef8eec415337c7811525ebe9f2ee76916142377c17f958487e7f5865cad05f5c348fbecb9d9cad460e0db90dab07ed27d9f414e847dd9f2cf0ab0f00

Download Submit
memory/2724-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-25-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-28-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2724-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2880-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-6-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2880-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing