| File name: | spacedesk_driver_Win_10_64_v2129.msi |
| Full analysis: | https://app.any.run/tasks/c6481e7e-605a-4d6a-90da-381285a56377 |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2024, 01:31:24 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: spacedesk 2.1.29 Driver Installer, Author: datronicsoft Inc., Keywords: Installer, Comments: Windows Network Display Monitor Software, Template: x64;1033, Revision Number: {410373EB-2C13-45CA-9D41-BE3DC9FE49A7}, Create Time/Date: Thu Nov 28 02:27:00 2024, Last Saved Time/Date: Thu Nov 28 02:27:00 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2 |
| MD5: | 4E92233F7B53EAFB3C0AAF5CB9F50207 |
| SHA1: | 24FAC327BE1AE0D59A08A73F45818F000FF51C75 |
| SHA256: | FF930F9D7FAF72FFBCACF55DC5613AAD4ECC3C358DF31A3A46088215E7B5B9DC |
| SSDEEP: | 98304:AzbzZtDDBDJoUGAf25W4QoqZWmLXbrOsBKTdryQxutRRplm9DDkEnSJaajJlKkPu:wn5mx4Ui/Kh9cQ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 2408)
- spacedeskService.exe (PID: 1796)
Drops a system driver (possible attempt to evade defenses)
- msiexec.exe (PID: 2612)
- drvinst.exe (PID: 3700)
- MSIA6A3.tmp (PID: 4132)
- drvinst.exe (PID: 5792)
- drvinst.exe (PID: 772)
- MSIAFEF.tmp (PID: 4520)
- drvinst.exe (PID: 4244)
- MSIB1A5.tmp (PID: 2744)
- drvinst.exe (PID: 5652)
- drvinst.exe (PID: 4968)
- MSIABD5.tmp (PID: 2728)
Executable content was dropped or overwritten
- MSIA6A3.tmp (PID: 4132)
- drvinst.exe (PID: 3700)
- drvinst.exe (PID: 5792)
- MSIABD5.tmp (PID: 2728)
- drvinst.exe (PID: 2040)
- drvinst.exe (PID: 772)
- MSIAD0E.tmp (PID: 3288)
- drvinst.exe (PID: 3040)
- MSIAE67.tmp (PID: 5640)
- MSIAFEF.tmp (PID: 4520)
- MSIB1A5.tmp (PID: 2744)
- drvinst.exe (PID: 4244)
- drvinst.exe (PID: 5652)
- drvinst.exe (PID: 4968)
INFO
An automatically generated document
- msiexec.exe (PID: 3984)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 3984)
Creates files or folders in the user directory
- msiexec.exe (PID: 3984)
Reads the computer name
- msiexec.exe (PID: 2612)
- msiexec.exe (PID: 2484)
Checks supported languages
- msiexec.exe (PID: 2612)
- msiexec.exe (PID: 2484)
Reads the software policy settings
- msiexec.exe (PID: 3984)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3984)
- msiexec.exe (PID: 2612)
Manages system restore points
- SrTasks.exe (PID: 4264)
Starts application with an unusual extension
- msiexec.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | spacedesk 2.1.29 Driver Installer |
| Author: | datronicsoft Inc. |
| Keywords: | Installer |
| Comments: | Windows Network Display Monitor Software |
| Template: | x64;1033 |
| RevisionNumber: | {410373EB-2C13-45CA-9D41-BE3DC9FE49A7} |
| CreateDate: | 2024:11:28 02:27:00 |
| ModifyDate: | 2024:11:28 02:27:00 |
| Pages: | 500 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.11.2.4516) |
| Security: | Read-only recommended |
Total processes
152
Monitored processes
31
Malicious processes
1
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 772 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{c9c09016-7fc5-8e40-9f99-6d0bf652650e}\spacedeskKtmInputmouse.inf" "9" "431da1b7b" "0000000000000218" "WinSta0\Default" "000000000000021C" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1200 | "C:\WINDOWS\Installer\MSIB514.tmp" -otherFirewallCheck | C:\Windows\Installer\MSIB514.tmp | — | msiexec.exe | |||||||||||
User: admin Company: datronicsoft Integrity Level: MEDIUM Description: spacedesk Setup Custom Action Exit code: 0 Version: 0.2.1.28 Modules
| |||||||||||||||
| 1576 | DrvInst.exe "2" "1" "ROOT\SPACEDESK_ANDROID_CONTROL\0000" "C:\WINDOWS\System32\DriverStore\FileRepository\spacedeskdriverandroidcontrol.inf_amd64_1985a082276b0b7b\spacedeskdriverandroidcontrol.inf" "oem1.inf:*:*:1.0.462.10:ROOT\VID_DATRONICSOFT_PID_SPACEDESK_DRIVER_USB_ANDROID_0001," "44282f7e3" "0000000000000200" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1796 | "C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe" | C:\Program Files\datronicsoft\spacedesk\spacedeskService.exe | — | services.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Modules
| |||||||||||||||
| 2040 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{8a9df6b9-df57-ff44-8e21-24e1f57a548e}\spacedeskdisplay.inf" "9" "442436977" "000000000000022C" "WinSta0\Default" "000000000000020C" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2072 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2292 | "C:\WINDOWS\Installer\MSIA578.tmp" -preInstallCheck_W10 | C:\Windows\Installer\MSIA578.tmp | — | msiexec.exe | |||||||||||
User: admin Company: datronicsoft Integrity Level: MEDIUM Description: spacedesk Setup Custom Action Exit code: 0 Version: 0.2.1.28 Modules
| |||||||||||||||
| 2408 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2484 | C:\Windows\syswow64\MsiExec.exe -Embedding 962327992EE15BC94134FA91EE519E04 C | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2612 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
31 910
Read events
31 570
Write events
306
Delete events
34
Modification events
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 480000000000000092C35793B546DB01340A0000AC170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 480000000000000092C35793B546DB01340A0000AC170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000585C9393B546DB01340A0000AC170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000585C9393B546DB01340A0000AC170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000013C09593B546DB01340A0000AC170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 48000000000000000A879A93B546DB01340A0000AC170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 48000000000000001EF90C94B546DB01340A0000AC170000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2612) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000009D5C0F94B546DB01340A0000D00C0000E803000001000000000000000000000026A1C17C611A904198E6ECFD302C52AC00000000000000000000000000000000 | |||
| (PID) Process: | (2408) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000C14E1B94B546DB01680900001C080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
60
Suspicious files
76
Text files
4
Unknown types
25
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2612 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2612 | msiexec.exe | C:\Windows\Installer\14a140.msi | — | |
MD5:— | SHA256:— | |||
| 2612 | msiexec.exe | C:\Windows\Installer\MSIA3C0.tmp | — | |
MD5:— | SHA256:— | |||
| 3984 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | |
MD5:C8E2DE978B21F424FAA21C140A55DE53 | SHA256:DD4ED7CDE34F1CFF1BCF80EB02FC756D317137457516112685A0A197A2D4B5A9 | |||
| 3984 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | |
MD5:39BCEAEFC1600C443B505C7A0824AFD7 | SHA256:675729F46FEF81C91652D0CE88AC11C80230A4E9B162917BABB9AE75308B6452 | |||
| 3984 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIDEEA.tmp | executable | |
MD5:4FDD16752561CF585FED1506914D73E0 | SHA256:AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7 | |||
| 3984 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | der | |
MD5:4165B81B68FFB0444EF0CE862027E86B | SHA256:5BC6098B57CB923BA66F448CD3651D42159AEBF038BFA6B1D383701BF16029ED | |||
| 3984 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_74F67001B3C2D533D99B6A2860970A04 | binary | |
MD5:6CC5AAA0F38BC00CAB50E530E54173FC | SHA256:73B1E9824D5FD43EDDB950A191B937A194BEFD99B51A8F7FEE2952D20CBC4531 | |||
| 2612 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:80C9F77E82A51177A708508D9E633556 | SHA256:9BD707FEE7828BBF523F9ABE353BDEBD3E836E97769C05D57FE22FF585D6782E | |||
| 2612 | msiexec.exe | C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\spacedeskDriverAndroidControl.cat | binary | |
MD5:D29597B995EDACEC18620C0DF002CB43 | SHA256:0C520052EA889ED78BAD76D6D60CD93CF8FFF26859326C95D4B732BDDE6C974F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3984 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
736 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
736 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3984 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3984 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4bLnp0JeaKiM0Z462JHJc%3D | unknown | — | — | whitelisted |
— | — | POST | 204 | 2.16.204.161:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
736 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3984 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
736 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |