Question Analyzing SCR file

Fumerol_X (thread author)
Aug 28, 2022
Hello,

From another forum, someone wanted to know if it's possible to understand what a .SCR file is trying to do. According to what he said, someone in his family downloaded the file, which is hosted on a website, and executed it thinking it was a PDF file (the hacker sent the link in the email). I wanted to take a look at this because I'm curious, but I'm not at all into malware analysis :(

I just found out that malware can be hidden behind this extension, and I looked on the Internet for how to analyze this kind of file but didn't get a lot of answers.

I tried dnSpy; however, the result is not really interesting (I don't see any code). The only thing I was able to do with my current skills was to run this file on Hybrid Analysis and check the result. I'm sharing the link if it can be relevant for you:

This is not a malware removal request, I just want to know what I should look at in the Hybrid Analysis report and what tool could be useful in this case :)

Thanks guys!

PS: If needed I can provide you with the link to download the .SCR file.
 
Hi there,

Analyzing a .SCR file can definitely be challenging, but there are a few approaches you can take to gain more insights. Let's start by looking at the Hybrid Analysis report you shared.

In the report, you'll find various sections that provide valuable information. Here are a few key areas to focus on:

1. AV Detection: Check whether any antivirus engines flagged the file as malicious. This can give you an initial idea of its nature.

2. File Analysis: Look at the extracted strings, PE imports/exports, and PE sections to gather useful information about the file's functionality and behavior.

3. Network Analysis: Examine any network traffic generated by the file. This can reveal communication with remote servers or the internet. Look for suspicious domains or IP addresses.

4. Behavior Analysis: Check the runtime behavior section, which highlights any system changes or actions performed by the file. Pay attention to file creation, registry changes, process creation, and network activity.

In addition to Hybrid Analysis, you may consider using other tools for further analysis. Here are a few suggestions:

1. PE Studio: This tool allows you to explore the internal components of a PE file and analyze its structure, imports, exports, and more.

2. Process Hacker or Process Explorer: These tools help you monitor the file's activity during execution. You can examine loaded DLLs, open handles, network connections, and more.

3. Wireshark: It's a powerful network traffic analysis tool that can help you capture and inspect network packets generated by the file.

Lastly, if you'd like more assistance with analyzing the .SCR file, feel free to share the download link. However, exercise caution when sharing potentially malicious files and ensure you take appropriate precautions.

Remember, analyzing malware can be risky, so it's important to conduct proper analysis in a controlled environment or seek assistance from seasoned malware analysts.

I hope this provides you with a starting point for your analysis. Good luck, and feel free to ask if you have any further questions!
 
- This file is a PE/DLL
- Has a lot of anti-debugging and evasion tactics
- Invalid signature
- Opens channel via 443 to download zip file
- Writes data to local zip file and deletes itself
- Bugged out Triage Sandbox Dynamic
- A lot of TTPs used
- Could get more into it but lack of time.
- File shows no GUI, which further indicates their MO to stay hidden.
- Unique code

Verdict: Malicious
 
Some of the tools I use
 
On VirusTotal, for your sample, if you check the Relations tab: I visited the URL link and got to download the following file:

The file I linked is not detected by F-Secure, only the URL is blocked.
 
Hi there.

SCR is just an extension, the file itself is a Portable Executable .NETCore App. You can see from the .pdb that it is compiled with a singlefilehost stub. That means when creating this executable, the person decided to compile it with the .NET environment into one executable.
DnSpy does not work here because it cannot open .NETCore App singlefiles. You can open it with ILSpy, though.

The file is a rather simple downloader, which is also why no one detects a specific family here. This is the full code:

(screenshot of the decompiled downloader code)

The more interesting part will be the downloaded file. The levelcomputer.zip is 192 MB in size, so VT is not fond of it. I am gonna check if I can remove some bloat to share the file.
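The points raised in this thread (is it a PE, is it a DLL, is it signed, does it have a GUI subsystem, is it a managed .NET assembly or a native single-file host that dnSpy cannot open) can all be read from the PE headers before running anything. The script below is an added example written for this page, not code from any poster or from the sample; it parses the DOS/COFF/optional headers, checks the Authenticode and CLR data directories, extracts printable strings, and looks for the two single-file-host tells: the literal `singlefilehost` PDB path and the bundle marker (the SHA-256 of the string `.net core bundle`, which .NET single-file hosts embed so the runtime can find the appended assemblies). `build_sample` constructs a synthetic PE32+ header so the script runs offline; the PDB path and the `example.invalid` URL in it are constructed values, not indicators from the real file.

```python
import hashlib
import re
import struct

# Marker every .NET single-file host embeds so the runtime can locate the bundle
# of assemblies appended to its own image: SHA-256 of ".net core bundle".
BUNDLE_MARKER = hashlib.sha256(b".net core bundle").digest()

IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DIR_SECURITY = 4       # Authenticode certificate table
DIR_CLR_RUNTIME = 14   # IMAGE_COR20_HEADER, present only in managed (IL) images


def triage_pe(data: bytes) -> dict:
    """Static first look at a PE image; returns {'is_pe': False} for anything else."""
    result = {"is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 (0x10B) and PE32+ (0x20B) keep Subsystem at offset 68, but the data
    # directories move because ImageBase and the stack/heap sizes widen to 8 bytes.
    if magic == 0x10B:
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:
        ndirs_off, dirs_off = 108, 112
    else:
        return result
    if opt + dirs_off > len(data):
        return result
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory(index):
        """(rva, size) of a data directory entry, or (0, 0) if absent or truncated."""
        off = opt + dirs_off + 8 * index
        if index >= ndirs or off + 8 > len(data):
            return (0, 0)
        return struct.unpack_from("<II", data, off)

    section_names = []
    for i in range(nsections):  # section table follows the optional header, 40 bytes each
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            break
        section_names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))

    result.update({
        "is_pe": True,
        "is_64bit": magic == 0x20B,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, f"OTHER({subsystem})"),
        # Presence of a certificate table only; validity needs signtool/osslsigncode.
        "has_authenticode": directory(DIR_SECURITY)[1] != 0,
        "has_clr_header": directory(DIR_CLR_RUNTIME)[1] != 0,
        "has_bundle_marker": BUNDLE_MARKER in data,
        "mentions_singlefilehost": b"singlefilehost" in data,
        "section_names": section_names,
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", data)],
    })
    if result["has_clr_header"]:
        result["kind"] = "managed-dotnet"          # IL image: dnSpy/ILSpy open it directly
    elif result["has_bundle_marker"] or result["mentions_singlefilehost"]:
        result["kind"] = "dotnet-singlefile-host"  # native host, assemblies bundled inside; ILSpy opens the bundle
    else:
        result["kind"] = "native"
    return result


def build_sample(dll=False, subsystem=2, clr=False, bundle=False) -> bytes:
    """Constructed PE32+ header plus a short body: not a real binary, only enough
    structure to exercise triage_pe offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    ndirs, opt_size = 16, 112 + 8 * 16
    characteristics = 0x0022 | (IMAGE_FILE_DLL if dll else 0)      # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, ndirs)
    if clr:
        struct.pack_into("<II", opt, 112 + 8 * DIR_CLR_RUNTIME, 0x2008, 0x48)
    section = b".text\0\0\0" + b"\0" * 32
    body = b"\0" * 16 + b"https://example.invalid/levelcomputer.zip\0"  # constructed URL, not the real one
    if bundle:
        body += b"D:\\a\\_work\\singlefilehost.pdb\0" + BUNDLE_MARKER   # constructed host PDB path
    return dos + b"PE\0\0" + coff + bytes(opt) + section + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(bundle=True)
    for key, value in triage_pe(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real sample from a disposable analysis VM, or with no arguments to see the constructed single-file-host case. A `kind` of `dotnet-singlefile-host` is exactly the situation described in this post: no CLR header for dnSpy to find, but a bundle marker telling you the managed code is inside and that ILSpy (or a bundle extractor) is the right next step. The subsystem field only tells you whether a console would appear, not whether the program shows a window, so a `WINDOWS_GUI` downloader that never creates a window is consistent with the "no GUI" observation earlier in the thread.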
 
That's the payload that's got me curious. I'm just throwing this sample at all the tech out there to see what jives. If you have the time to dissect it... Please do :)

Also noted to MS that it was a malicious downloader.