Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 09:59
Static task: static1
Behavioral task: behavioral1
- Sample: 152e9894347fd4e57954028f330c0837.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 152e9894347fd4e57954028f330c0837.exe
- Resource: win10v2004-20231215-en
General
- Target: 152e9894347fd4e57954028f330c0837.exe
- Size: 4.1MB
- MD5: 152e9894347fd4e57954028f330c0837
- SHA1: acf9ddceee55f0bdd785b074809d6dedb914521e
- SHA256: d763fb5ec25dc941cc01c9e3621b28fffa846fd687ea8defdecbbcd7d44ba865
- SHA512: 51b69e2d2c68c371cfe0d355e2590f60c693e040fa20af2b72f6e27be6ebc77c21353a1939a4abacc695607410ca5b3f8e951a951bd877b329ae48f53d7d855d
- SSDEEP: 49152:qdhwrvi963PSumT0+TFiH7efPp3Z03guLI3pXCLLZldj6tCi+KfXGujLYV1gX8:qdhwq6+6efPYwuc3ELFld2qcGEW/
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 704: ScreenConnect.ClientService.exe
  PID 2052: ScreenConnect.WindowsClient.exe
- Loads dropped DLL (27 IoCs)
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (12 IoCs)
  Files created by msiexec.exe:
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\system.config
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.Client.dll
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.ClientService.dll
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.Windows.dll
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.ClientService.exe
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\Client.Override.en-US.resources
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\Client.resources
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.Core.dll
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.WindowsClient.exe
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.WindowsClient.exe.config
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\app.config
  C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\Client.en-US.resources
- Drops file in Windows directory (18 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (49 IoCs)
- Modifies registry class (32 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2936: msiexec.exe
  PID 2936: msiexec.exe
  PID 704: ScreenConnect.ClientService.exe
  PID 704: ScreenConnect.ClientService.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (7 IoCs)
  PID 1756: msiexec.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 1756: msiexec.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
- Suspicious use of SendNotifyMessage (5 IoCs)
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
  PID 2052: ScreenConnect.WindowsClient.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\152e9894347fd4e57954028f330c0837.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\152e9894347fd4e57954028f330c0837.exe"
  PID: 780
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
    PID: 1756
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2936
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2E0EA7DD3218992981032996715C1BDE C
    PID: 2748
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIBD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259394562 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
      PID: 2848
      Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1DD0DCC957BB518103D22027B1E942E7
    PID: 896
    Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0A3B2C0FC5E2451B8D761240ECF27 M Global\MSI0000
    PID: 1696
    Signatures: Loads dropped DLL; Drops file in Windows directory
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2484
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "00000000000003B0"
  PID: 1188
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.WindowsClient.exe
  Command line: "C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.WindowsClient.exe" "RunRole" "857737cf-c50f-403d-a8e1-1f7d9b23720b" "User"
  PID: 2052
  Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.ClientService.exe
  Command line: "C:\Program Files (x86)\ScreenConnect Client (0557653572935cb6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=help.tbcit.co.uk&p=8041&s=362a5ece-af08-4546-96e4-83c2f855ec17&k=BgIAAACkAABSU0ExAAgAAAEAAQD%2fRVKwCDhTAYjNZvhpj4NKmPP00Wkv5Prao0XtXQQPEEYvaNXZmXPdBluPxJKjB2HsNeSR4m7el4V6quql9oru44cfS0XD3lLU3%2fXEtOZm4CIbhvwpZexoNs4wk1B3dWS6KrihsncgnZ3DKme7JdobU7OmO5mxr9EMn%2frnyzb5IFptEG7yCMpARL5NVgkXwFAgbHqcwpOLy7oSF7asnfSuRXZolfizXefmcMF8mzgUtmLtAnbilSn9nUdgMXt9LfJyh4tEW2IyjQK%2ftiPGtN%2f4MUCRm1IK9vMBQyjlQQE7UA8VVyHq2NojFV1OyTmoGUaedNmQB3u2&t=&c=Atelier%20Ten&c=Head%20Office&c=&c=&c=&c=&c=&c="
  PID: 704
  Signatures: Executes dropped EXE; Loads dropped DLL; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads