Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
22-05-2024 23:25
General
-
Target
a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe
-
Size
1.8MB
-
MD5
2475d4fa80a7b6af042c79d1046016d2
-
SHA1
22834caa9edf1fc3ea29c435efd772dc571a6ab4
-
SHA256
a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557
-
SHA512
0b5a30de1edb91f4bffdf16973102f2fe560fcfdd57ffd77642eb6dee797d34d8a488491029792867426d3f24f280d60335752ab710675ea8a8ccded773fc5ac
-
SSDEEP
49152:gpuG8T0+TL3Z0DmvyTm61lGdODmuGu4IDAAM:gpuGjaH6HGA/GxID7M
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 27 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 49 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of SendNotifyMessage 11 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe"C:\Users\Admin\AppData\Local\Temp\a69ff0e6922d563a4e2aa9cea3a8a18c72b43338f4d2c6fd4d6d6f45e6c1f557.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADE1F403D7A8C449DEE94324A0C05E71 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI879.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259393688 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 965271F0383F00868C3C7DBB225BD42A2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3340ADD0A185A59456A6C9C7B22C2E0E M Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "0000000000000574"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=remote.itpscorp.com&p=8041&s=a5baac61-ca2f-4dfc-b72a-156668a878ef&k=BgIAAACkAABSU0ExAAgAAAEAAQDRZuff2G6AqGrCUrnr8YRri%2fQ2b4QvL9J74fMDfzFPNAwEBQ%2fCpEzbvKBAQ2NPCwWIweRELTDWwrYEN0H6cXAubwnahOnwyG2j69lwy0MuEWgX1vTvzJEfE0Kn%2boe7FBzJaNPrEkJYyEcX9Wcx%2bJH0I9VpJc6qzVsdPgjOTN4DpoINBJoZfur%2bPRxGwhHk7aZYht69jz1IdTmmjOwo%2b9VUTil2M0258AYc2DpLD6bIX754tyMcyTaDVu4MR8guiwRH7wlFht2yxzdTIFjSfoE%2f1Qs6g9KZsdJsIlK%2bWoYhgnd4uc1oZJAwHI8NcuMJAgxJuPx7vctwBmSW%2fbhAToW2&t=&c=&c=&c=&c=&c=&c=&c=&c="1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe" "RunRole" "379e9eb9-c3b3-4355-912b-0f0bb6faace6" "User"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f7629b1.rbsFilesize
161KB
MD5f23c48972cd0b5b0f16f0f2473767a07
SHA1eeb480306c2982d5745a8afe709537d1a2ea6e1c
SHA256063e7a1bf0afe4e7cdfa0adbd2168cb9a2c4b6520ffd2f8b36081929d9d32008
SHA512bf64b6530431e7ba46bb92d44c8f28e49e13fbeea59ce14e88292dc34da37fc050a3c81b973c2976c8e62b866bf79129878f542f5c8d0e2b12131f91ff999dc9
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.en-US.resourcesFilesize
376B
MD524831dc7eb428756b06bcc13dfb51133
SHA145fcaf20bb858ea45de81230dfc885bf8f1893f5
SHA256381405a47d821c2d1199cca034dddfe38bbf6da4a399eaec8c13835593873274
SHA512e0b701387c62639d4ef0bea63325ce2393c02c206cdf01caf882685b588216c62ce6e20b192569b91d6f34b6661d736b2d49beecffba66acd58f8bb95011f41a
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.Override.resourcesFilesize
33KB
MD5193f71a0681b3f5f606e64025c6c6808
SHA1205662c9430edf6979feacea309f584f44e5be78
SHA2564d9d0e18921604bf41630fbb100ea6cdce9c4ffd75388dd488978a8d0ab1394d
SHA512efcbdd8f71bbf7c370d0b440a294a812994538a543cbe3b1dc1bb2c13cc1f38db400dcb26b6816be8e166e2a854d25371a6c60af0570d673207e7f394352ec87
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.en-US.resourcesFilesize
29KB
MD5a43aaf2d1dddc85e4a2a8d4f504aa778
SHA15211bd8b588f6f22b907d34a01c442c9fb07792b
SHA2569c3d39f3b4c1aeac49be78fbf4ab947de5059575472409e8e39c0079bb87595a
SHA512e932bef68a03ae7665447bb031d4aeb031b4dccbdda18126fad2f0fd753a8363eea123d57352117b92b5f0738db2eb6c36fd5d41895da35e5a362745259918e6
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\Client.resourcesFilesize
4KB
MD52a9e105ffe57302cae11202ea1194182
SHA172255e5e34e450b450157732330761ce4c010b11
SHA2566e5a9facb9f91eb70320e4400c40a2911c4500170e05a5c02c544edaf9b7464f
SHA512024a61ada26e3dd483eb60b538c1b7e3ff15518f7ea0914a7915a3e5ca1c81ae35922f79cbd1eba8fcd9a0675044894ec36129246c47eb91811955569230edab
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.exeFilesize
88KB
MD5a6b19567486c5fa7d8f62b9651960717
SHA18747ebd27f7d8c3bb0d86720942c30091c71a33d
SHA2560804a763fb0ce0a5a0431cb4f1a0a2a3e0328ae6407ea00cd17fb008b3ff13c7
SHA51286b8f5b1a0f1f193f8ce8f608e19f7cc05177ef86c9c1ece1a702b6b5300a87ad59603abfe06451ff60327b13d8a9d09c2b8dcc803b6880a469c08b68f2849bd
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exeFilesize
401KB
MD597ced867e7c5601a4b3c95dd1a09af6b
SHA108895d3691c44c4ea263d1d506c29de5d2a1a995
SHA256960cafb83857e8b61ed48450053358a04a9832e6a254537521f549d6a69d9571
SHA5124698c88f433036b67861a4bd3793918467fc49ea89e431ae41ee49a592d49506df69951cedf3b883d4b93a1ab3693eb31793ecf649f93d97da98236eabde1b97
-
C:\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.WindowsClient.exe.configFilesize
259B
MD595f04aa18dc27e4f0c73ac6829dcc3d8
SHA12f361486c18e23cea4b375e1c9cccdc14bdd620d
SHA256f3c7ed5a1114cbfa6e3e996f4b0311edb5e25dc2099fd7eb7a3a456c261a2d94
SHA51259bfd8675c2b215e793bf343b6d1aa9c3304ab763c5870a4934ab947284af7bb0493fc4b5a6048dc3d531262e061d68d7395f09eaee1ebf1524c0d8ed63164b4
-
C:\ProgramData\ScreenConnect Client (8cb4187b5188786a)\user.configFilesize
521B
MD5adb228bef4bba270872639b526e48b19
SHA109f429486de2b9b32d2c5a2029032a95187b95b0
SHA25603eba6653c902ec870f68b04370ea43c4e06345c8f276ece191f582a46de73b0
SHA512d5fbe92994582180cdd8dda80ee06da6dd725ec7e5d3e302a3c6f8d327f1aba816bcf7285d2efd0e8e1397b02376c8f9ae6efbc2b962d3e2b670e5eca9e91470
-
C:\Users\Admin\AppData\Local\Temp\setup.msiFilesize
1.1MB
MD5a43a610235303da1fd0585d820a3bda7
SHA1c33ae21b37e7d164a047cd048c3df8df746949ff
SHA25662c1aa40b3fe43075a2b30c01ffe5ee4b9def3d06f2e412cc38239467d2abd6b
SHA5128964faf8d2b8faa8fb75776439299da143229427ac7becaa6f44f7ff5c70f5454d5e43f84c5d0af96075a5fc504b881875b60d433ed7a197db7d12bd22c159bd
-
C:\Windows\Installer\MSI2A8B.tmpFilesize
152KB
MD5c62f1d994bb13e677211bbdba96433f8
SHA13a00d34df6ec81035234e339194fb49fbe317dbf
SHA2563585ccf92c60150cf863e26c0eb2948e206841ca8ff91dac092cf567eef0880b
SHA512c3269bcc5a639e7b8ebffc6f75313e12b27c8ad83abd99708e2aa7b5adfbb46a9fad1ebee81c2c53b9f84ea0e5ef200611a6db7b9f7165d43af04d853d47bef9
-
\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Client.dllFilesize
111KB
MD5fe14c58a632cbf3a96cd9d0ac7ee2502
SHA151350b955de5c57e0656bf836ef64ba30fe883fe
SHA256714793018ee4413de1c6581937f9f560bec6a51d8df5547d89fdc702d8ec4fec
SHA51217af67e3e577561f8fb5a36e5880aeec43b741dff5e85cfd6bbae261c9f0d41be83050918b5998a5583914fd2b915e210927c6f6af7d8a9bcfae1c48632a09f9
-
\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.ClientService.dllFilesize
27KB
MD597c3034adbecd6244ad2ad0906a1ae29
SHA19ce6c38fab6f9f7596a3ee7d5a18258cb142f2f2
SHA25637f3cdeb50928991d607f3869566d4d25741a1d29ceafc34c59e51fd1090c363
SHA512290a6159d75d0ccca24f1234d17f519c5b4da0d593e32dffed2defd92d717cfc3e2397acad3426578af7d2d0461de325ac9c6bda3416c15c777d67a288eabc31
-
\Program Files (x86)\ScreenConnect Client (8cb4187b5188786a)\ScreenConnect.Windows.dllFilesize
399KB
MD5ffc554d3dc3a162ace86145bdd123d1b
SHA18a38bc464aa472c0dc3c15eafe408e4b56ecd336
SHA256ee903fa082246f3cc129e715b7f571fe674104e850a57ae44db6a261519c225f
SHA51237279e8251fd9c74f146abc2d3e37249365f93974c185e236c5d3f3da9a6fe33b50e944625a9c3f7b5f0a90d319e77e1cd9a87f5d7dd7333effd635bf07e5e4d
-
\Users\Admin\AppData\Local\Temp\MSI879.tmpFilesize
294KB
MD5d9f32a58000fbd76723f5b0548873279
SHA1dc72a8447304a5c65023c84cc7f756a504dd1d7c
SHA25684135ab7cbdc549ef5a0cb13ea80e250fd7c407ed436b1541f915fb4334cf803
SHA5124d80067a831f58fbb596eb16fa4db8c025a057a53c341101c6f80f7d88adbd95a7be84d848e071f49bf74dc40acfac9b520589a5a9cab914d83b7def0eff5e7a
-
\Users\Admin\AppData\Local\Temp\MSI879.tmp-\Microsoft.Deployment.WindowsInstaller.dllFilesize
176KB
MD51e5a0962f20e91ca18bc150266e6f49e
SHA1e71caab3b88b2913178ca2ae549a00455679cd4e
SHA256fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99
SHA51209021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f
-
\Users\Admin\AppData\Local\Temp\MSI879.tmp-\ScreenConnect.Core.dllFilesize
238KB
MD557499c4e2bea1c72dfa51287b419f6af
SHA1c686b1c699dc934ceeaa62990c1396421ea4ccaf
SHA256940121c7c7827d639f6c9d8ce25a90473b79c4272e07e49f1e6d6e179800584f
SHA5123a070b9dd3179179b768f54afe5960b0f16a1895c0581cf69052c00d85fed675278216d88bef07852d895d7662a84f146678148bacd20c4531787080844f5acd
-
\Users\Admin\AppData\Local\Temp\MSI879.tmp-\ScreenConnect.InstallerActions.dllFilesize
18KB
MD5346dd22c00a48d9e98f307c0b36dabc8
SHA13ff99714b7e5e02a685d83f84dbb2ea8511e45e0
SHA25614b36c4e01a3b65595702536fdd33012aa08aead4468011b329090c01e08d077
SHA51250b979e7e585891f5502d52913014cabc4c41cbf2c2b10542031369b03cc0fb7afc9346038966519db7d4d9700a1c208ec1c7887aa2e8b4fd2908d3b31a8fd9c
-
memory/268-101-0x0000000000890000-0x00000000008B2000-memory.dmpFilesize
136KB
-
memory/268-93-0x0000000000AA0000-0x0000000000AE2000-memory.dmpFilesize
264KB
-
memory/268-86-0x00000000002D0000-0x00000000002DE000-memory.dmpFilesize
56KB
-
memory/268-105-0x0000000003730000-0x000000000379A000-memory.dmpFilesize
424KB
-
memory/268-89-0x00000000002D0000-0x00000000002DE000-memory.dmpFilesize
56KB
-
memory/268-97-0x0000000000B40000-0x0000000000BAA000-memory.dmpFilesize
424KB
-
memory/788-114-0x0000000002180000-0x00000000021C2000-memory.dmpFilesize
264KB
-
memory/788-110-0x00000000009E0000-0x0000000000A4A000-memory.dmpFilesize
424KB
-
memory/788-118-0x00000000009D0000-0x00000000009DE000-memory.dmpFilesize
56KB
-
memory/788-115-0x000000001A6B0000-0x000000001A71A000-memory.dmpFilesize
424KB
-
memory/788-113-0x00000000003F0000-0x0000000000412000-memory.dmpFilesize
136KB
-
memory/2356-6-0x00000000748B0000-0x0000000074F9E000-memory.dmpFilesize
6.9MB
-
memory/2356-7-0x00000000748B0000-0x0000000074F9E000-memory.dmpFilesize
6.9MB
-
memory/2356-8-0x0000000000AF0000-0x0000000000B5A000-memory.dmpFilesize
424KB
-
memory/2356-10-0x00000000748B0000-0x0000000074F9E000-memory.dmpFilesize
6.9MB
-
memory/2356-0-0x00000000748BE000-0x00000000748BF000-memory.dmpFilesize
4KB
-
memory/2356-4-0x0000000000540000-0x0000000000558000-memory.dmpFilesize
96KB
-
memory/2356-5-0x00000000009C0000-0x0000000000A02000-memory.dmpFilesize
264KB
-
memory/2356-3-0x00000000748B0000-0x0000000074F9E000-memory.dmpFilesize
6.9MB
-
memory/2356-2-0x0000000004C10000-0x0000000004D14000-memory.dmpFilesize
1.0MB
-
memory/2356-1-0x00000000002F0000-0x00000000002F8000-memory.dmpFilesize
32KB
-
memory/2596-34-0x00000000022F0000-0x0000000002332000-memory.dmpFilesize
264KB
-
memory/2596-26-0x0000000002070000-0x00000000020A0000-memory.dmpFilesize
192KB
-
memory/2596-30-0x0000000002150000-0x000000000215A000-memory.dmpFilesize
40KB