banload | 0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black Mesa Monitor Screensaver.exe
Size

2.9MB
MD5

89044caf59d133723b2ca8386ba812e6
SHA1

ecb695a01219648fa53e51d9118610c48fc88d74
SHA256

0af8d5f83519730a4b3b7a40e91e059f54d58a43191671aef17267810ed88aec
SHA512

0c9912a93e7626cc625485884addc1c1f2ab8b8401f6e73f2cbb8a9c49a843569e114568eade86e8c23e1d6f8b394297bd35191be834bf5784244096a6d45e79
SSDEEP

49152:C9vxKshalUdKJ8z2xZ4Hrs1YShHZdwL8npzbxBAN0W/oRadJqJA8NU:MvOyK8zL419dZeLwzbDANXUad9

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Black Mesa Monitor Screensaver.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Black Mesa Monitor Screensaver.scr

Executes dropped EXE 4 IoCs

pid	Process
2524	Black Mesa Monitor Screensaver.tmp
3956	Black Mesa Monitor Screensaver.scr
2052	Black Mesa Monitor Screensaver.scr
2668	Black Mesa Monitor Screensaver.scr

Loads dropped DLL 7 IoCs

pid	Process
1520	Black Mesa Monitor Screensaver.exe
2524	Black Mesa Monitor Screensaver.tmp
2524	Black Mesa Monitor Screensaver.tmp
2524	Black Mesa Monitor Screensaver.tmp
2712	rundll32.exe
2712	rundll32.exe
2712	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-PUHML.tmp	Black Mesa Monitor Screensaver.tmp

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-OFRT9.tmp	Black Mesa Monitor Screensaver.tmp
File opened for modification	C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.dat	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-PSKI8.tmp	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-RH331.tmp	Black Mesa Monitor Screensaver.tmp
File created	C:\Program Files (x86)\Black Mesa Monitor Screensaver\is-3P0G1.tmp	Black Mesa Monitor Screensaver.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Mesa Monitor Screensaver.scr

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	Black Mesa Monitor Screensaver.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR"	Black Mesa Monitor Screensaver.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveActive = "1"	Black Mesa Monitor Screensaver.tmp
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\BLACKM~1.SCR"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\FLsyvqnuvl	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt\ = "`nqPb\x7f`zX^Y{KLQKcYUIjEHsaVw"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DT\x7focFP"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "Dbq@zJp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]n`GvmgRGOLgVt_P\|OSnw"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v\|Mt\x7fHV\|rUuqBLMkh\x7fn]Y_vl}"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way\|mGpwY\|pHxUK"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]nkgvmgRGOLgVt_P\|OSnw"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Rs\|\|E"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\lainalsHikZ\ = "HMaiTG\|BIBmvtxgb\\zTK``_B"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DEFvyn`"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]ndWvmgRGOLgVt_P\|OSnw"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[ns\|\|E"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhnPAUK"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[^s\|\|E"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Mnnlfy	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt\ = "`nqPb\x7f`zX^Y{KLQKcYeIjEHsaVG"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhrPAUK"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyxZrs\|\|E"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]n\|wvmgRGOLgVt_P\|OSnw"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DcpIKsP"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v\|Mt\x7fHQ\\rUuqBLMkh\x7fn]Y_vl}"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Ns\|\|E"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\wKyujuokaitrG\ = "D]Hw]nlGvmgRGOLgVt_P\|OSnw"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v\|Mt\x7fH]\\rUuqBLMkh\x7fn]Y_vl}"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ezqt	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\Mnnlfy	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way\|mG`wY\|pHxU["	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhRPAUK"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DNseZE`"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\eMaxVq\ = "DKxN^BHqr}FtLVBxWNhvPAUK"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~@bRQ\\`"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~_pliY@"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~[lPjRp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Fs\|\|E"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~QCO__@"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v\|Mt\x7fHE\|rUuqBLMkh\x7fn]Y_vl}"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\Mnnlfy\ = "Nyq[s}_^M]XRJ{UpqCfijOZH"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~gNaug`"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~vo\|{d@"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\Mnnlfy\ = "NwOVVfxf~J{dF}oNaSgi{D[\\"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs\ = "LpuQaZVgWJepU\x7ft\|AMBZ`\x7fBbIc\\c"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs\ = "zjVGuF~OM`a@rnhuDdz_Jhrfqijg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\XcydqisTecs\ = "LpuQaZVgWJepU\x7ft\|AMBZ`\x7fBbIc\\c"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\wKyujuokaitrG\ = "v\|Mt\x7fHAlrUuqBLMkh\x7fn]Y_vl}"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\hlEJ\ = "~Y{bc~p"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "D`frsfp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way\|mG`wY\|pHxU["	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "PSFactoryBuffer"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\eMaxVq\ = "zbs]wNKl^BLVkyTTyx[Vs\|\|E"	Black Mesa Monitor Screensaver.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\XcydqisTecs\ = "zjVGuF~OM`a@rnhuDdz_Jhrfqijg"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\{0C1DBA97-B68A-13D1-B2E4-0060975B8649}\ezqt\ = "~}jNQ[Ntx[j_Way\|mGPwY\|pHxUk"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "Dx}JCI@"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\hlEJ\ = "DZJk\\kp"	Black Mesa Monitor Screensaver.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Both"	Black Mesa Monitor Screensaver.scr

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:0C1DBA97	Black Mesa Monitor Screensaver.scr
File opened for modification	C:\ProgramData\TEMP:0C1DBA97	Black Mesa Monitor Screensaver.scr
File opened for modification	C:\ProgramData\TEMP:0C1DBA97	Black Mesa Monitor Screensaver.scr

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	Black Mesa Monitor Screensaver.tmp
2524	Black Mesa Monitor Screensaver.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	rundll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	3956	Black Mesa Monitor Screensaver.scr
Token: SeIncBasePriorityPrivilege	3956	Black Mesa Monitor Screensaver.scr
Token: SeShutdownPrivilege	3956	Black Mesa Monitor Screensaver.scr
Token: 33	2052	Black Mesa Monitor Screensaver.scr
Token: SeIncBasePriorityPrivilege	2052	Black Mesa Monitor Screensaver.scr
Token: SeShutdownPrivilege	2052	Black Mesa Monitor Screensaver.scr
Token: 33	2668	Black Mesa Monitor Screensaver.scr
Token: SeIncBasePriorityPrivilege	2668	Black Mesa Monitor Screensaver.scr
Token: SeShutdownPrivilege	2668	Black Mesa Monitor Screensaver.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2524	Black Mesa Monitor Screensaver.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3956	Black Mesa Monitor Screensaver.scr
3956	Black Mesa Monitor Screensaver.scr
2052	Black Mesa Monitor Screensaver.scr
2052	Black Mesa Monitor Screensaver.scr
2668	Black Mesa Monitor Screensaver.scr
2668	Black Mesa Monitor Screensaver.scr

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 1520 wrote to memory of 2524	1520	Black Mesa Monitor Screensaver.exe	30
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2524 wrote to memory of 2712	2524	Black Mesa Monitor Screensaver.tmp	31
PID 2712 wrote to memory of 3956	2712	rundll32.exe	32
PID 2712 wrote to memory of 3956	2712	rundll32.exe	32
PID 2712 wrote to memory of 3956	2712	rundll32.exe	32
PID 2712 wrote to memory of 3956	2712	rundll32.exe	32
PID 2712 wrote to memory of 2052	2712	rundll32.exe	35
PID 2712 wrote to memory of 2052	2712	rundll32.exe	35
PID 2712 wrote to memory of 2052	2712	rundll32.exe	35
PID 2712 wrote to memory of 2052	2712	rundll32.exe	35
PID 2712 wrote to memory of 2668	2712	rundll32.exe	36
PID 2712 wrote to memory of 2668	2712	rundll32.exe	36
PID 2712 wrote to memory of 2668	2712	rundll32.exe	36
PID 2712 wrote to memory of 2668	2712	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe
"C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp" /SL5="$40112,2762590,56832,C:\Users\Admin\AppData\Local\Temp\Black Mesa Monitor Screensaver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\SysWOW64\BLACKM~1.SCR
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 196974
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3956
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /s
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2052
  - - C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr
      "C:\Windows\system32\Black Mesa Monitor Screensaver.scr" /p 196974
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Black Mesa Monitor Screensaver\bmmonitor3 [High quality and size].avi

Filesize
408KB

MD5
fbe78fb6977b6ee0e98783e7089e82cf

SHA1
630afbec2cbf6098fccbe1f0e6ecc55a7b9e5e4e

SHA256
16645007455bc40e2aa8da1b1eb5ab07f7ae0aca9cae3b90668b569bed5fb6e0

SHA512
7c1b64bb8ffc101871644dc0db37cabcc4aaddf169662912b84457e9426faf3b57f8dcdafb5ff63946e1e531a8ffa9a8b8a302abfa1ed9063bea7add4e7e08ff

Download Submit
C:\Program Files (x86)\Black Mesa Monitor Screensaver\conf.dat

Filesize
801B

MD5
d77bdddf6a46fee68c17080d37c6633d

SHA1
fc5046888da49193ac54faf54298752df8ed4c88

SHA256
039cb063a6f59038791583f76780c6d0c6098736103d7cecae5fe0ea9d1c28d2

SHA512
be5e748649f3bbbf576f46c974d71c50d4d80ffb3f603953f831894e7f2eeca303c75d204624e463d3772ec80c9bf90aea227d3109bd7a4c19d3a818c64d1ce4

Download Submit
C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

Filesize
141B

MD5
177599e4e84efc61ed8fc926cf67537b

SHA1
1827b75f0ccdd1583ccd8e7c5d0384cb363efc1f

SHA256
5439ae835599b1007ceae385acd9c935abd3e0274279aa409ae2a36d8c4fecdf

SHA512
4b07c8eac66a43bde113370f40de1340e16911d3dd55d9ed1c0a61e8f45171a3fb80b44c7bc0907e47af8e57e85ae4754e7e8e2001ed35100f4abb39be74a260

Download Submit
C:\ProgramData\Licenses\064D58E86EDBDD346.Lic

Filesize
141B

MD5
3088b319faac391e8064545b860e425f

SHA1
003ddc389ea1b31c8d93d34b3dc4c40b51db4db0

SHA256
53eec94f4a1f0ddd2001a67177d576de65d09216f624d50f31ed2adc20a8cdc8

SHA512
32146bf2ebe68e096dd0cbf3da39f0cd9ea0e814bcfdf6cad29e318fd53c46f8f894e668e839df6f76f2deef24a8c7e309f51f65552844c85c72fe2d0ee536d0

Download Submit
C:\ProgramData\TEMP:0C1DBA97

Filesize
141B

MD5
905b4a4ea75110acbe5343d0531e05c7

SHA1
7d88f23f2b911211695df3d2f99593daeb007041

SHA256
627c08c6c31656e86207abee698034f156504986be65867f8179bcf411ee8a12

SHA512
2c65b9de79bbcca36046a256227f6d727ae7f0d2e8c358b5a44446289d48e35c0a43b1fd2697efeb787e40014bdad269686fe55b249922079d76288b470c1e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
020570a88c0692f7f3d1d42379058765

SHA1
bef5e581e4c7ef4f171c165911145dca9c68287e

SHA256
16efc91532dc5d3d151ce5bdb882e6831d562a54bf8592c31052159ce929cddb

SHA512
1f47d19f8f2dc77e7ab9fa12b096bb41600f84b67cc22fd41886b9a759c32c3565db23a1dfe039a1d376ffe7d510b3603f0acc5df14886d254235329e074ef9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
501b0d8b22c7edc8da4d2cdc27c47475

SHA1
78fd2f35000def8722d93747af4737d0f64ff4c8

SHA256
98cf4bfab67eb63eca03efb20c1928328a0ea65e8e8e811798d2686763844dac

SHA512
a596f60f6a568be76ae00e58155f62b3101dbb1002b9dc036a31377f0f8566176f344a01abfb8421e14349b3facdd198166dbb1c61563702d669db52c84cb759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
8d74686bf2b7ce117c7537bf23535776

SHA1
b0f7077bc7a654573d2da0f89050acecbe225142

SHA256
37f45956f7978cf370a8ca27a7ae620710388b70cba91765b65c600b3e63e7c7

SHA512
9cc58bf977c87dbada28e3eab93965c50143620aff2a92ceec7d4fdae90189f5fef7ddea44c9b0ac7c6172108bf637678698adce282dc52a0a2f154a20eaa0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
a39005ce895e639bbc59d632b69a1beb

SHA1
2332f9f589ded1567bbd6d68a3caaa0c66f3660a

SHA256
ea3e3aadafc1e112948a7efb7935c3cda3e93af011397b6769e51e85efc27a1b

SHA512
e4666011204b84a3e800a4f2b0a00a59cddb9dcb50b51b59c925ff22b636817db9380b50416c164fd677b3455b680270643c30c54219986684e1a7b7affef569

Download Submit
C:\Windows\SysWOW64\Black Mesa Monitor Screensaver.scr

Filesize
3.2MB

MD5
91cce0d13104f694fcb110df259189fc

SHA1
5d663ce4b6d877abbb937897a3bf00b933d815e9

SHA256
932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd

SHA512
af9d8e7a0b4825e516196e4b8d9c510b71d8cc8663c9280b7db413e1193440c1bb7b5faa5de41850cfe2299b09526e3eaae1f086f7e1f15113daa23b31f20eea

Download Submit
\Program Files (x86)\Black Mesa Monitor Screensaver\unins000.exe

Filesize
701KB

MD5
6c82d5316ed0cd83d6f9e5a9f0914650

SHA1
d642c72bfe4b83609c3466c7bb85e2f53b6be48b

SHA256
b9e1fc89ff8ec82fb050bd32829b45f828d84226a6890ab385221c7fc6a462ed

SHA512
1cd031cec42b5d6b08c66bb1944ba8db7de0f1363e68cd915b81eaa1e53752e43560010389f338840f11b34893a8c5c132c843bb0d8ef805713152606f0586ad

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAV1K.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JQAQ7.tmp\Black Mesa Monitor Screensaver.tmp

Filesize
690KB

MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
memory/1520-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1520-714-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1520-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1520-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2052-765-0x0000000003030000-0x0000000003209000-memory.dmp

Filesize
1.8MB

Download
memory/2052-749-0x0000000003030000-0x0000000003209000-memory.dmp

Filesize
1.8MB

Download
memory/2052-768-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2052-769-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2052-770-0x0000000003030000-0x0000000003209000-memory.dmp

Filesize
1.8MB

Download
memory/2052-762-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-757-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-758-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-760-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-745-0x0000000003030000-0x0000000003209000-memory.dmp

Filesize
1.8MB

Download
memory/2052-761-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/2052-764-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-775-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2052-774-0x0000000003030000-0x0000000003209000-memory.dmp

Filesize
1.8MB

Download
memory/2052-750-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2524-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2524-713-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2524-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2668-815-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/2668-794-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-797-0x00000000038D0000-0x00000000038F0000-memory.dmp

Filesize
128KB

Download
memory/2668-793-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-796-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-785-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-798-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-801-0x00000000032D0000-0x00000000034A9000-memory.dmp

Filesize
1.8MB

Download
memory/2668-800-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-804-0x00000000032D0000-0x00000000034A9000-memory.dmp

Filesize
1.8MB

Download
memory/2668-807-0x00000000015D0000-0x00000000015DA000-memory.dmp

Filesize
40KB

Download
memory/2668-806-0x00000000015D0000-0x00000000015DA000-memory.dmp

Filesize
40KB

Download
memory/2668-809-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/2668-810-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/2668-808-0x00000000016F0000-0x00000000016FA000-memory.dmp

Filesize
40KB

Download
memory/2668-812-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/2668-813-0x00000000015D0000-0x00000000015DA000-memory.dmp

Filesize
40KB

Download
memory/2668-814-0x00000000015D0000-0x00000000015DA000-memory.dmp

Filesize
40KB

Download
memory/2668-782-0x00000000032D0000-0x00000000034A9000-memory.dmp

Filesize
1.8MB

Download
memory/2668-778-0x00000000032D0000-0x00000000034A9000-memory.dmp

Filesize
1.8MB

Download
memory/2712-743-0x00000000040D0000-0x00000000046FB000-memory.dmp

Filesize
6.2MB

Download
memory/2712-783-0x00000000040D0000-0x00000000046FB000-memory.dmp

Filesize
6.2MB

Download
memory/2712-784-0x00000000040D0000-0x00000000046FB000-memory.dmp

Filesize
6.2MB

Download
memory/2712-701-0x00000000040D0000-0x00000000046FB000-memory.dmp

Filesize
6.2MB

Download
memory/2712-811-0x00000000040D0000-0x00000000046FB000-memory.dmp

Filesize
6.2MB

Download
memory/3956-729-0x0000000003040000-0x0000000003219000-memory.dmp

Filesize
1.8MB

Download
memory/3956-726-0x0000000003040000-0x0000000003219000-memory.dmp

Filesize
1.8MB

Download
memory/3956-734-0x0000000003AE0000-0x0000000003AEA000-memory.dmp

Filesize
40KB

Download
memory/3956-735-0x0000000003AE0000-0x0000000003AEA000-memory.dmp

Filesize
40KB

Download
memory/3956-732-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

Filesize
40KB

Download
memory/3956-731-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

Filesize
40KB

Download
memory/3956-737-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

Filesize
40KB

Download
memory/3956-723-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-725-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-736-0x0000000003AD0000-0x0000000003ADA000-memory.dmp

Filesize
40KB

Download
memory/3956-718-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-721-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-722-0x0000000002FD0000-0x0000000002FF0000-memory.dmp

Filesize
128KB

Download
memory/3956-719-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-739-0x0000000003040000-0x0000000003219000-memory.dmp

Filesize
1.8MB

Download
memory/3956-703-0x0000000003040000-0x0000000003219000-memory.dmp

Filesize
1.8MB

Download
memory/3956-707-0x0000000003040000-0x0000000003219000-memory.dmp

Filesize
1.8MB

Download
memory/3956-708-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download
memory/3956-742-0x0000000000400000-0x0000000000A2B000-memory.dmp

Filesize
6.2MB

Download