e1d1b39589002db4260dad9f4567cbb5a07803ca1fe7a17f1ca7f9bd1f035827

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2022 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document8765.exe
Size

4.7MB
MD5

b2a0b09874ba025e4909c76f3fc0fb70
SHA1

80c75997f2582afdbc550f5256c13ff1424aab81
SHA256

e1d1b39589002db4260dad9f4567cbb5a07803ca1fe7a17f1ca7f9bd1f035827
SHA512

1bb29068e3c8f8547e719a951820790521215a2b057cffd9ba73fdfd8537c065151d64fa49bcdf25ba9671952b1b51bb05c8a94fef6c131bb834ff6a030e8194
SSDEEP

98304:uFj6+6efPlwcw/lXvcbCOwEY/Gf4IPB3YwP:vefPzMlX+wjQP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

document8765.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	document8765.exe

Loads dropped DLL 8 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

516 MsiExec.exe
4436 rundll32.exe
4436 rundll32.exe
4436 rundll32.exe
4436 rundll32.exe
4436 rundll32.exe
4436 rundll32.exe
4436 rundll32.exe

pid	process
516	MsiExec.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

document8765.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4688	document8765.exe
Token: SeShutdownPrivilege	1640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1640	msiexec.exe
Token: SeSecurityPrivilege	2580	msiexec.exe
Token: SeCreateTokenPrivilege	1640	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1640	msiexec.exe
Token: SeLockMemoryPrivilege	1640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1640	msiexec.exe
Token: SeMachineAccountPrivilege	1640	msiexec.exe
Token: SeTcbPrivilege	1640	msiexec.exe
Token: SeSecurityPrivilege	1640	msiexec.exe
Token: SeTakeOwnershipPrivilege	1640	msiexec.exe
Token: SeLoadDriverPrivilege	1640	msiexec.exe
Token: SeSystemProfilePrivilege	1640	msiexec.exe
Token: SeSystemtimePrivilege	1640	msiexec.exe
Token: SeProfSingleProcessPrivilege	1640	msiexec.exe
Token: SeIncBasePriorityPrivilege	1640	msiexec.exe
Token: SeCreatePagefilePrivilege	1640	msiexec.exe
Token: SeCreatePermanentPrivilege	1640	msiexec.exe
Token: SeBackupPrivilege	1640	msiexec.exe
Token: SeRestorePrivilege	1640	msiexec.exe
Token: SeShutdownPrivilege	1640	msiexec.exe
Token: SeDebugPrivilege	1640	msiexec.exe
Token: SeAuditPrivilege	1640	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1640	msiexec.exe
Token: SeChangeNotifyPrivilege	1640	msiexec.exe
Token: SeRemoteShutdownPrivilege	1640	msiexec.exe
Token: SeUndockPrivilege	1640	msiexec.exe
Token: SeSyncAgentPrivilege	1640	msiexec.exe
Token: SeEnableDelegationPrivilege	1640	msiexec.exe
Token: SeManageVolumePrivilege	1640	msiexec.exe
Token: SeImpersonatePrivilege	1640	msiexec.exe
Token: SeCreateGlobalPrivilege	1640	msiexec.exe
Token: SeCreateTokenPrivilege	1640	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1640	msiexec.exe
Token: SeLockMemoryPrivilege	1640	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1640	msiexec.exe
Token: SeMachineAccountPrivilege	1640	msiexec.exe
Token: SeTcbPrivilege	1640	msiexec.exe
Token: SeSecurityPrivilege	1640	msiexec.exe
Token: SeTakeOwnershipPrivilege	1640	msiexec.exe
Token: SeLoadDriverPrivilege	1640	msiexec.exe
Token: SeSystemProfilePrivilege	1640	msiexec.exe
Token: SeSystemtimePrivilege	1640	msiexec.exe
Token: SeProfSingleProcessPrivilege	1640	msiexec.exe
Token: SeIncBasePriorityPrivilege	1640	msiexec.exe
Token: SeCreatePagefilePrivilege	1640	msiexec.exe
Token: SeCreatePermanentPrivilege	1640	msiexec.exe
Token: SeBackupPrivilege	1640	msiexec.exe
Token: SeRestorePrivilege	1640	msiexec.exe
Token: SeShutdownPrivilege	1640	msiexec.exe
Token: SeDebugPrivilege	1640	msiexec.exe
Token: SeAuditPrivilege	1640	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1640	msiexec.exe
Token: SeChangeNotifyPrivilege	1640	msiexec.exe
Token: SeRemoteShutdownPrivilege	1640	msiexec.exe
Token: SeUndockPrivilege	1640	msiexec.exe
Token: SeSyncAgentPrivilege	1640	msiexec.exe
Token: SeEnableDelegationPrivilege	1640	msiexec.exe
Token: SeManageVolumePrivilege	1640	msiexec.exe
Token: SeImpersonatePrivilege	1640	msiexec.exe
Token: SeCreateGlobalPrivilege	1640	msiexec.exe
Token: SeCreateTokenPrivilege	1640	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1640	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1640 msiexec.exe

pid	process
1640	msiexec.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

document8765.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 4688 wrote to memory of 1640	4688	document8765.exe	msiexec.exe
PID 4688 wrote to memory of 1640	4688	document8765.exe	msiexec.exe
PID 4688 wrote to memory of 1640	4688	document8765.exe	msiexec.exe
PID 2580 wrote to memory of 516	2580	msiexec.exe	MsiExec.exe
PID 2580 wrote to memory of 516	2580	msiexec.exe	MsiExec.exe
PID 2580 wrote to memory of 516	2580	msiexec.exe	MsiExec.exe
PID 516 wrote to memory of 4436	516	MsiExec.exe	rundll32.exe
PID 516 wrote to memory of 4436	516	MsiExec.exe	rundll32.exe
PID 516 wrote to memory of 4436	516	MsiExec.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\document8765.exe
"C:\Users\Admin\AppData\Local\Temp\document8765.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7F29D73A590956B47643A112AA5AC6C C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240555031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
3⤵
- Loads dropped DLL
PID:4436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp
Filesize
1016KB

MD5
73475c63fde46aac78f942937230537f

SHA1
2738c1a44cb67adaf3510d90b2398b1fc41a3430

SHA256
87426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0

SHA512
0f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp
Filesize
1016KB

MD5
73475c63fde46aac78f942937230537f

SHA1
2738c1a44cb67adaf3510d90b2398b1fc41a3430

SHA256
87426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0

SHA512
0f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp
Filesize
1016KB

MD5
73475c63fde46aac78f942937230537f

SHA1
2738c1a44cb67adaf3510d90b2398b1fc41a3430

SHA256
87426736b1157828ba843bac4adf5bed17dc37db7c411c963e1529d4d21d66b0

SHA512
0f66bc116ee62669d6ed4bdc84e27796c6d601619eed92b8274b9c89ead2ea5bfdc590a66470bc66324f41e64e9b5ec50268dc6dd322b02d6094f568de4487b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\ScreenConnect.Core.dll
Filesize
466KB

MD5
90f06bea5a196926711feaad344c1e7e

SHA1
861e4f80c57676e8f8f288b0c9df4b8639184214

SHA256
15b94caf2a52ad2296d099a2b0666decab0d00396ff5d94726c158b4a34c4317

SHA512
54411631a6314f714a551bd4f1834e87edd34f18b20e697caa98ce4783cb10f28365536c35bc7eccb30701e6c4131c6541e8668227e05366112919812ce25a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\ScreenConnect.Core.dll
Filesize
466KB

MD5
90f06bea5a196926711feaad344c1e7e

SHA1
861e4f80c57676e8f8f288b0c9df4b8639184214

SHA256
15b94caf2a52ad2296d099a2b0666decab0d00396ff5d94726c158b4a34c4317

SHA512
54411631a6314f714a551bd4f1834e87edd34f18b20e697caa98ce4783cb10f28365536c35bc7eccb30701e6c4131c6541e8668227e05366112919812ce25a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\ScreenConnect.InstallerActions.dll
Filesize
20KB

MD5
2bf660e4d5929045e0704ca9beb156e0

SHA1
2beb37462a31ccf1b406ba5eee3dbd0dd77f9c5f

SHA256
29e3e009d17c754af1adc44b3008f877a0068bf43b7dd989a74ba569dc3710f6

SHA512
f98f2fc29f6a0f6b247f324f092e04864390d781562e31b905e70a361ec7a03a961bb7a893db51ecd481df1bf6b3a1596d042492184e2f100f1433cb84eeff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9196.tmp-\ScreenConnect.InstallerActions.dll
Filesize
20KB

MD5
2bf660e4d5929045e0704ca9beb156e0

SHA1
2beb37462a31ccf1b406ba5eee3dbd0dd77f9c5f

SHA256
29e3e009d17c754af1adc44b3008f877a0068bf43b7dd989a74ba569dc3710f6

SHA512
f98f2fc29f6a0f6b247f324f092e04864390d781562e31b905e70a361ec7a03a961bb7a893db51ecd481df1bf6b3a1596d042492184e2f100f1433cb84eeff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi
Filesize
2.5MB

MD5
31df653a1b4d2d3111df8c8a905f1297

SHA1
1ddad6ef3be78cb099363f7093bf9a3ea3ee7f81

SHA256
0e3ded0439839c6ab7a8f656eeb5e1e4c7aeb18b9374629298394da2db66f335

SHA512
e92ffe088b16953bd39c8805bdace2bb6b1d831f5badee8bad666d7560a213a26f33b9200da5e13e1cd25c5b4be447e53f5d28cc8608c152826ebab756726b08

Download Submit
memory/516-134-0x0000000000000000-mapping.dmp

Download
memory/1640-132-0x0000000000000000-mapping.dmp

Download
memory/4436-137-0x0000000000000000-mapping.dmp

Download
memory/4436-141-0x0000000004AA0000-0x0000000004ACE000-memory.dmp

Filesize
184KB

Download
memory/4436-144-0x0000000004A90000-0x0000000004A9C000-memory.dmp

Filesize
48KB

Download
memory/4436-147-0x0000000004B90000-0x0000000004C0C000-memory.dmp

Filesize
496KB

Download