Windows
Analysis Report
ScreenConnect.ClientSetup (1).exe
Overview
General Information
Detection
ScreenConnect Tool
Score | Range | Whitelisted | Confidence
---|---|---|---
57 | 0 - 100 | false | 100%
Compliance
Score | Range
---|---
33 | 0 - 100
Signatures
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool
Classification
- System is w10x64
- ScreenConnect.ClientSetup (1).exe (PID: 5208 cmdline: "C:\Users\user\Desktop\ScreenConnect.ClientSetup (1).exe" MD5: 2FBF1296C804795CD2F5E0A301307472)
  - msiexec.exe (PID: 5276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\ScreenConnect\ccf23f1afa8af061\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 4236 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 3392 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BC108F69163DAA59A6F9981178743870 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 6932 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSICF5E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7262203 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 5612 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CCDB78175ACA179D0D189E42F6A15F79 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - msiexec.exe (PID: 5700 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 644E16E75658CB40C644CEA9BB61A5D0 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- ScreenConnect.ClientService.exe (PID: 1372 cmdline: "C:\Program Files (x86)\ScreenConnect Client (ccf23f1afa8af061)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-f13iq7-relay.screenconnect.com&p=443&s=8c4565db-ac67-42c5-9630-9aa3f157ab83&k=BgIAAACkAABSU0ExAAgAAAEAAQC1MY9w4B1kmCI8rrVVcN3Qv2pF2incNEaC5%2f57%2frQys%2fxWV8jitTHxen5sI4Wll36RpM9KV99bb78RmSViUCckbjE5KmpupWzSRQPRoXSxvLn2bqJ43r%2b0c1Xzj6wxUS%2bGCdb3y5osDTbAX4izwcSX%2fWd5MibcXFXyV0GDsYs7uPqQNXSNtw1v5PTrV4hH6KEn7iG8xD119OfXklw0j4quXgapgwpI4dZ5E20CIMcRqfPC5dqnBzSKD%2bnQ0l48Ao%2fzM5ObrNV%2f8giwIObi%2f%2b9H0BQvztiy4rypOySEqrH3oVDeR1OWmdV0FGCTguAa5uyNJoKXRLqK4n1ztMQHr%2f%2bi&c=Van%20Buren%20Telephone%20Company&c=&c=&c=&c=&c=&c=&c=" MD5: 361BCC2CB78C75DD6F583AF81834E447)
  - ScreenConnect.WindowsClient.exe (PID: 5156 cmdline: "C:\Program Files (x86)\ScreenConnect Client (ccf23f1afa8af061)\ScreenConnect.WindowsClient.exe" "RunRole" "45494334-b96f-4a01-b0ee-df000a95fbae" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
- svchost.exe (PID: 3080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
System Summary
Source: | Author: Florian Roth (Nextron Systems)