41f03deaab7c0a911e2073ab00c3110b704bd5f64c8fc103c50ecf7be6874d1a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88a21c6abe4f4aa83970dd7531821ff7.exe
Size

706KB
MD5

88a21c6abe4f4aa83970dd7531821ff7
SHA1

b5dc951995804ba10594866002a8cb0e015f7dde
SHA256

41f03deaab7c0a911e2073ab00c3110b704bd5f64c8fc103c50ecf7be6874d1a
SHA512

78f05caf5cbc9c400fad6fafd37f576fb5059f9016b162efa3956d6194168fa709effa7e1d3d7f40bf97a6a3e83b3a521caa9f717d3a3f6bf485b2764a1ba824
SSDEEP

12288:gp/iN/mlVdtvrYeyZJf7kPK+iqBZn+D73iKHeGspXmr+nYSwpdD1BaQ:gpQ/6trYlvYPK+lqD73TeGspXm9yQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	88a21c6abe4f4aa83970dd7531821ff7.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	ScrBlaze.scr
2960	ScrBlaze.scr

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\s18273659	88a21c6abe4f4aa83970dd7531821ff7.exe
File opened for modification	C:\Windows\s18273659	88a21c6abe4f4aa83970dd7531821ff7.exe
File created	C:\Windows\ScrBlaze.scr	88a21c6abe4f4aa83970dd7531821ff7.exe
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr
File created	C:\Windows\s18273659	ScrBlaze.scr
File opened for modification	C:\Windows\s18273659	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\Desktop	88a21c6abe4f4aa83970dd7531821ff7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	88a21c6abe4f4aa83970dd7531821ff7.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\IESettingSync	ScrBlaze.scr
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3292	88a21c6abe4f4aa83970dd7531821ff7.exe
3292	88a21c6abe4f4aa83970dd7531821ff7.exe
2808	ScrBlaze.scr
2808	ScrBlaze.scr
2960	ScrBlaze.scr
2960	ScrBlaze.scr

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2808	3292	88a21c6abe4f4aa83970dd7531821ff7.exe	88
PID 3292 wrote to memory of 2808	3292	88a21c6abe4f4aa83970dd7531821ff7.exe	88
PID 3292 wrote to memory of 2808	3292	88a21c6abe4f4aa83970dd7531821ff7.exe	88

C:\Users\Admin\AppData\Local\Temp\88a21c6abe4f4aa83970dd7531821ff7.exe
"C:\Users\Admin\AppData\Local\Temp\88a21c6abe4f4aa83970dd7531821ff7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2808

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
7b0c931c9e5f4ae3b486907b8e65fe09

SHA1
abb761d0fe5318119a8a21204b56840a83c12584

SHA256
d21cfbea4d9bae6d62238f6c73b0c9d2b85ca549cd6c404d013e9f859d1e4fd8

SHA512
2f9a996f02606e5a0c8a288045644b43b45401f1bfd7dcc8593fde95573d77ac83b466af1d3b019f6ae444304f7c564a4685f751a68cb04d8f014d7001409c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_94C1D6A45E9FF1EA81CCD165811FFC09

Filesize
472B

MD5
31cd27db9734b0231236ca3fe4c4e477

SHA1
6483954b2085999a7248804668914e277383b5d3

SHA256
7109e651d4a4f9cad61e83f3b018c9e40608389f888aef639ec18f475db27cb6

SHA512
192c0c97106ec606cb3c100224f1d7bfd1221f5db3afe9d3af76a333dbe90c0e1a3f9dbc6bebd66ef722325169b5801ade02e94b597285c2649dea19eb46ee3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_E8C9186ED5BC2F64FC58A60C8F09BA16

Filesize
472B

MD5
94d94d501572aad958c8df92efd489b2

SHA1
fcd1aeba69e632c61e058418cec5fe1c53094c0b

SHA256
37e6327438daa7d175dcb22567308f1e6839f801c4ac264e6d125d3e91682fde

SHA512
95bff85865a2d3dc38ee26256f4c742f7bd424a6e2f3d3c87d0dfa6b816fca124634cea315e37858cb16743506c058290f1f949333a26b2d74d8d0ddcd2e8c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_39B83AB13ED8E512BB8030E3672AA4B8

Filesize
472B

MD5
d8615a5a76bcd918858797e85e70d066

SHA1
20c6ea1886b974faa1d79e24537f1e4db3f5c059

SHA256
549ac44ac6ea11dc0bab9aeeb71974223270c8ec27b8ee5301ad400446d3ce9d

SHA512
25559b451268d2dc7a5b7705d84107e878fa7d859e15198169bbbdd78fca9c103821a47e7d13a1720f040673bbb27fee72b98e56eb5c6489984543162dcad8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
66b56a9463771276b243b30d5a1a72c1

SHA1
8d61aa9c02cf606b02a8b093c7dac9d867257873

SHA256
3caa11d2286d94e06637bcab953a60c89c7bcac1bcefbb5c1c364081775ad959

SHA512
dd70349f3916590af51998d26ea250f4711b09b7b897f7fd7528567e73dfd4df14a2c2f4253de6a52d018ee6dae75b9a142773468723db001c9fbdc7eb62c60c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_94C1D6A45E9FF1EA81CCD165811FFC09

Filesize
402B

MD5
ec2e2efb6383bcf3e411381a3adc362f

SHA1
630a60a559f651792952e1ec4cf2ff47a9912157

SHA256
30fb7c5569d15e25377d37727ad4efb4b97d77bdab1c885048d580151d4a65e1

SHA512
e833772efdcd26b37cd5b5c98ab799e5996c6d62e75828b9f2e18dbda70d3fd0a18e1a5180f8aa9421f6a5b473b466846345472f97fa08adcbf5fa20d67dfca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_E8C9186ED5BC2F64FC58A60C8F09BA16

Filesize
410B

MD5
e2cdcb4ce18335952f69673f30c2e097

SHA1
30a049ba7709e2f88f52d84a86717517e0422327

SHA256
3c1456b658b169dd36a05b715ee05e13516bf8623946bea4ee5fe9783e0b556d

SHA512
442dd4892410b74e6b15c99607f0c20c8208ca96cf262cd96fb70586ce08b00dacee2097b46abb36086a9e9da86395a9680f710e09831aadb3ee220da4c0b41c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
8b2a2dfa0dc7fa13911f04d6cbe77d83

SHA1
fb1cb6cddd2cb3d8fcb6f456d1afb7713acb2340

SHA256
40d338bbd7bbe993052e1ca0d04f14d50798c63b390c5caf446bdd06349c134d

SHA512
1a4c49485b1a9309b86521a1c0c13505d47d974b0646519c9f218163675e80469b5cddae2caacee3e084e098975c14cf1a2a02197ca03d59f211a65d2c7aedd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_39B83AB13ED8E512BB8030E3672AA4B8

Filesize
402B

MD5
639ae0e19fec439b4c0053703ba73903

SHA1
22748093c18558c0549d4f28eeabffd1be4ae8c7

SHA256
6b14f6cd07b4af9e83728c499a80d16d319427c11e438cbdb5b5089f21ff2eac

SHA512
0367cdfc34ed1f6834451e386e9276860a1a54acb7a0bd0764fe92dda002f739a646d1678df9ba627ef8b4c03e3c41ca0dcb87273c93b7cabcdec8c6cb587d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\css[1].css

Filesize
312B

MD5
3ef01f3fc6cb57c3e0cfe4bdef583664

SHA1
16211cb89f3ac90889d518414c0fa2a19b7b4395

SHA256
e90da73c667938c2223b994b02d36fab3e28dc3ab70bc22bfb8a0c119fd9b59f

SHA512
c74d0495089d7430c34591eecd059db5f1e104d739a7f846b27b5d84423db0ec7141594df30e62083f6582770c18baf645422003fa74f435b5d5ef6e7ec14c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\css[2].css

Filesize
181B

MD5
2185e243008e7e21de1e91008e151338

SHA1
84edabccc8bb842762c91b5c0bf8952b98f93608

SHA256
24d65ce5cfaf00f3a3b267848cbd3c5dda4562b0b48020991dfeb283d4de38cb

SHA512
4679aa54508e988a0893085205c596ce631fa66139bf514b8cca0ccf3f01df9e73ec7e47017975e35a464289b73421a7fbdb3aefa42d112ef6e20fe404eef7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\font[1].eot

Filesize
16KB

MD5
ff67c9707a52327e4af9a776959f0249

SHA1
cacacc23a517b3bf0800140f3a7ca5ab3aa0f395

SHA256
80a39406e27bfb23c559190a09789293f015b83adfe878febfa02eed0e7198ff

SHA512
4e1754ea6042e02929661c42eb269802cc52228e2409d4410593414f8a04729cbb3ddc48c2881e0a41e191f57f3044c1a2b0f5805fe49a85e846ba08f0bc604f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08N5I3QV\font[2].eot

Filesize
17KB

MD5
b92a5a1a6e756eb073f57797ed451bd7

SHA1
8b67fbbeaf9e994c678a21bb26a6463aa30e3352

SHA256
d8170a9ddcf1b455f9279db2500275bca12ede9d48a311ead5cbef84ec1c707f

SHA512
885a945259dd094d99dd6dea007547041dbfbe18550c2d5ad25b66ee8ec1e052e9b604ce2c42cc6a005d4a566e379a922c57d52ed527f75babb81a96eebd1523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BPK32G26\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BPK32G26\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DV2I56HE\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4T5ISGA\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M4T5ISGA\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
706KB

MD5
88a21c6abe4f4aa83970dd7531821ff7

SHA1
b5dc951995804ba10594866002a8cb0e015f7dde

SHA256
41f03deaab7c0a911e2073ab00c3110b704bd5f64c8fc103c50ecf7be6874d1a

SHA512
78f05caf5cbc9c400fad6fafd37f576fb5059f9016b162efa3956d6194168fa709effa7e1d3d7f40bf97a6a3e83b3a521caa9f717d3a3f6bf485b2764a1ba824

Download Submit
C:\Windows\s18273659

Filesize
985B

MD5
3cceab1bd0391a4566791ba1c9543a42

SHA1
2d8a1e748464b5ba83fa9d897974e561df134ebe

SHA256
5f2eff4a47537376cf531b6ac0ff626d34ff176b4da62226872bee36222801d7

SHA512
97505b1b8d7b5c61c2264c390ee8702961324409c368c923bd38c18bf314de6fefa102b4bb3bf8b5e755498451917efaad962cfde33ffe4c4efab15898c098b6

Download Submit
memory/2808-76-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2808-37-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2808-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2960-88-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2960-106-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3292-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3292-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download