ConnectWiseControl.ClientSetup.exe
This report is generated from a file or URL submitted to this webservice on March 8th 2018 18:45:58 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Tries to sleep for a long time (more than two minutes)
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

Installation/Persistence

- Writes data to a remote process
  - details:
    - "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 920)
    - "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 920)
    - "<Input Sample>" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 920)
    - "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 920)
    - "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 920)
  - source: API Call
  - relevance: 6/10

Unusual Characteristics

- Tries to access unusual system drive letters
  - details: "msiexec.exe" touched "K:", "L:", "M:", "N:", "O:", "P:", "Q:", "R:", "S:", "T:", "U:", "V:", "W:"
  - source: API Call
  - relevance: 9/10
Suspicious Indicators (21)

Anti-Detection/Stealthiness

- Queries kernel debugger information
  - details:
    - "<Input Sample>" at 00011850-00001392-00000033-45236366
    - "msiexec.exe" at 00012735-00002940-00000033-46106694
  - source: API Call
  - relevance: 6/10

Anti-Reverse Engineering

- Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
  - details: "<Input Sample>" is allocating memory with PAGE_GUARD access rights
  - source: API Call
  - relevance: 10/10
- PE file has unusual entropy sections
  - details: .rsrc with unusual entropies 7.24434445691
  - source: Static Parser
  - relevance: 10/10
Environment Awareness

- Reads the active computer name
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
- Reads the cryptographic machine GUID
  - details:
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
    - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
- Tries to sleep for a long time (more than two minutes)
  - details: "<Input Sample>" sleeping for "1566804069" milliseconds
  - source: API Call
  - relevance: 10/10
General

- Reads configuration files
  - details: "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
  - source: API Call
  - relevance: 4/10

Installation/Persistence

- Drops executable files
  - details: "MSI1473.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
Network Related

- Found potential IP address in binary/memory
  - details: Heuristic match: "Cryptography.AesCryptoServiceProvider, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  - source: File/Memory
  - relevance: 3/10

System Destruction

- Marks file for deletion
  - details: "%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSI1473.tmp" for deletion
  - source: API Call
  - relevance: 10/10
- Opens file with deletion access rights
  - details: "msiexec.exe" opened "%TEMP%\MSI1473.tmp" with delete access
  - source: API Call
  - relevance: 7/10
System Security

- Modifies proxy settings
  - details:
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
- Queries sensitive IE security settings
  - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
Unusual Characteristics

- CRC value set in PE header does not match actual value
  - details:
    - "ConnectWiseControl.ClientSetup.exe.bin" claimed CRC 3123552 while the actual is CRC 3164550
    - "MSI1473.tmp" claimed CRC 193043 while the actual is CRC 390188
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: OutputDebugStringW, GetModuleFileNameW, IsDebuggerPresent, GetModuleFileNameA, LockResource, UnhandledExceptionFilter, LoadLibraryExW, GetStartupInfoW, GetCommandLineA, GetProcAddress, LoadLibraryW, WriteFile, GetModuleHandleW, TerminateProcess, GetModuleHandleExW, FindResourceW, CreateFileW, Sleep, GetFileAttributesW, GetTempPathW, ConnectNamedPipe, CreateThread, DisconnectNamedPipe, GetTickCount, CreateDirectoryW, DeleteFileW, FindNextFileW, FindFirstFileW, CreateProcessW
  - source: Static Parser
  - relevance: 1/10
- Installs hooks/patches the running process
  - details:
    - "<Input Sample>" wrote bytes "711107027a3b0602ab8b02007f950200fc8c0200729602006cc805001ecd03027d260302" to virtual address "0x758B07E4" (part of module "USER32.DLL")
    - "<Input Sample>" wrote bytes "9e962d9c" to virtual address "0x7166F314" (part of module "CLR.DLL")
  - source: Hook Detection
  - relevance: 10/10
- Reads information about supported languages
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
Hiding 4 Suspicious Indicators
Informative (17)

Environment Awareness

- Possibly tries to detect the presence of a debugger
  - details: GetProcessHeap@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Queries volume information
  - details: "msiexec.exe" queries volume information of "C:\" at 00012735-00002940-00000046-46292310
  - source: API Call
  - relevance: 2/10
- Queries volume information of an entire hard drive
  - details: "msiexec.exe" queries volume information of "C:\" at 00012735-00002940-00000046-46292310
  - source: API Call
  - relevance: 8/10
- Reads the registry for installed applications
  - details:
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
  - source: Registry Access
  - relevance: 10/10
External Systems

- Detected Suricata Alert
  - details: Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 1, Severity: 3) categorized as "Misc activity"
  - source: Suricata Alerts
  - relevance: 10/10
General

- Contains PDB pathways
  - details:
    - "%USERPROFILE%\Source\ScreenConnectWork\Custom\DotNetRunner\Release\DotNetRunner.pdb"
    - "E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb"
    - "C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb"
    - "C:\Users\%USERNAME%\Source\ScreenConnectWork\Custom\DotNetRunner\DotNetResolver\obj\Release\DotNetResolver.pdb"
  - source: File/Memory
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\setup.msi"
    - "msiexec.exe" created file "%TEMP%\MSI1473.tmp"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    - "Local\ZonesCacheCounterMutex"
    - "Local\ZonesLockedCacheCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Loads the .NET runtime environment
  - details: "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll" at 702D0000
  - source: Loaded Module
- Spawns new processes
  - details: Spawned process "msiexec.exe" with commandline "/i "%TEMP%\setup.msi""
  - source: Monitored Target
  - relevance: 3/10
- The input sample is signed with a certificate
  - details:
    - The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: A4:1A:37:D0:27:0D:84:33:C3:CD:02:20:24:8A:D8:4A:5A:6A:1A:26)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47)
  - source: Certificate Data
  - relevance: 10/10
- The input sample is signed with a valid certificate
  - details: The entire certificate chain of the input sample was validated successfully.
  - source: Certificate Data
  - relevance: 10/10
Installation/Persistence

- Dropped files
  - details:
    - "setup.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.2 Code page: 1252 Title: Installation Database Subject: Default Author: ScreenConnect Software Keywords: Default Comments: Default Template: Intel;1033 Revision Number: {20EF8040-9956-440C-A586-BC6D37B4F937} Create Time/Date: Fri Mar 2 21:50:34 2018 Last Saved Time/Date: Fri Mar 2 21:50:34 2018 Number of Pages: 200 Number of Words: 2 Name of Creating Applicatio%WINDIR%\Installer XML Toolset (3.11.0.1701) Security: 2"
    - "MSI1473.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
    - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\77f338d420d067a26b2d34f47445fc51\mscorlib.ni.dll.aux"
    - "<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
    - "<Input Sample>" touched file "C:\Windows\assembly\pubpol107.dat"
    - "<Input Sample>" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\0b2f69b43a576b9edcc807a30872bd91\System.ni.dll.aux"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
    - "<Input Sample>" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\sortdefault.nlp"
    - "<Input Sample>" touched file "C:\Windows\SysWOW64"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  - source: API Call
  - relevance: 7/10
Network Related

- Found potential URL in binary/memory
  - details:
    - Pattern match: "www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl0"
    - Pattern match: "www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt0"
    - Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^"
    - Pattern match: "www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0"
    - Heuristic match: "GET /appraiseradl/2018_03_02_14_03_x64.cab HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: */*, text/*User-Agent: WicaAgentHost: adl.windows.com"
    - Pattern match: "http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0"
    - Pattern match: "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z"
    - Pattern match: "http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0"
    - Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T"
    - Pattern match: "www.microsoft.com/pki/certs/MicrosoftRootCert.crt0"
    - Pattern match: "https://www.microsoft.com"
    - Pattern match: "www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a"
    - Pattern match: "www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0"
    - Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut"
    - Pattern match: "www.microsoft.com/pkiops/docs/primarycps.htm0@"
    - Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z"
    - Pattern match: "http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0"
    - Pattern match: "www.microsoft.com/PKI/docs/CPS/default.htm0@"
    - Pattern match: "crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z"
    - Pattern match: "www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0"
    - Pattern match: "http://dmd.metaservices.microsoft.com/dms/metadata.svc"
    - Pattern match: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
    - Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d579956195e3ec07 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
    - Pattern match: "http://www.symauth.com/cps0"
    - Pattern match: "http://www.symauth.com/rpa0"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
    - Pattern match: "http://www.symauth.com/cps0*"
    - Heuristic match: "GET /CRL/Omniroot2025.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: cdp1.public-trust.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAt%2BEJA8OEkP%2Bi9nmoehp7k%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSLIycRsoI3J6zPns4K1aQgAqaqHgQUZ50PIAkMzIo65YJGcmL88cyQ5UACEAG2Yem3HYLmNssdMr3TCFk%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.usertrust.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.comodoca.com"
    - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEASgPbzjLFo0QgpBn7dAqho%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.comodoca.com"
    - Pattern match: "k.screenconnect.com/Feedback.axd"
    - Pattern match: "feedback.screenconnect.com/Feedback.axd"
    - Pattern match: "aG7B.LYr/%`ESsLub0=Scj$2"
    - Heuristic match: "y.IEOiajg.tg"
    - Heuristic match: ">|IsXjA<>FWpT@ xLJ\z'ja8:6.Kn"
    - Pattern match: "E.zwJV/[LF{M:knffqPG\Wr+s%N&2f6*"
    - Heuristic match: "!.zL*[t+_FD/(%6X~YBmU2]vN0o1H/LbA=3?NPaY_?.LK"
    - Pattern match: "XF.joKG/9@"
    - Heuristic match: ")F#wp~i<!>H?P}`p\BpXD;ArQ,s(F5B91Cc0tT?4nVzO*(C3Hb8i@%?)+.vu"
    - Heuristic match: ".#GVn.666666260phW{Iyw\{ q-$1z0HQ{z,qwKxa#AQ?*)j%j?~8TOB2]TTLBBd..Do"
    - Heuristic match: "ey55!P7<r+j}jrw[8,,o-Do>5`B;rD(]qAwCC*D_.Gi"
    - Heuristic match: "ZG|Vpd;NFisb+-x1LkU.?Y8FW.DK"
    - Heuristic match: "F_gIF77}y{{3g.mv"
    - Pattern match: "Jn.UF/7FK"
    - Heuristic match: ";*rh0hiPUKgfu5O($a#Ef-X{m:gM]n)m^Bfb(F\njmv *.pW"
    - Heuristic match: "G\]tY.gPAP>n8B.*EQ*WDjpNdD2&)|kQQ0B:.H'_McUCp.VI"
    - Pattern match: "Y.pbP/#Lz+::iWG5"
    - Heuristic match: "o6P.np"
  - source: File/Memory
  - relevance: 10/10
System Security

- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details:
    - "<Input Sample>" opened "\Device\KsecDD"
    - "msiexec.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10

Unusual Characteristics

- Matched Compiler/Packer signature
  - details:
    - "ConnectWiseControl.ClientSetup.exe.bin" was detected as "Microsoft visual C++ 8"
    - "MSI1473.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft"
  - source: Static Parser
  - relevance: 10/10
File Details
ConnectWiseControl.ClientSetup.exe
- Filename: ConnectWiseControl.ClientSetup.exe
- Size: 3MiB (3136280 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: d07244dfbc4c6107e1530c2862668bbc788736a519bc596d6c79fadaacb9f427
- MD5: 170010761e72be733e1bee67a8d7eb0e
- SHA1: b164b7886d323e1618b12eb0e11bb674a6a713ad
- ssdeep: 49152:K7osTeT0+TL3Z0Mi963PSumfzL6aKYt0Miu+asAyg3frgGuQXdkX1gX:G116szeal0Xur0g3fEGdgA
- imphash: 5e4c14112c0f4c3c784dd28246e56fe5
- authentihash: ed8c5d035ddeed4b2672184f46da9b95e0617a8f0153ef1ef86a4fa257690b82
- Compiler/Packer: Microsoft visual C++ 8
- PDB Pathway
Classification (TrID)
- 47.3% (.EXE) Win32 EXE PECompact compressed (generic)
- 35.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 7.4% (.DLL) Win32 Dynamic Link Library (generic)
- 5.1% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.

Owner | Issuer | Serial | Validity | MD5 | SHA1
---|---|---|---|---|---
CN=COMODO SHA-1 Time Stamping Signer, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | 1688f039255e638e69143907e6330b | 12/31/2015 01:00:00 to 07/09/2019 20:40:36 | 8F:C6:01:B2:F5:01:26:30:60:AC:8D:52:9D:37:A2:94 | 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B
CN=ScreenConnect Software, O=ScreenConnect Software, OID.2.5.4.18=33634, STREET="4110 George Road, Suite 200", L=Tampa, ST=Florida, OID.2.5.4.17=33634, C=US | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 4a03dbce32c5a34420a419fb740aa1a | 02/02/2016 01:00:00 to 02/02/2019 00:59:59 | 45:37:90:B6:14:9C:C2:3B:1C:9E:C2:AC:9D:3E:D2:B5 | A4:1A:37:D0:27:0D:84:33:C3:CD:02:20:24:8A:D8:4A:5A:6A:1A:26
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 2e7c87cc0e934a52fe94fd1cb7cd34af | 05/09/2013 02:00:00 to 05/09/2028 01:59:59 | AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1 | B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- ConnectWiseControl.ClientSetup.exe (PID: 1392)
- msiexec.exe /i "%TEMP%\setup.msi" (PID: 2940)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.164.240.59:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
Extracted Strings
Extracted Files
Informative Selection (1)

- setup.msi
  - Size: 1.4MiB (1499136 bytes)
  - Type: doc office
  - Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {20EF8040-9956-440C-A586-BC6D37B4F937}, Create Time/Date: Fri Mar 2 21:50:34 2018, Last Saved Time/Date: Fri Mar 2 21:50:34 2018, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
  - Runtime Process: ConnectWiseControl.ClientSetup.exe (PID: 1392)
  - MD5: 6064526b4d933f6db9d2048eb2eb1132
  - SHA1: 9bae7a90e4cbaa2c7f7b6647f862669ff7f3fe98
  - SHA256: c7462ba229ba17afb216e55757bd1202c6516b83715038a6c0e04016b0db72e2

Informative (1)

- MSI1473.tmp
  - Size: 320KiB (327436 bytes)
  - Type: pedll executable
  - Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  - Runtime Process: msiexec.exe (PID: 2940)
  - MD5: d3ce5317fcf90bddcb41cee113d51b19
  - SHA1: 250d17479371e9440b18742210d9a3be609af85e
  - SHA256: 67db9fced277aa6fa2c24391e4365d585af207e3a66acebbb40559b620e4fb5e
Notifications

Runtime
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)