Question Analyzing SCR file

Please provide comments and solutions that are helpful to the author of this topic.

Fumerol_X

Level 1
Thread author
Aug 28, 2022
10
Hello,

From another forum someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to what he said, someone of his family downloaded the file which is hosted on a website and executed it thinking it was a PDF file (the hacker sent the link in the email). I wanted to take a look at this because I'm curious but I'm not at all into malware analysis :(

I just found out that malware can be hidden through this extension and I looked on the Internet on how to analyze this kind of file but didn't get a lot of answer.

I tried DnSPY however the result is not really interesting (I don't see any code), the only thing I was able to do with my current skills was to run this file on Hybrid-Analysis and check the result, I'm sharing the link if it can be relevant for you :


This is not a malware removal request, I just want to know what I should look at in the Hybrid Analysis report and what tool could be useful in this case :)

Thanks guys !

PS : If needed I can provide you the link to download the .SCR file
 

Bot

AI-powered Bot
Apr 21, 2016
4,439
Hello,

From another forum someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to what he said, someone of his family downloaded the file which is hosted on a website and executed it thinking it was a PDF file (the hacker sent the link in the email). I wanted to take a look at this because I'm curious but I'm not at all into malware analysis :(

I just found out that malware can be hidden through this extension and I looked on the Internet on how to analyze this kind of file but didn't get a lot of answer.

I tried DnSPY however the result is not really interesting (I don't see any code), the only thing I was able to do with my current skills was to run this file on Hybrid-Analysis and check the result, I'm sharing the link if it can be relevant for you :


This is not a malware removal request, I just want to know what I should look at in the Hybrid Analysis report and what tool could be useful in this case :)

Thanks guys !

PS : If needed I can provide you the link to download the .SCR file
Hi there,

Analyzing a .SCR file can definitely be challenging, but there are a few approaches you can take to gain more insights. Let's start by looking at the Hybrid Analysis report you shared.

In the report, you'll find various sections that provide valuable information. Here are a few key areas to focus on:

1. AV Detection: Check whether any antivirus engines flagged the file as malicious. This can give you an initial idea of its nature.

2. File Analysis: Look at the extracted strings, PE imports/exports, and PE sections to gather useful information about the file's functionality and behavior.

3. Network Analysis: Examine any network traffic generated by the file. This can reveal communication with remote servers or the internet. Look for suspicious domains or IP addresses.

4. Behavior Analysis: Check the runtime behavior section, which highlights any system changes or actions performed by the file. Pay attention to file creation, registry changes, process creation, and network activity.

In addition to Hybrid Analysis, you may consider using other tools for further analysis. Here are a few suggestions:

1. PE Studio: This tool allows you to explore the internal components of a PE file and analyze its structure, imports, exports, and more.

2. Process Hacker or Process Explorer: These tools help you monitor the file's activity during execution. You can examine loaded DLLs, open handles, network connections, and more.

3. Wireshark: It's a powerful network traffic analysis tool that can help you capture and inspect network packets generated by the file.

Lastly, if you'd like more assistance with analyzing the .SCR file, feel free to share the download link. However, exercise caution when sharing potentially malicious files and ensure you take appropriate precautions.

Remember, analyzing malware can be risky, so it's important to conduct proper analysis in a controlled environment or seek assistance from seasoned malware analysts.

I hope this provides you with a starting point for your analysis. Good luck, and feel free to ask if you have any further questions!
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
- This file is a PE/DLL
1692977052685.png

- Has alot of anti debugging and evasion tactics
- Invalid Signature
1692977135418.png

- Opens channel via 443 to download zip file
- Writes Data to local zip file and deletes itself
- Bugged out Triage Sandbox Dynamic
1692976952096.png

- Alot of TTP's used
1692977185328.png

- Could get more into but but lack of time.
- File shows no GUI which further indicated their MO to stay hidden.
-Unique Code
1692977304914.png

Verdict: Malicious
 

Attachments

  • 1692976874602.png
    1692976874602.png
    17.8 KB · Views: 120

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
Hello,

From another forum someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to what he said, someone of his family downloaded the file which is hosted on a website and executed it thinking it was a PDF file (the hacker sent the link in the email). I wanted to take a look at this because I'm curious but I'm not at all into malware analysis :(

I just found out that malware can be hidden through this extension and I looked on the Internet on how to analyze this kind of file but didn't get a lot of answer.

I tried DnSPY however the result is not really interesting (I don't see any code), the only thing I was able to do with my current skills was to run this file on Hybrid-Analysis and check the result, I'm sharing the link if it can be relevant for you :


This is not a malware removal request, I just want to know what I should look at in the Hybrid Analysis report and what tool could be useful in this case :)

Thanks guys !

PS : If needed I can provide you the link to download the .SCR file
Some of the tools I use
1692978813980.png
 

likeastar20

Level 9
Verified
Mar 24, 2016
423
Last edited:

likeastar20

Level 9
Verified
Mar 24, 2016
423
On virustotal, for your sample, if you check the relations tab, i visited the url link and got to download the following file:




View attachment 278093
the file i linked is not detected by f-secure, only url block
wqerqwerqwer.PNG

f-secure.PNG
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello,

From another forum someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to what he said, someone of his family downloaded the file which is hosted on a website and executed it thinking it was a PDF file (the hacker sent the link in the email). I wanted to take a look at this because I'm curious but I'm not at all into malware analysis :(

I just found out that malware can be hidden through this extension and I looked on the Internet on how to analyze this kind of file but didn't get a lot of answer.

I tried DnSPY however the result is not really interesting (I don't see any code), the only thing I was able to do with my current skills was to run this file on Hybrid-Analysis and check the result, I'm sharing the link if it can be relevant for you :


This is not a malware removal request, I just want to know what I should look at in the Hybrid Analysis report and what tool could be useful in this case :)

Thanks guys !

PS : If needed I can provide you the link to download the .SCR file

Hi there.

SCR is just an extension, the file itself is a Portable Executable .NETCore App. You can see from the .pdb that it is compiled with a singlefilehost stub. That means when creating this executable, the person decided to compile it with the .NET environment into one executable.
DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though.

The file is a rather simple downloader, which is also why no one detects a specific family here. This is the full code:

1692982807686.png


The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file.
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
Hi there.

SCR is just an extension, the file itself is a Portable Executable .NETCore App. You can see from the .pdb that it is compiled with a singlefilehost stub. That means when creating this executable, the person decided to compile it with the .NET environment into one executable.
DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though.

The file is a rather simple downloader, which is also why no one detects a specific family here. This is the full code:

View attachment 278105

The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file.
1692983344663.png

Thats the payload that's got me curious. I'm just throwing this sample at all the tech out there to see what jives. If you have the time to dissect it... Please do :)

Also noted to MS that it was a malicious downloader
1692983544644.png
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
Last edited:

likeastar20

Level 9
Verified
Mar 24, 2016
423

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top