banload | 0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec

Analysis

max time kernel
25s
max time network
18s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-08-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black Mesa Monitor Screensaver.exe
Size

2.9MB
MD5

89044caf59d133723b2ca8386ba812e6
SHA1

ecb695a01219648fa53e51d9118610c48fc88d74
SHA256

0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec
SHA512

0c9912a93e7626cc625485884addc1c1f2ab8b8401f6e73f2cbb8a9c49a843569e114568eade86e8c23e1d6f8b394297bd35191be834bf5784244096a6d45e79
SSDEEP

49152:C9vxKshalUdKJ8z2xZ4Hrs1YShHZdwL8npzbxBAN0W/oRadJqJA8NU:MvOyK8zL419dZeLwzbDANXUad9

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr

Executes dropped EXE 4 IoCs

pid	Process
3756	Black Mesa Monitor Screensaver.tmp
592	Black Mesa Monitor Screensaver.scr
1824	Black Mesa Monitor Screensaver.scr
1684	Black Mesa Monitor Screensaver.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-5G492.tmp	Black Mesa Monitor Screensaver.tmp

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-PIS8V.tmp	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-FDK2M.tmp	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-TQI16.tmp	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-70QGR.tmp	Black Mesa Monitor Screensaver.tmp
File opened for modification	C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat	Black Mesa Monitor Screensaver.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr

Modifies Control Panel 7 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop	Black Mesa Monitor Screensaver.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR"	Black Mesa Monitor Screensaver.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveActive = "1"	Black Mesa Monitor Screensaver.tmp
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\zjJmtr\ = "Nw{ZXV\x7fBvz\x7ffF}oL`xgL"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\opsvuGqBKc	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC\ = "dQLXSC{WYODGjjJ_HAIvmjkwvp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVzxg]o[fbzbnT"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\aNRwv	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fSsKLgVj^R`KSnwJ\x7fr{mg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wykkcLkf\ = "DvQMIEEXTuWa^fVa^{S}A{]`qmTtfOO]"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\jgpm	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\opsvuGqBKc\ = "Grj[CKkS\x7fwy^Q`OFimT~}jNQ[DHXsT"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC\ = "@MapdMebg\|}\x7fQsIsz`LuOLVlrH"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID\ = "InkObjCore.msinkaut.InkObject.1"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\zjJmtr	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\zjJmtr\ = "NyEW}MXzEm\\PJ{UrphfL"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpvHMkhao_E[vl}WLcmPG"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\oqQJt\ = "PM\\CsJJElftAF@QBPLxrDBj_Kh"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fSsKLgVj^RLKSnwJ\x7fr{mg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "InkObject Class"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID\ = "InkObjCore.msinkaut.InkObject"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\aNRwv	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVtxg]o[bBUrc`"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\opsvuGqBKc	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hVyxg]o[g@I@Gh"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\oqQJt	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\aNRwv\ = "jjNKtGfPE\\LZCg{YS^"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\aNRwv\ = "ZnvABCZ^UR][zB_cxg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkIhsGTHOlH`nT"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkKhsGTHENRZD\\"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wykkcLkf	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC\ = "dQLXSC{WYODGjjJ_HAIvajkwvp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\kRrVMwDganzRl\ = "fS\x7fKLgVj^R`KSnwJ\x7fr{mg"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wykkcLkf	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\zjJmtr	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\oqQJt	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\jgpm\ = "KcRZRWcAXJfEaJ`y"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\NsyWpMuWeAehC	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkDhsGTHJnTRJ\\"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpzHMkhao_E[vl}WLcmPG"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox\ = "hV{xg]o[mbSzm`"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ = "C:\\Windows\\SysWOW64\\InkObjCore.dll"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\opsvuGqBKc\ = "}@opDIu~n]ltO]jyzF]`nqPb\x7fjFxvg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\jgpm\ = "]O\|lak@\|qD\\P~\x7fPn"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\mAExptvuQyox	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Both"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\oqQJt\ = "AF]WEPiSxz\\i\\jUrw]d{AkRZa\x7f"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\mAExptvuQyox\ = "\x7fkJhsGTHNN{BGh"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\kRrVMwDganzRl\ = "tpvHMkhao_i[vl}WLcmPG"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Programmable	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\NsyWpMuWeAehC\ = "@MapdMebg\|}\x7fQsIsz`LuCLVlrH"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wykkcLkf\ = "\|BiCbB`Zk^oJiJEjOEmTJhtlrpxKlmhr"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\jgpm	Black Mesa Monitor Screensaver.scr

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:0C1DBA97	Black Mesa Monitor Screensaver.scr
File opened for modification	C:\ProgramData\TEMP:0C1DBA97	Black Mesa Monitor Screensaver.scr

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	Black Mesa Monitor Screensaver.tmp
3756	Black Mesa Monitor Screensaver.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	592	Black Mesa Monitor Screensaver.scr
Token: SeIncBasePriorityPrivilege	592	Black Mesa Monitor Screensaver.scr
Token: SeShutdownPrivilege	592	Black Mesa Monitor Screensaver.scr
Token: SeCreatePagefilePrivilege	592	Black Mesa Monitor Screensaver.scr
Token: 33	1824	Black Mesa Monitor Screensaver.scr
Token: SeIncBasePriorityPrivilege	1824	Black Mesa Monitor Screensaver.scr
Token: SeShutdownPrivilege	1824	Black Mesa Monitor Screensaver.scr
Token: SeCreatePagefilePrivilege	1824	Black Mesa Monitor Screensaver.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3756	Black Mesa Monitor Screensaver.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
592	Black Mesa Monitor Screensaver.scr
592	Black Mesa Monitor Screensaver.scr
1824	Black Mesa Monitor Screensaver.scr
1824	Black Mesa Monitor Screensaver.scr

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3756	3016	Black Mesa Monitor Screensaver.exe	74
PID 3016 wrote to memory of 3756	3016	Black Mesa Monitor Screensaver.exe	74
PID 3016 wrote to memory of 3756	3016	Black Mesa Monitor Screensaver.exe	74
PID 3756 wrote to memory of 1120	3756	Black Mesa Monitor Screensaver.tmp	75
PID 3756 wrote to memory of 1120	3756	Black Mesa Monitor Screensaver.tmp	75
PID 3756 wrote to memory of 1120	3756	Black Mesa Monitor Screensaver.tmp	75
PID 1120 wrote to memory of 592	1120	rundll32.exe	76
PID 1120 wrote to memory of 592	1120	rundll32.exe	76
PID 1120 wrote to memory of 592	1120	rundll32.exe	76
PID 1120 wrote to memory of 1824	1120	rundll32.exe	79
PID 1120 wrote to memory of 1824	1120	rundll32.exe	79
PID 1120 wrote to memory of 1824	1120	rundll32.exe	79
PID 1120 wrote to memory of 1684	1120	rundll32.exe	80
PID 1120 wrote to memory of 1684	1120	rundll32.exe	80
PID 1120 wrote to memory of 1684	1120	rundll32.exe	80

C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe
"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp" /SL5="$60138,2762590,56832,C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\SysWOW64\BLACKM~1.SCR
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 131722
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:592
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /s
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1824
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 131722
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Black Mesa Monitor Screensaver\bmmonitor3 [High quality and size].avi

Filesize
408KB

MD5
fbe78fb6977b6ee0e98783e7089e82cf

SHA1
630afbec2cbf6098fccbe1f0e6ecc55a7b9e5e4e

SHA256
16645007455bc40e2aa8da1b1eb5ab07f7ae0aca9cae3b90668b569bed5fb6e0

SHA512
7c1b64bb8ffc101871644dc0db37cabcc4aaddf169662912b84457e9426faf3b57f8dcdafb5ff63946e1e531a8ffa9a8b8a302abfa1ed9063bea7add4e7e08ff

Download Submit
C:\Program Files (x86)\Black Mesa Monitor Screensaver\conf.dat

Filesize
801B

MD5
d77bdddf6a46fee68c17080d37c6633d

SHA1
fc5046888da49193ac54faf54298752df8ed4c88

SHA256
039cb063a6f59038791583f76780c6d0c6098736103d7cecae5fe0ea9d1c28d2

SHA512
be5e748649f3bbbf576f46c974d71c50d4d80ffb3f603953f831894e7f2eeca303c75d204624e463d3772ec80c9bf90aea227d3109bd7a4c19d3a818c64d1ce4

Download Submit
C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

Filesize
151B

MD5
fd9c453013da37a867de4ec2db984841

SHA1
2b6805ade0cbfa527565333aac0be12616825a90

SHA256
43612ca391f7d8425d53e688c04c50520a75f327ae55b4220059b1e4f7bd1326

SHA512
146eb11b2c22115d6911ed8319be49b2701bb17c57fb90f2920e21bfb4d6631cbf8b778aedf07563b511b026d9cc3f6a91828e6df8e42bf6989c8af8867b9174

Download Submit
C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

Filesize
151B

MD5
49934729c9eff8e8884fd08cf7f1bf8e

SHA1
bb55cd42c56d698dc8ccb35f525271c91da1e2d7

SHA256
86f01f3c69eda8de3f9e30fe8a58971135b4ecce8382d797d8a3da31142bd7ad

SHA512
3e340dcb95c823e645f18769ca416d27d82fb6ef5018c78ab4ad6bea1eb0597cb6207b77fc83e3fea3179ee5fb38a267eaf8ca38b4f029e992b7824679240d85

Download Submit
C:\ProgramData\TEMP:0C1DBA97

Filesize
151B

MD5
6feb2cc13c7c52814bb2f030d2c4b41b

SHA1
b0d9fd87278744d6fad1d985fde92e77b7f1f332

SHA256
fda8c6a4ba486450a06394da22243a40f618eff04ee4116390ae10200601737d

SHA512
0d98c7a2fceedaa8e486b282e7034890440adf2fe06c0862e83c6013811e7dbee13539a52c96785f8b8d0eff15f5461320c5e081b1c1d553f7196ef0ad7cf977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
7014934e6077847aab722c935384bb8f

SHA1
ac64a966844b4507b60ee3cbed4545402a0eaca8

SHA256
dbbb01f8e2efbf672dbea860d22356ec8025b6ce95a8faa8661d65e3c96644de

SHA512
4570b8e203e8142ae3e032c4f67c92b72622d42c3500ec5b7843f633c3f3201c1a29d434627aead1a3d38f5131b03a14bd766afd0e5713be4a2057e2c876d13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
ad14e0edd2c6ec4391860d4f1b4d5d25

SHA1
22ddfef5c4ffa9030b08c6372b6694d987033732

SHA256
0f07ff61fa78c825add8fef8087e536a0c658d46c5ea948ba2d4e173e5903954

SHA512
2340341f45356b6628b2246c7f2c96ec760041d88ed328eb82ba8d5db64e9cf4f301e7d3b9e6728aeb549f424082f9baa5275b77e0c8e8dfb3f9443b89296520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
bd861f4cd48640ade200aae6896f45a0

SHA1
8fc7688b5f1fe42e629d2ce1c630dcd77f6a10e6

SHA256
c0c797843ebf5387d14252f1147601041f0b7b680192ad2a29d9629205e89399

SHA512
b2e053e96936852305b70b9764aed68a25e46af1d80a35d6734e7e77f089aab2fe8f89d620bf9ef99421cbb7b88ba4f7c8c2d892f307e2250224580c42269afe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
0aa5aeb580565321b18e1d1f25d190ba

SHA1
86b0a1e223dcfcd90846d82e722bd7410fb5edd6

SHA256
0d01a6f675422526a2f51b6ff95956b48de38a0324afeb3cac19334c1f396217

SHA512
a376c40bdd0f3bf32938a522def539d222d73f5549b943ec2b90fb93451903fca8f1eb258601577a5c16d6bd70786235b4d20146129d02461d439557644cc5f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
88f6840df20957085734772ae60ff28d

SHA1
ba8665bd32265fb5685ebf9e82b3f1ea20e41e8b

SHA256
fc9853a10bdef43df464172a3030f6ff280841265097bd39d17c561cae2314d8

SHA512
2adfdcc3097981b26135c25fd1a03621a1ed2a1573cbf742059b28835f8bfe7089ea0aeb1c30393299b74939e8c8135d4112c20c47234653e17fc280cd89cf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
6717e79545f3b286a5e79bb1bb41ed57

SHA1
ebcc7945814b33dde160051b613e85f774417ec2

SHA256
7403abbe5b0597da3f64f1c183d6499858a92f2e92e851ddfca3a3fd50521e85

SHA512
9cece5efb808f1410440a14b7113642ed05434e78678bf7d17392e5543127a4b0748e33174dfbf4d2ed204efb774df504a63138f23d8dfc15c33431c5c7fa581

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-757D7.tmp\Black Mesa Monitor Screensaver.tmp

Filesize
690KB

MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

Filesize
3.2MB

MD5
91cce0d13104f694fcb110df259189fc

SHA1
5d663ce4b6d877abbb937897a3bf00b933d815e9

SHA256
932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd

SHA512
af9d8e7a0b4825e516196e4b8d9c510b71d8cc8663c9280b7db413e1193440c1bb7b5faa5de41850cfe2299b09526e3eaae1f086f7e1f15113daa23b31f20eea

Download Submit
memory/592-750-0x0000000003830000-0x0000000003A09000-memory.dmp

Filesize
1.8MB

Download
memory/592-753-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-725-0x0000000003830000-0x0000000003A09000-memory.dmp

Filesize
1.8MB

Download
memory/592-736-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-739-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-740-0x0000000003D10000-0x0000000003D30000-memory.dmp

Filesize
128KB

Download
memory/592-737-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-741-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-726-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-744-0x0000000003830000-0x0000000003A09000-memory.dmp

Filesize
1.8MB

Download
memory/592-743-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/592-747-0x0000000003830000-0x0000000003A09000-memory.dmp

Filesize
1.8MB

Download
memory/592-721-0x0000000003830000-0x0000000003A09000-memory.dmp

Filesize
1.8MB

Download
memory/1684-790-0x00000000036F0000-0x00000000038C9000-memory.dmp

Filesize
1.8MB

Download
memory/1684-786-0x00000000036F0000-0x00000000038C9000-memory.dmp

Filesize
1.8MB

Download
memory/1684-809-0x00000000036F0000-0x00000000038C9000-memory.dmp

Filesize
1.8MB

Download
memory/1684-805-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1684-806-0x00000000036F0000-0x00000000038C9000-memory.dmp

Filesize
1.8MB

Download
memory/1684-803-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1684-802-0x0000000003620000-0x0000000003640000-memory.dmp

Filesize
128KB

Download
memory/1684-801-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1684-799-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1684-798-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-774-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-770-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-771-0x0000000003E70000-0x0000000003E90000-memory.dmp

Filesize
128KB

Download
memory/1824-778-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-779-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-782-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-784-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-772-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-755-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-760-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-759-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-775-0x0000000003970000-0x0000000003B49000-memory.dmp

Filesize
1.8MB

Download
memory/1824-767-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/1824-768-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3016-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3016-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3016-732-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3756-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3756-731-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download