Analysis

  • max time kernel
    135s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-08-2024 02:29

General

  • Target

    ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a.msi

  • Size

    7.3MB

  • MD5

    6086601a8560a2037f5091d8632d0509

  • SHA1

    2a7203ea36b649e95f42a2cf0fcf38347d0a7640

  • SHA256

    ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a

  • SHA512

    554fb256c1be49942c3c1b2cf1620c8d364a9fa52de7471808ba282019f87703980c9213045123fa5406916bc2e6e60fe963950d4916c622b1edd1f14032864a

  • SSDEEP

    98304:HAMvSQwxDnl2dYds9GLIeDT3OF6zfAMvSQwxDnl2dYdsTAMvSQwxDnl2dYdsbAMF:bnEPDT3wAn/nHn

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 20 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3408
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5EBF5BD6ADEA32B04C616B7EDD4E6F83 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240622953 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1220
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:2992
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D2813561934CD036147194C45B3E1E8B
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4432
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 989B500EAC18BB1F95169AEE71D03DC1 E Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1420
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2332
  • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe
    "C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-s1t9su-relay.screenconnect.com&p=443&s=405768c7-e817-4293-8bbf-ca3f80fe5001&k=BgIAAACkAABSU0ExAAgAAAEAAQAZhsU%2bP4UE5AtDTMSFWho25Rl9VjYF8BVBXNwYvU7ugYYwP08h0Z%2fmsf3hdTZqjWU0kI2j8SYjcPTHlmm1DVR4w%2bCnc6S9OaDbDbVnmTAZb4aLnlE0C%2bxZGL%2fgLPE0QdK9YGD5fWjCXXAGAq8z6%2fnmyvLLDh70j0hHGeffkk6HXpjl9E61RXxiCCy3wJleuhdWVSz2TYOAsya%2fs6TEOncLxRX5dVsIpVQHwe%2bApMXuapOWQ1kSv%2bZ0liWHcxZnDeQOpXfTGKLGsTXT3yFLz2B3W33laNnlW%2fpN5y3LSz9plPy4pGcwqi%2bgQpv6KqQ%2b4n55foFDpc6%2fFyuAI8vGWA2l&c=government&c=gov.al&c=it&c=pc&c=&c=&c=&c="
    1⤵
    • Sets service image path in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe
      "C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe" "RunRole" "a895b411-f310-4111-8bd7-a3248606e5bc" "User"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1892
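The ScreenConnect.ClientService.exe command line in the process tree above carries every indicator a responder needs to pivot on this installer: the relay host and port, the session GUID, the server's public key and the custom properties the agent was built with. The report also records that the client sets a service image path in the registry, which is where the same string persists on a live host. The Python below is an added triage example, not code from the sandbox report or from ScreenConnect: it pulls the quoted launch string out of a constructed ImagePath value, splits it into named fields, and decodes the k= value as a CryptoAPI PUBLICKEYBLOB to check that it really is an RSA key and to derive a per-instance fingerprint. The parameter meanings (e, y, h, p, s, k, c) are inferred from the observed values rather than taken from vendor documentation, the sample ImagePath is constructed in the assumed "<exe>" "<launch string>" shape, and using the blob hash to cluster installers from the same server is an assumption.

```python
"""Pull relay/session indicators out of a ScreenConnect client launch string.

Added triage example; not code from the sandbox report or from ScreenConnect.
"""
import base64
import hashlib
import re
import struct
from typing import Optional
from urllib.parse import parse_qs

# Launch string copied from the ScreenConnect.ClientService.exe command line in
# the process tree above (outer quotes removed; %2b/%2f still URL-encoded).
LAUNCH = (
    "?e=Access&y=Guest&h=instance-s1t9su-relay.screenconnect.com&p=443"
    "&s=405768c7-e817-4293-8bbf-ca3f80fe5001"
    "&k=BgIAAACkAABSU0ExAAgAAAEAAQAZhsU%2b"
    "P4UE5AtDTMSFWho25Rl9VjYF8BVBXNwYvU7ugYYwP08h0Z%2f"
    "msf3hdTZqjWU0kI2j8SYjcPTHlmm1DVR4w%2b"
    "Cnc6S9OaDbDbVnmTAZb4aLnlE0C%2b"
    "xZGL%2f"
    "gLPE0QdK9YGD5fWjCXXAGAq8z6%2f"
    "nmyvLLDh70j0hHGeffkk6HXpjl9E61RXxiCCy3wJleuhdWVSz2TYOAsya%2f"
    "s6TEOncLxRX5dVsIpVQHwe%2b"
    "ApMXuapOWQ1kSv%2b"
    "Z0liWHcxZnDeQOpXfTGKLGsTXT3yFLz2B3W33laNnlW%2f"
    "pN5y3LSz9plPy4pGcwqi%2b"
    "gQpv6KqQ%2b"
    "4n55foFDpc6%2f"
    "FyuAI8vGWA2l"
    "&c=government&c=gov.al&c=it&c=pc&c=&c=&c=&c="
)

# CONSTRUCTED sample: the report records that the client sets a service image
# path but not its value; this assumes the usual "<exe>" "<launch string>" shape.
SAMPLE_IMAGE_PATH = (
    r'"C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)'
    r'\ScreenConnect.ClientService.exe" "' + LAUNCH + '"'
)

_QUOTED_LAUNCH = re.compile(r'"(\?[^"]*)"')


def launch_from_image_path(image_path: str) -> Optional[str]:
    """Return the quoted ?e=... argument from a service ImagePath, or None."""
    match = _QUOTED_LAUNCH.search(image_path)
    return match.group(1) if match else None


def parse_rsa_public_blob(b64: str) -> dict:
    """Decode a CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, LE modulus.

    The k= parameter is assumed to be the base64 of such a blob; the 'RSA1'
    magic and bit length are checked rather than trusted. Base64 padding is
    restored because it may be stripped in transport.
    """
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, _version, _reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", raw, 8)
    if btype != 0x06 or magic != b"RSA1":  # 0x06 = PUBLICKEYBLOB
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus_le = raw[20:20 + bitlen // 8]
    return {
        "alg_id": alg_id,  # 0xA400 = CALG_RSA_KEYX
        "bits": bitlen,
        "exponent": pubexp,
        "modulus_len": len(modulus_le),
        "truncated": len(modulus_le) != bitlen // 8,
        # Assumption: the server key is fixed per ScreenConnect instance, so the
        # blob hash groups installers built from the same server.
        "fingerprint": hashlib.sha256(raw).hexdigest(),
    }


def parse_launch(launch: str) -> dict:
    """Split a launch string into named indicators.

    Parameter meanings (e=process type, y=session type, h=relay host,
    p=relay port, s=session id, k=server public key, c=custom properties)
    are inferred from the observed values, not taken from vendor docs.
    """
    fields = parse_qs(launch.lstrip("?"), keep_blank_values=True)

    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    return {
        "process_type": first("e"),
        "session_type": first("y"),
        "relay_host": first("h"),
        "relay_port": int(first("p")) if first("p").isdigit() else None,
        "session_id": first("s"),
        # Trailing empty c= slots are unused custom-property positions.
        "custom_properties": [c for c in fields.get("c", []) if c],
        "public_key": parse_rsa_public_blob(first("k")) if first("k") else None,
    }


if __name__ == "__main__":
    launch = launch_from_image_path(SAMPLE_IMAGE_PATH)
    for name, value in parse_launch(launch).items():
        print(f"{name:18} {value}")
```

Running the script prints the relay host, port, session GUID, the four non-empty custom properties and the decoded key header (2048-bit RSA, exponent 65537). The `truncated` flag is there for the common case where the launch string was pulled from a log field that cut the k= value short; the fingerprint lets you search other ScreenConnect installers for the same server key rather than relying on the relay hostname alone.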

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Config.Msi\e57d13b.rbs

      Filesize

      213KB

      MD5

      468b7150b6207cb412e88cc6acae35e4

      SHA1

      edba0845dad2d45f5c2071cf60ec4fef7fc68b04

      SHA256

      612798966d91899f3ddfe87b57dbc0e4949796e2f901a4e38eb65a7f10f7bfc9

      SHA512

      eecde0ecffa41f1ae3fe91c8a934e0d64c8eb5574578e7992e30368df4b6405e975fce54a262ab30a03da701e81d18436fdf542d77ab14fa6217197e0d3d5a6b

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.en-US.resources

      Filesize

      47KB

      MD5

      26f4eb71380f8e033c74ed8c57d0ad9d

      SHA1

      d94252e86215a4a2e29f081cecd335d48bbd7a9c

      SHA256

      179b6d08519b3e56dce0cc0096f31e9751d74b7875e030a3b2d01c189be0108d

      SHA512

      8d36cad523e6847d055caa35535388008633187078c55625f32548016ffd2ba9f5528fe2df2c97d6c9e3e08ac432f8156d59da334acfec4142a44b4a4421a897

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\Client.resources

      Filesize

      26KB

      MD5

      5cd580b22da0c33ec6730b10a6c74932

      SHA1

      0b6bded7936178d80841b289769c6ff0c8eead2d

      SHA256

      de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c

      SHA512

      c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Client.dll

      Filesize

      188KB

      MD5

      ca2857bac072baec93fbf23e5fcff956

      SHA1

      049f21dfe97f5dc247b0c7a29e22111dc4c63aad

      SHA256

      04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0

      SHA512

      96bdfe18334b9837223da8ebb7f671abde9559f6e5150854025315bcccc09133c50939cb0e62ff16219d45b77711baa3c3c278edacda4584960e9c06e63e20f1

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.dll

      Filesize

      59KB

      MD5

      a9d86db5d9c735d6dcc83e979ab64a7d

      SHA1

      e4f945e799d9bf5fc103f65d8ca832290b5ab03c

      SHA256

      083eb9b90e04e39514c50e296593c3652f05cf3fe3ba41cb7adeed82930e4ddf

      SHA512

      ceceeea84b266ca389562fcbbc4fa24bb4b44093289b0a67e60bf4506c2a554087fb2ee9ee607e29efb8912a26ce65c3457a14c23c4d742181b3795a3a6338b4

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.ClientService.exe

      Filesize

      93KB

      MD5

      89d3d099b6d8731bd1b7f5a68b5bf17c

      SHA1

      c6aed886840aafd08796207e2646d8805d012b81

      SHA256

      bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924

      SHA512

      6cb52828006ef2d41b9acc2a8a8e84b2d5f0bee0304cc8762d5945a1e21023373371893a261d089599799ebe89cbe0da5327ee80d5db07a936727ea21fb0951a

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.Windows.dll

      Filesize

      1.6MB

      MD5

      44b736a074b7e0bbe0c6c5f7debe0f3d

      SHA1

      a1c063d652908b663a5e2d12c81c7a74b1f7b7e2

      SHA256

      f8c648e09fb42f145b581ed80b2a0c88e9f18041efd03ad3187a6229f17a14b8

      SHA512

      de0258dcbe6886e8c8e0b6188f6427cd2b650a80b16cd11349e3f8332af906b47d79c5714fd734df5866923735bda1e0a448c2b18dac2102464f2f237d97c37a

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe

      Filesize

      572KB

      MD5

      19e093bc974d1ed6399f50b7fa3be1f8

      SHA1

      11e0b01858dc2ed0d1b5854ebeb09a332a36ed93

      SHA256

      ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436f

      SHA512

      d2e4c543ddf850b5c54d2de5dea03de77fdb4a852a377b0e35146e733cfd1cb198a8afc88cb55fed20e87ac6ae7ed8ea0198f0049a0fc400615ac32bb153cc6a

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsClient.exe.config

      Filesize

      266B

      MD5

      728175e20ffbceb46760bb5e1112f38b

      SHA1

      2421add1f3c9c5ed9c80b339881d08ab10b340e3

      SHA256

      87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077

      SHA512

      fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\ScreenConnect.WindowsCredentialProvider.dll

      Filesize

      746KB

      MD5

      f01a59c5cf7ec437097d414d7c6d59c4

      SHA1

      9ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd

      SHA256

      62b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8

      SHA512

      587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb

    • C:\Program Files (x86)\ScreenConnect Client (d8713efd2a06052f)\system.config

      Filesize

      970B

      MD5

      ca804d47bcb02664a31fa8ec17d16793

      SHA1

      7a01687b36263ad5169ae53c421afc28fb519a64

      SHA256

      bf61fdbdc3db66c762cca24d0e06a533063b1912dbd6a83807457bd37e65befd

      SHA512

      24e42453d5d075f936f022c02b3066bf41a9a97a33dbec14c7f111898aec88c08bfd9a9e9f1126ecb0f9f8e31b40eb73637d6314117230ec85e47183c620bba7

    • C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp

      Filesize

      1015KB

      MD5

      5c1b123df7123061ca1f1cdb31ce36cb

      SHA1

      1421db694e8c2a3af066d6317282157d2c05e3b6

      SHA256

      d40ae98a7d18c2c35c0355984340b0517be47257c000931093a4fc3ccc90c226

      SHA512

      866979a543ac413dbeadce82e9ab35ffe5f4d0f69fc61ef2c4f8761030a126abfab4db053669df7e7a602e3753842a7315c17881d2a333d0abea51d8ef3041e8

    • C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp-\Microsoft.Deployment.WindowsInstaller.dll

      Filesize

      172KB

      MD5

      5ef88919012e4a3d8a1e2955dc8c8d81

      SHA1

      c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

      SHA256

      3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

      SHA512

      4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

    • C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp-\ScreenConnect.Core.dll

      Filesize

      518KB

      MD5

      469a702d0861e2c63e6e6e575c58e399

      SHA1

      06cf299c7dc7867c9584647f5ba681aec6c469d4

      SHA256

      affb342d2dce754b4ddbeeb4ed344806fda531d68346df12629b7bd8c0fa753c

      SHA512

      90fa0f0bbb3076f770354fc6f870c302c2c3a7e2ea010dc451cbd4dd0d417aa360f57ddfe003ea634efa38a7e34b63236ffe1addb4738fac16cff798c940b016

    • C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp-\ScreenConnect.InstallerActions.dll

      Filesize

      21KB

      MD5

      41e8c80a7f1bf4911fce55c0de249302

      SHA1

      21d6f8ddc242a55c4894127bbef0479fea1d6847

      SHA256

      569b267d8c4cef1b26c9337f5a355f0040ad4d7e9610f28784e4af05efa3e4e9

      SHA512

      d2f375e9956d46db0fc4e0162ea894ad8598512a3de93537579ddcd8872fc8160751a4ada37bbc9f61b78414e5d241dfb2e036f2200bff4de70ac1a417aaa240

    • C:\Windows\Installer\MSID216.tmp

      Filesize

      202KB

      MD5

      ba84dd4e0c1408828ccc1de09f585eda

      SHA1

      e8e10065d479f8f591b9885ea8487bc673301298

      SHA256

      3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

      SHA512

      7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

    • C:\Windows\Installer\e57d13a.msi

      Filesize

      7.3MB

      MD5

      6086601a8560a2037f5091d8632d0509

      SHA1

      2a7203ea36b649e95f42a2cf0fcf38347d0a7640

      SHA256

      ac34e44a897a626c34db1c18efcf707fc1d5473a46117586649f31f53c28496a

      SHA512

      554fb256c1be49942c3c1b2cf1620c8d364a9fa52de7471808ba282019f87703980c9213045123fa5406916bc2e6e60fe963950d4916c622b1edd1f14032864a

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      82849a82a1a8af1a0a7854be4306abec

      SHA1

      6daa79f8428d68f4b0d95a634a17e947a747422a

      SHA256

      27800eb130a1bd26235ca26843b19cc19b7401371d5fd993d46208dbb98c665b

      SHA512

      d4c8f205c85f4c6199f39a714e0c2d5512348e1a804f9c19319a273cb3b2ca598bc0545e4f3950c19aeda9ede7d245df9b851ff46a74d30a24907c473545848f

    • \??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{606087f1-9998-4955-b3b0-8fe909d2c8e5}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      bb773f008c41a324c23df0069f070a5e

      SHA1

      6a1cacad3589ff47c17ff562122a24836c967a32

      SHA256

      7ca623066d0db97cbd07155015fb7051662d257f6403cf304ad8734ff7409395

      SHA512

      3ad371a1c9aad40b0659a55c31f246322910d2af042f09fc714b0926e795e63045976e2e37effe4ffda92d1014790cb6f7a79bebc23a4cc807190b6c8af18b8a

    • memory/1220-87-0x0000000004130000-0x00000000041C2000-memory.dmp

      Filesize

      584KB

    • memory/1220-19-0x0000000002E70000-0x0000000002E7C000-memory.dmp

      Filesize

      48KB

    • memory/1220-86-0x0000000003EA0000-0x0000000003ED6000-memory.dmp

      Filesize

      216KB

    • memory/1220-82-0x0000000003E50000-0x0000000003EA0000-memory.dmp

      Filesize

      320KB

    • memory/1220-80-0x00000000046E0000-0x0000000004C84000-memory.dmp

      Filesize

      5.6MB

    • memory/1220-79-0x0000000003F80000-0x0000000004128000-memory.dmp

      Filesize

      1.7MB

    • memory/1220-70-0x0000000003B10000-0x0000000003B26000-memory.dmp

      Filesize

      88KB

    • memory/1220-23-0x0000000002F10000-0x0000000002F98000-memory.dmp

      Filesize

      544KB

    • memory/1220-15-0x0000000002E30000-0x0000000002E5E000-memory.dmp

      Filesize

      184KB

    • memory/1220-91-0x00000000041D0000-0x000000000428E000-memory.dmp

      Filesize

      760KB

    • memory/1892-111-0x0000000002AD0000-0x0000000002B06000-memory.dmp

      Filesize

      216KB

    • memory/1892-112-0x000000001B600000-0x000000001B688000-memory.dmp

      Filesize

      544KB

    • memory/1892-114-0x000000001CFA0000-0x000000001D126000-memory.dmp

      Filesize

      1.5MB

    • memory/1892-115-0x00000000011C0000-0x00000000011D6000-memory.dmp

      Filesize

      88KB

    • memory/1892-116-0x00000000011F0000-0x0000000001206000-memory.dmp

      Filesize

      88KB

    • memory/1892-113-0x000000001BBB0000-0x000000001BD58000-memory.dmp

      Filesize

      1.7MB

    • memory/1892-110-0x0000000000980000-0x0000000000A14000-memory.dmp

      Filesize

      592KB