Analysis
-
max time kernel
119s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
13-02-2024 07:03
General
-
Target
setup.msi
-
Size
10.2MB
-
MD5
617299f27fdc8b8484abd9967a707cce
-
SHA1
31118c3a74526862f727e41b30997289661ef634
-
SHA256
caca9bf2a15da2e26fae327668e175279d57b26556a01b7b71beae4233a2849f
-
SHA512
5a77b4fcc25f9f94bef60c32e42bfb421a909c7d6ba86e057620cddc347b4927c46329f6b116a0ad8d15508fb7c01816b5678d808b8109781fbbb457050b5cd1
-
SSDEEP
98304:XAMvSQwxDnl2dYds9GLIeDT3OF6zbAMvSQwxDnl2dYds7AMvSQwxDnl2dYdsVAMf:LnEPDT3wonnnJntnbn
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 15 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 23 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 52 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7E1D733A385595EB1474E1B99DF1517 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI2211.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259400287 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F352DE56717456F8246EAAE9CE9F13812⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADDEA5562710D9BA85F117D0A4DB1842 M Global\MSI00002⤵
- Drops file in Windows directory
- Loads dropped DLL
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A4" "000000000000058C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-b5lwpw-relay.screenconnect.com&p=443&s=c66973a1-efcb-4721-8599-53fabeb4dfe0&k=BgIAAACkAABSU0ExAAgAAAEAAQCBEXpmMGm1D3InXFr1sRAQDkVGxS4TfvYimB7%2bHbP7MUHYpv81VqYsC9Q90NO3qQYG3HGJYy06gKx8dPxvqYRI4D06hQ%2fCHgXxWAHFaeUNVKnm7xcfXSKTFBJDBGCs%2bqzjphqOPkCp21mfzyBr1FMXznaCREVxcPD%2bLMN1p82LKW5mGif6U2Q1DqW8PsRn0h7kVD1Kd2cPCwVE5bgD7HQkEPHOCIKUfalSM%2fBYU17aXZ5NVt%2bNx4auXbg4xVuj9y60BYU1bZQli9hGhFbr%2byRh%2filGb%2bDvpECnbseW8IXPWphuLJgXAtGRC%2bME3%2fOV29Az6f6OjlZHCRWFSSAZFWKb"1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.WindowsClient.exe" "RunRole" "ff4cd665-11d9-4687-a5d9-e4331c3b513d" "User"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (0a1cfe17eac896bf)\ScreenConnect.WindowsClient.exe" "RunRole" "527c7991-4465-4edd-a9a4-6e56595e3c9f" "System"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5cea3d4da59a27b7a267b1d4ca85656ba
SHA1cf59ee0f29c4dcd818e0fb4cf90735832a6d4d4b
SHA256036e9f0df84c135174131f18b6f0852057ba2408dae1ff02a592b591e3434dd2
SHA5122d4b4a8e85910580177aeb1d05abd129724a5fb7e45cc927f376fd97b61f0f5a0acb17087b6b05e81152caede9bcc3c7aa92fee0ad83369905fce9149897ea0b
-
Filesize
251B
MD57857331bd82d84f45630bffc739ddfa6
SHA191f74b971b2c66efebf2495fdff3c5f7c707a7c3
SHA256f8c6ffac6cb3413f082100c33adc6a644d92f43ce8412bfae72fad5a2659b5fe
SHA5127b9ba5bc97c84415f3586a337fcfe3fe5f2d6e06b9992e7787da12ba6e7df2bc7189b12ab5a7aceb990a389f59db02119acbb127e5c6ecb41a93410f07df9a10
-
Filesize
47KB
MD526f4eb71380f8e033c74ed8c57d0ad9d
SHA1d94252e86215a4a2e29f081cecd335d48bbd7a9c
SHA256179b6d08519b3e56dce0cc0096f31e9751d74b7875e030a3b2d01c189be0108d
SHA5128d36cad523e6847d055caa35535388008633187078c55625f32548016ffd2ba9f5528fe2df2c97d6c9e3e08ac432f8156d59da334acfec4142a44b4a4421a897
-
Filesize
26KB
MD55cd580b22da0c33ec6730b10a6c74932
SHA10b6bded7936178d80841b289769c6ff0c8eead2d
SHA256de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787
-
Filesize
93KB
MD589d3d099b6d8731bd1b7f5a68b5bf17c
SHA1c6aed886840aafd08796207e2646d8805d012b81
SHA256bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924
SHA5126cb52828006ef2d41b9acc2a8a8e84b2d5f0bee0304cc8762d5945a1e21023373371893a261d089599799ebe89cbe0da5327ee80d5db07a936727ea21fb0951a
-
Filesize
621KB
MD58d8f6a238eb6d857112c617e62ffa7fa
SHA14b644397b334a1ae7631b4bf7ce2180fbd6ae683
SHA256046281632493299efe37605ebd37cfc986e2f6816436ad0a030b1dcb5c3538de
SHA51245f7af5b00e041bccb95160930eb2ac0b2348957dc9ddbdb5d99c11dac00b13225e3665323c78280d48c66bc9cb91b8d03d47c0d11ca469802619e15ce5347d0
-
Filesize
110KB
MD563774b20b50a38d08c7fdb9f96542746
SHA17599e4d4e7449c0e2fb41fa9403150b43552e00e
SHA256320a1082d19429396574641c8b1d99182f0afcd4239ac060b3d02f1b65240ff8
SHA512187efd6bfdca6a8cb351b7729ae0faafefb05d960b51771105987c9a70c646fa0b342fa39da2b3a33006927d9c49815c35a11add6a98bb7f475eab6e9f0f4621
-
Filesize
243KB
MD5cd21ff1a598cf502adb2f48b66d244df
SHA16a0da071025a1c6c9a1570b2409c028a5396dfe5
SHA25615b6e4f11d97ef9ccdf5fddfc6014e0ab843b28a8578762cb1ff8ebaf8b520ec
SHA512a3c79e026fefb406561741c269a26d119b57a935b1f0f2bbbdb4fa9db4df2ca265f4713189727e94e68c01a00cd0e1b35effe2b25273b853ce3eaa4ef242f564
-
Filesize
65KB
MD5516747a757c22670371c7a74aa260076
SHA17c9321082f5171b545bca13160feef5245e5c34d
SHA256c4333b1be486f9ea6853ae4ce9f783235d07ae3214a934f6facd8c0e3d5fcb79
SHA512c16db04d506b4a48c79dc64927682c4083dbd9d5dcc5accbbc81180639a4725287c0c01270a7b4b7f9a9667946e1e5f580694cd1c666d260495e039972067757
-
Filesize
266B
MD5728175e20ffbceb46760bb5e1112f38b
SHA12421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA25687c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7
-
Filesize
186KB
MD5ebf029c18bce92edf276a17911ac1544
SHA10e001f290f039fca1d30c74e09b32178bc0acfbf
SHA25673dfbd9bb57e1624e404935a20b7ed0cce18197cc0cc1807c1cec7fa45bed1c9
SHA512fea0a12495a52f06aded5997e15feaf696c1d29e7b98586e859f51f7b73e638e82b5a71c488ded6afcf8ad6282492b5f4de88570848034368dc075d16f53a69a
-
Filesize
1KB
MD5fb5648fb1b03436a3bc2d7976e303958
SHA14f2d86e66085c0376f088784280f116434be478e
SHA2568019b1ef68f4566f805dc9891a93f3b290f2c8a3d57cbc3263923479ad7f19d1
SHA51273fbb65fd7d2c6eb93a41676ba566f610a7dd60ecd827dd7c0e7436288636ee60c92e8aad5c61ca08b04e7d51b50adb0c66c91bd3b59a96b61b1683b40bf5b1e
-
Filesize
966B
MD53a44259b9ca701fa74ffb8269deffbfe
SHA1e83a9d139e2fc745e21d59ce5d3ad0087f9fdbb6
SHA25608f903e4d90e51cd06b11d7c13f9119f5d0589894cc39c99e612baa963418e41
SHA51218a96daf044c53725622e817ac382fcde24e074b1fdc8da3294c54896c863442bd3f47317a7861469249a923ed557d8b405c3404d927ef0e880cb96107c9f8b3
-
Filesize
14KB
MD5a598800a878fa4f025df3a07c30c7eb2
SHA17c88c26f2152ced2b3f9e2a72180f80ee74bf265
SHA256e5c98ea89e04ee066a78964cbbb6e62bccc5ea758bdac915c100ef3d727cbe6b
SHA5120cf1ed0d4382f350ff4fbf2350e52d56f4e692cdb1a8fd79983f0caed31c374407c34bf88257f7bfdb515ed2a21ab8cf44be904119371e10d822c1c5d74e0fcc
-
Filesize
550KB
MD558b5527e4f3c83a96fbcef235613432d
SHA141448f3ab204f6aa52856e7e86db1117a1087126
SHA256f236c7b9880e563c2428931bf93ff62ddaf307fe2f2a63ff687402f35acdd20f
SHA512f829f7c88c64f8accfd6fb6d8e56fa6551df333797d58401eec6174019df72c8d4945526f71dcef5ca3f757adf8d7cb9a5b1d2aaf5342a3393e3201aa9c2f7c4
-
Filesize
115KB
MD54dc09336499277eb2ed53e7aa9471319
SHA197c028c5b83d872c55c55dc607ca40378e9c6d6a
SHA256b73239ff542399332f5dbf48d7b2d6af71957fc1b76a2a4d506c65f221f806f4
SHA512071b466e677657980442c10b99d1fb33a5b2733401c89de2b811383ea11e08fa91d994e44cc81d06631a3bbd5f46d94c03207ecb065ea9dd31a60359f2f3f29b
-
Filesize
188KB
MD5ca2857bac072baec93fbf23e5fcff956
SHA1049f21dfe97f5dc247b0c7a29e22111dc4c63aad
SHA25604a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0
SHA51296bdfe18334b9837223da8ebb7f671abde9559f6e5150854025315bcccc09133c50939cb0e62ff16219d45b77711baa3c3c278edacda4584960e9c06e63e20f1
-
Filesize
59KB
MD5a9d86db5d9c735d6dcc83e979ab64a7d
SHA1e4f945e799d9bf5fc103f65d8ca832290b5ab03c
SHA256083eb9b90e04e39514c50e296593c3652f05cf3fe3ba41cb7adeed82930e4ddf
SHA512ceceeea84b266ca389562fcbbc4fa24bb4b44093289b0a67e60bf4506c2a554087fb2ee9ee607e29efb8912a26ce65c3457a14c23c4d742181b3795a3a6338b4
-
Filesize
380KB
MD5ebb57ac0ec83d23ce63b6acf9f40a29d
SHA1075112c0cffd77dfce2d13267fad39deee332476
SHA256bc57727106f21d7e89514f46fbd8513a56f180f6f8229c7cd95624f0a4cc9f83
SHA5129efa5fb5c3d646ad577f278655bb1358a42184b4c35319750c035a769bf6712e3080e0d388a86789203df44e07928da10d44dd2e4e3577db5e61d5e84ef7edae
-
Filesize
456KB
MD555620922e98ebad60a488552b11a6288
SHA1f7722c0a01e2ef32ecc29b40c43b7c465ecf7c28
SHA2569583fa56346f0b5068a4b29bca83d1d29a3d7e868370f3ac510e23c942cefffa
SHA512915edee8131bfaa3a637dc9780aff6274392565445c4b9725d2b5768c668351b598ca99bd79eaee52c232cccaec29cf1eb5fef71f1ae145bc7a61ca2dfc692e4
-
Filesize
486KB
MD5388eafa2f6a2345176ad8bb34cf37222
SHA10e5e9ca7adc5f45025434ef65c87ad275450dd1f
SHA2569257df422ff7025118d264a51cdedef1777111fce15fee5bb28aca43f60585b1
SHA5120a308d7c74ea09d6be01d09aca17e74a04dd5c4fc48d7c67aa420e9c10c61a22e37b7e552eba9334a5cd68dbd3c764963b67425a14c257e0fa7fe45ce99e8ef3
-
Filesize
673KB
MD54db746e0d83664d3e60206fea206de91
SHA10286e56915e1e77d72ba5ee654f1c3636dbcf9db
SHA256b4d856d24d1385a663bc9755d834ea125d84250722c4f19381166bf54962948f
SHA5129535fc3e97a579fbaefada480113c657253a028d0093ef35e14712c1532bf93b2f0d07b09ad9b6a87e32b8eaccb4206512c0436f51fd50105965c8770ac301f6
-
Filesize
177KB
MD53c639fe307efd2d0495b14169b1bd4b7
SHA1036ed94e72dc8513f357849a3a5f82e36c675bc8
SHA2565b3630c56867ae2a40e4e3ae06983ab37153d186952605553c9846751979e6f4
SHA51277c6fba168f5e4cf4130fee6e8ceb485d91ceb168ff1fa16279134880dbe6e024570b4ee31090b05dc83c4e51b215dec9f7d8c06a48ff69c391d3cd97555193e
-
Filesize
113KB
MD5bf531c219a8b2bff4f792946e3365ee0
SHA1a6ed1aec656c3da890fec94654092dfce6176288
SHA256fec36758e4b3932e45f2b5291c45186ec1db0a2d5fafafb6992d79a4318c422e
SHA51264eb7136650c013c1fd09b8ada1dfc14d02da490f6469adf68ee49f86e71276b86ac8a0fbcba256906c0a0723b943db5b4416c61f5f7fb6af56eaf83ebea6171
-
Filesize
53KB
MD5292751a6fd7dd94804066c5ed7fef8fd
SHA18542bcd9102b2f95237fe688c547cf3323debcd8
SHA2566cab7480f1a41a8d085495ec9595239844d4e2d5b25d33d16cdc2e94ac16cd4e
SHA512017abde1c19ddc842aa1afb434df4e6fd79c9e27d9494a68c332372c2b85795b3cc6d277453f8cddd630b04115ae3030502a65cb9fb1f99f5b6e119e9fdcaa54
-
Filesize
19KB
MD536c1f4b2c4ee8bfc21f7d44ca7ed3912
SHA1e1d851fe9795942d14f831a1e3a82d280c30ea6e
SHA256f8c6b94339dba8c2022e86bd8cfc6c2222ffa37c0e5c588698b7f5bcb672cc45
SHA512fc74f65484fe92ee060aaf5cee4e083b85e54fa086f1b93bdcb13d08fd6c54fa239d830ed8c64cf569d1b5e2f13dd8cd4f1eb135e7a7d9178542810c91f694de
-
Filesize
81KB
MD5f42fd8df97051c6da82884b4402b46f3
SHA15529e51206c3279d218874df8b2600f4a76d3472
SHA256189a42d7e85a9e29de2ee58468690ff38a0045935ad74adfeba65bad1c2de4b1
SHA512a7eb62ee1a066ec1b424ac384df44d645b7086e837b671b469fcad53dd5f5f65f575f1773c9f490c03a712f34ebe7ab8a929a1db0c5fa49a8616389d90919be6
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
518KB
MD5469a702d0861e2c63e6e6e575c58e399
SHA106cf299c7dc7867c9584647f5ba681aec6c469d4
SHA256affb342d2dce754b4ddbeeb4ed344806fda531d68346df12629b7bd8c0fa753c
SHA51290fa0f0bbb3076f770354fc6f870c302c2c3a7e2ea010dc451cbd4dd0d417aa360f57ddfe003ea634efa38a7e34b63236ffe1addb4738fac16cff798c940b016
-
Filesize
386KB
MD508cd9b9681098932323ebc1db4f8aed6
SHA1540e0a8d2ef932426769cd01172ea3d9220e48c9
SHA256d08dbf6789c9bb795a2cd3b34581788f41b45cb7b90952918f4bb011ac85f473
SHA512ac0d8ba4ba85bb563c0feb989f42fb1a8173f318e00aa4a4a5c9be2533aa1f6704013cdeaeaaa75c50678d56887bbb37d8c3056b0bc9e96124673d03a5706d46
-
Filesize
21KB
MD541e8c80a7f1bf4911fce55c0de249302
SHA121d6f8ddc242a55c4894127bbef0479fea1d6847
SHA256569b267d8c4cef1b26c9337f5a355f0040ad4d7e9610f28784e4af05efa3e4e9
SHA512d2f375e9956d46db0fc4e0162ea894ad8598512a3de93537579ddcd8872fc8160751a4ada37bbc9f61b78414e5d241dfb2e036f2200bff4de70ac1a417aaa240
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
592KB
-
Filesize
1.7MB
-
Filesize
544KB
-
Filesize
9.9MB
-
Filesize
216KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
216KB
-
Filesize
88KB
-
Filesize
544KB
-
Filesize
1.7MB
-
Filesize
88KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
760KB
-
Filesize
6.9MB
-
Filesize
544KB
-
Filesize
48KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
184KB