Analysis
Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240215-en
Resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
Submitted: 27/05/2024, 21:50

Static task: static1
Behavioral task: behavioral1
  Sample: 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
  Resource: win10v2004-20240508-en
General
Target: 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
Size: 1.2MB
MD5: 0b96df92623d93a5486f9c5485133bf3
SHA1: 4f3c8348a6e81af3a8e5b3e60bbdfd26bf3a091e
SHA256: 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec
SHA512: ed79c1cc94525d160431006c12b9abfbd3c9fe9ffdc23f99c37f99d7ad9176bb2e0ce33052b4bfb8bb2ae5037c98007a882d8b7ec5cde5ef0ac6b5d6a640a035
SSDEEP: 24576:fXTff2BiQeY3lvbELqO7mi7QXEuibeX57XIU9wwXfN2Klx:fXzfSck1+7QXEuib87p9wG2Klx
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
3028 | dotnetchk.exe
876 | Elsinore.ScreenConnect.WindowsClient.exe
Loads dropped DLL (12 IoCs)
pid | Process
3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe
2428 | MsiExec.exe
2736 | rundll32.exe
2736 | rundll32.exe
2736 | rundll32.exe
2736 | rundll32.exe
2736 | rundll32.exe
2736 | rundll32.exe
2736 | rundll32.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (9 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Windows.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.en-US.resources | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Client.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Core.dll | msiexec.exe
File created | C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe | msiexec.exe
Drops file in Windows directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f763489.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\f76348b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f763489.ipi | msiexec.exe
File created | C:\Windows\Installer\{A5BE9515-3F92-484C-9B03-796215851D09}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\Installer\{A5BE9515-3F92-484C-9B03-796215851D09}\DefaultIcon | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f763488.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f763488.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3543.tmp | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (32 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (74d4fd3265fb3ba5)\\Elsinore.ScreenConnect.WindowsClient.exe\" \"%1\"" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5159EB5A29F3C484B93097265158D190\Full | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\PackageName = "setup.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\ProductIcon = "C:\\Windows\\Installer\\{A5BE9515-3F92-484C-9B03-796215851D09}\\DefaultIcon" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\ProductName = "ScreenConnect Client (74d4fd3265fb3ba5)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E5BB419EBAE49CC474DDF2356BFB35A | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E5BB419EBAE49CC474DDF2356BFB35A\5159EB5A29F3C484B93097265158D190 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\UseOriginalUrlEncoding = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\PackageCode = "6472EAB9D152D334180E6531F94FEC74" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5159EB5A29F3C484B93097265158D190 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\Version = "83893989" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-74d4fd3265fb3ba5 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\URL Protocol | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\sc-74d4fd3265fb3ba5\shell\open\command | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open\command | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5159EB5A29F3C484B93097265158D190\SourceList\Media\1 = ";" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1640 | msiexec.exe
1640 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
876 | Elsinore.ScreenConnect.WindowsClient.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3016 wrote to memory of 3028 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 28
PID 3016 wrote to memory of 3028 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 28
PID 3016 wrote to memory of 3028 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 28
PID 3016 wrote to memory of 3028 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 28
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 3016 wrote to memory of 1640 | 3016 | 48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe | 29
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2660 wrote to memory of 2428 | 2660 | msiexec.exe | 31
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2428 wrote to memory of 2736 | 2428 | MsiExec.exe | 32
PID 2660 wrote to memory of 876 | 2660 | msiexec.exe | 36
PID 2660 wrote to memory of 876 | 2660 | msiexec.exe | 36
PID 2660 wrote to memory of 876 | 2660 | msiexec.exe | 36
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe (PID 3016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48c780b97e27a3f2b49e0a0a46680926ea8c8268e43ab1f1fa00c222045cb9ec.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\VSD1758.tmp\DotNetFXCustom\dotnetchk.exe (PID 3028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\VSD1758.tmp\DotNetFXCustom\dotnetchk.exe"
      Signatures: Executes dropped EXE
    C:\Windows\SysWOW64\msiexec.exe (PID 1640)
      Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
      Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2660)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe (PID 2428)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57D081D79133A11B42D01CB62E22FCC1 C
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe (PID 2736)
          Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI191C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259397994 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
          Signatures: Loads dropped DLL
    C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe (PID 876)
      Command line: "C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe" "?y=Host&h=connect.boxsupport.com&p=8041&s=77aeda68-c49e-451a-84f9-5139c1109754&k=BgIAAACkAABSU0ExAAgAAAEAAQAnrYFzXlcydiDgsvWW2YnAuon0BH6W%2fItMumA7VU05z7WuI9zvR0eVjsIMQxS3amQ8nGY4eZdsByUqyhO7cf%2bQDDUzkTXmlU%2flGuJA7BfEIBnh3ThyTvnf0hO7BXuMNmmSfj5t%2ftyphLOBlh9WpglNjdflM5Pu8hKBWso8CVtSW7RZu9FFZOcpQYZfnTNIkqPCBKiA2Kh93MCQ43Bk5EIL1uKffbcbfT1%2bI4ij8IwvVPvTT6V2xYqIV7VblOoLyBD4Mq4i8t%2ffml8BAQkFQLWc6s6FhtCBE9kfp5BENY2XsihU1SKkCPUIrv7qQ2AVmmtxpWTuGOJlEfUN%2fy6Tdtyz&n=qKWGrwIPQnlyb24gQmVuZGZlbGR0j26Jzn6UsrZ4GvwtsPvGTOQj1HNTuM570dRhIMlTrUn8fg%3d%3d&i=AMRIK%20GOGNA"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe (PID 2540)
  Command line: C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe (PID 1968)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "0000000000000328"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads