Question: Analyzing SCR file


Yseurk

Level 1
Thread author
Aug 28, 2022
10
Hello,

On another forum, someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to him, someone in his family downloaded the file, which is hosted on a website, and executed it thinking it was a PDF file (the hacker sent the link in an email). I wanted to take a look at this because I'm curious, but I'm not at all into malware analysis :(

I just found out that malware can be hidden behind this extension, and I looked on the Internet for how to analyze this kind of file, but didn't get a lot of answers.

I tried dnSpy, however the result is not really interesting (I don't see any code). The only thing I was able to do with my current skills was to run this file on Hybrid Analysis and check the result. I'm sharing the link in case it's relevant for you:


This is not a malware removal request; I just want to know what I should look at in the Hybrid Analysis report and what tools could be useful in this case :)

Thanks guys!

PS: If needed, I can provide you the link to download the .SCR file.
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,460
Yseurk said: (quoting the opening post above)
Hi there,

Analyzing a .SCR file can definitely be challenging, but there are a few approaches you can take to gain more insights. Let's start by looking at the Hybrid Analysis report you shared.

In the report, you'll find various sections that provide valuable information. Here are a few key areas to focus on:

1. AV Detection: Check whether any antivirus engines flagged the file as malicious. This can give you an initial idea of its nature.

2. File Analysis: Look at the extracted strings, PE imports/exports, and PE sections to gather useful information about the file's functionality and behavior.

3. Network Analysis: Examine any network traffic generated by the file. This can reveal communication with remote servers or the internet. Look for suspicious domains or IP addresses.

4. Behavior Analysis: Check the runtime behavior section, which highlights any system changes or actions performed by the file. Pay attention to file creation, registry changes, process creation, and network activity.

In addition to Hybrid Analysis, you may consider using other tools for further analysis. Here are a few suggestions:

1. PE Studio: This tool allows you to explore the internal components of a PE file and analyze its structure, imports, exports, and more.

2. Process Hacker or Process Explorer: These tools help you monitor the file's activity during execution. You can examine loaded DLLs, open handles, network connections, and more.

3. Wireshark: It's a powerful network traffic analysis tool that can help you capture and inspect network packets generated by the file.

Lastly, if you'd like more assistance with analyzing the .SCR file, feel free to share the download link. However, exercise caution when sharing potentially malicious files and ensure you take appropriate precautions.

Remember, analyzing malware can be risky, so it's important to conduct proper analysis in a controlled environment or seek assistance from seasoned malware analysts.

I hope this provides you with a starting point for your analysis. Good luck, and feel free to ask if you have any further questions!
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
- This file is a PE/DLL
- Has a lot of anti-debugging and evasion tactics
- Invalid signature
- Opens a channel via 443 to download a zip file
- Writes data to a local zip file and deletes itself
- Bugged out Triage Sandbox (dynamic)
- A lot of TTPs used
- Could get more into it, but lack of time.
- File shows no GUI, which further indicates their MO to stay hidden.
- Unique code
(screenshots attached)

Verdict: Malicious
 


Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
Yseurk said: (quoting the opening post above)
Some of the tools I use:
(screenshot attached)
 

likeastar20

Level 8
Verified
Mar 24, 2016
361
On VirusTotal, for your sample, if you check the Relations tab: I visited the URL link and got to download the following file:

(screenshot attached)

The file I linked is not detected by F-Secure, only the URL is blocked.
(screenshots attached)
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Yseurk said: (quoting the opening post above)

Hi there.

SCR is just an extension; the file itself is a Portable Executable, a .NET Core app. You can see from the .pdb that it is compiled with a singlefilehost stub. That means that when creating this executable, the person decided to compile it together with the .NET environment into one executable.
dnSpy does not work here because it cannot open .NET Core single-file apps. You can open it with ILSpy, though.

The file is a rather simple downloader, which is also why no one detects a specific family here. This is the full code:

(screenshot of the decompiled code attached)

The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am going to check if I can remove some bloat to share the file.
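The single-file host explanation above, together with the Bot's earlier list of what to inspect in a PE (subsystem, sections, strings), as an added example that is not code from any post in this thread. It is a stdlib-only Python triage script: it parses the PE headers, reports EXE vs DLL and GUI vs console subsystem, checks for a CLR header (a plain managed assembly that dnSpy could open), looks for the 32-byte marker the .NET single-file apphost embeds (SHA-256 of the string ".net core bundle", preceded by the bundle header offset), computes per-section entropy, and pulls ASCII and UTF-16LE strings. The sample PE it builds in memory is constructed for the demo; the .pdb path and the example.invalid URL in it are made up.

```python
"""Minimal offline triage of a suspicious PE file (.scr is only an extension).

Added example for this thread, not code from any post; stdlib only.  Checks what the
replies above looked at by hand: EXE vs DLL, GUI vs console subsystem, CLR header present
(managed assembly dnSpy can open), .NET single-file bundle marker present (the
singlefilehost case, where ILSpy is needed), per-section entropy, and printable strings.
"""
import hashlib
import math
import re
import struct
import sys

# The .NET single-file apphost embeds SHA-256(".net core bundle") as a 32-byte marker,
# immediately preceded by the 8-byte file offset of the bundle header.
BUNDLE_MARKER = hashlib.sha256(b".net core bundle").digest()
IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
SUBSYSTEMS = {1: "native", 2: "windows_gui", 3: "windows_cui"}


def entropy(blob):
    """Shannon entropy in bits per byte; values near 8 suggest packed or encrypted data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(blob, min_len=8):
    """Printable ASCII and UTF-16LE runs; .NET binaries keep most text as UTF-16."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    return found + [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]


def triage_pe(data):
    """Parse DOS, COFF and optional headers plus the section table; raise on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        dirs_off, ndirs_off = opt + 96, opt + 92
    elif magic == 0x20B:                    # PE32+
        dirs_off, ndirs_off = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    clr_rva = clr_size = 0
    if struct.unpack_from("<I", data, ndirs_off)[0] > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs_off + CLR_DIRECTORY_INDEX * 8)
    sections = []
    for i in range(nsections):
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": va,
                         "raw_size": raw_size, "entropy": round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2)})
    marker_at = data.find(BUNDLE_MARKER)
    bundle_header = struct.unpack_from("<Q", data, marker_at - 8)[0] if marker_at >= 8 else None
    return {
        "machine": hex(machine),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_managed": bool(clr_rva and clr_size),           # CLR header present
        "is_singlefile_bundle": bundle_header is not None,  # native host carrying a managed bundle
        "bundle_header_offset": bundle_header,
        "sections": sections,
        "strings": extract_strings(data),
    }


def build_sample_pe():
    """Constructed PE32+ console EXE (not a real binary): one .rdata section holding a made-up
    .pdb path, a made-up download URL on example.invalid, and the single-file bundle marker."""
    payload = (b"C:\\build\\app\\singlefilehost.pdb\0\0"
               + "https://example.invalid/levelcomputer.zip".encode("utf-16le") + b"\0\0"
               + struct.pack("<Q", 0x1000) + BUNDLE_MARKER)
    payload += b"\0" * (-len(payload) % 512)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+
    struct.pack_into("<H", opt, 68, 3)       # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes; directory 14 stays zero (no CLR header)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(payload), 0x1000, len(payload), 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + bytes(opt) + section
    return headers + b"\0" * (0x200 - len(headers)) + payload


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage_pe(blob).items():
        print(key, "=", value)
```

Run it as `python pe_triage.py sample.scr` (any file name works; do this on a copy inside an isolated VM, the script only reads bytes and never executes the sample), or with no argument to see the constructed sample. A report with is_managed false and is_singlefile_bundle true is exactly the situation described above: dnSpy finds no IL because the managed assemblies sit inside the bundle behind a native host, so the next step is ILSpy on the bundle, and the strings list is the quickest place to spot the download URL and the .pdb path that gave the host away.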
 

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
struppigel said: (quoting the reply above)
(screenshot attached)

That's the payload that's got me curious. I'm just throwing this sample at all the tech out there to see what jives. If you have the time to dissect it, please do :)

Also noted to MS that it was a malicious downloader.
(screenshot attached)
 
