Windows Analysis Report
ScreenConnect.ClientService.exe

Overview

General Information

Sample name: ScreenConnect.ClientService.exe
Analysis ID: 1542347
MD5: 7b4e1d1fda0c30fa647e4673c9b69095
SHA1: 0dee6877d1000006a6bd1d0c18dbe571a2e45f5f
SHA256: 420d3f1a29a4b76d9a90b4d209379152cb2161c9d4e753be40d3f66d18fc310e

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Detected potential unwanted application
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 84.6% probability
Source: ScreenConnect.ClientService.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ScreenConnect.ClientService.exe Static PE information: certificate valid
Source: ScreenConnect.ClientService.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://ocsp.digicert.com0
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: ScreenConnect.ClientService.exe String found in binary or memory: http://www.digicert.com/CPS0

System Summary

Source: ScreenConnect.ClientService.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Source: ScreenConnect.ClientService.exe, 00000000.00000000.2116498994.00000000002D6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs ScreenConnect.ClientService.exe
Source: ScreenConnect.ClientService.exe Binary or memory string: OriginalFilename vs ScreenConnect.ClientService.exe
Source: ScreenConnect.ClientService.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Mutant created: NULL
Source: ScreenConnect.ClientService.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ScreenConnect.ClientService.exe Static PE information: certificate valid
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ScreenConnect.ClientService.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ScreenConnect.ClientService.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe
Source: ScreenConnect.ClientService.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ScreenConnect.ClientService.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ScreenConnect.ClientService.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ScreenConnect.ClientService.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ScreenConnect.ClientService.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Memory allocated: 1540000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Memory allocated: 4F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe TID: 3576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ScreenConnect.ClientService.exe Memory allocated: page read and write | page guard
No contacted IP infos