6fb7dafecdb6cc5057a1f3f463f8226862cd91f048b3fce1dcb717ce235bf01b

General

Target

HEUR-Trojan.Win32.Scar.exe
Size

435KB
MD5

5b3a43ee0436e6cba5d5aa7af299d860
SHA1

46be909ef35628c79813eb28e7a54e4e09548858
SHA256

6fb7dafecdb6cc5057a1f3f463f8226862cd91f048b3fce1dcb717ce235bf01b
SHA512

28b2e07fac997b6e4a036658dd211fd25632c4b107d8dc96ba9ee60ea09d15a71832274e4f52bb998cf36a407fcafd43f9d4c6e31f0d8a6838336905aa30b88c
SSDEEP

12288:Zv1nWdQP1EDhZPxYa4MSNYA4hSr1iJCSnjV57P:Z9ndEVf94Ywr1QCQVRP

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Scar.exe

Executes dropped EXE 2 IoCs

pid	Process
4956	Isass.exe
2564	EN_HEUR-Trojan.Win32.Scar.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	HEUR-Trojan.Win32.Scar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Program Files (x86)\\Microsoft Build\\Isass.exe"	HEUR-Trojan.Win32.Scar.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Build\Isass.exe	HEUR-Trojan.Win32.Scar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2064	HEUR-Trojan.Win32.Scar.exe
2064	HEUR-Trojan.Win32.Scar.exe
4956	Isass.exe
4956	Isass.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4956	2064	HEUR-Trojan.Win32.Scar.exe	98
PID 2064 wrote to memory of 4956	2064	HEUR-Trojan.Win32.Scar.exe	98
PID 2064 wrote to memory of 4956	2064	HEUR-Trojan.Win32.Scar.exe	98
PID 2064 wrote to memory of 2564	2064	HEUR-Trojan.Win32.Scar.exe	99
PID 2064 wrote to memory of 2564	2064	HEUR-Trojan.Win32.Scar.exe	99

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Scar.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Scar.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Microsoft Build\Isass.exe
  "C:\Program Files (x86)\Microsoft Build\Isass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\EN_HEUR-Trojan.Win32.Scar.exe
  "C:\Users\Admin\AppData\Local\Temp\EN_HEUR-Trojan.Win32.Scar.exe"
  2⤵
  - Executes dropped EXE
  PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Build\Isass.exe

Filesize
213KB

MD5
844e0ac308dcb6a9cbf19ba0003c4ead

SHA1
4142565025ef000101408c7ab73a48fe68edd2f3

SHA256
cab53046225bc6d24321d3eddcf3192371285350d8d4ea370e2a1808d96560d5

SHA512
3db7a8171f4a0dfa6f1b5e6cc0d7c10d479a1381353085366bb2a8019aaea427950781adc7dffa1e77c8a26dad6c0690af69836f5d6d86e7b3a44aecfafb394c

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
687KB

MD5
de21a4ac6609b0a047b6ab17fcd63cd1

SHA1
803361c7e09bc2dd789ba0d5535bca82855bd48f

SHA256
ce467b92fc92af571d606ec7d79b8173f442d6e55aa43b91248531120f0b9015

SHA512
1fde21c921fa5baf6294d66f3337ac4d4aff89c3920415f1259e97339eea0deb07689fd44fcad0542ca66fc3ee09eb2263e245c2c3cd436b7f55e679d8ed24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN_HEUR-Trojan.Win32.Scar.exe

Filesize
219KB

MD5
e2312f199976d03a7cf41e453c5af246

SHA1
c723bf05f7132c9b66c4f91d6cc363d08b4ed622

SHA256
84fe7824717bb55d7f32c7487e37012a1bc6cd4c8c0202be4bfb07e770f8dc51

SHA512
a5cad97d8bcf893b79eed436ae8df232d7e53df86a0ed38b381c128c5d8c76c0caad41407ed564f2ea2725236eb98ea6d29413886ea22371920bf2b498b49686

Download Submit
memory/2064-16-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/2064-1-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-21-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-28-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-19-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-20-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-7-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/4956-22-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-25-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-26-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-6-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-18-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-32-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-33-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-34-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-35-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-36-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-37-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download
memory/4956-39-0x0000000000400000-0x00000000016A7000-memory.dmp

Filesize
18.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads