Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

ScreenConnect.ClientService.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.505232472804977
Filename:	ScreenConnect.ClientService.exe
Filesize:	95520
MD5:	7b4e1d1fda0c30fa647e4673c9b69095
SHA1:	0dee6877d1000006a6bd1d0c18dbe571a2e45f5f
SHA256:	420d3f1a29a4b76d9a90b4d209379152cb2161c9d4e753be40d3f66d18fc310e
SHA512:	9d31c2efcd76311c5d52d3f72aca89d4897db3433cb89197b4863950559f9233d081676e9912f0d0d3f81c5e82ad188f27c68dc3b669917cbc5b522707677a02
SSDEEP:	1536:cg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgIU0HMY7uDx2L:FhbNDxZGXfdHrX7rAc6myJkgIU0HDRL
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF..qF..qF......qF......qF......qF.<.B..qF.<.E..qF.<.C..qF......qF..#...qF..qG..qF.2.O..qF.2....qF.2.D..qF.Rich.qF........

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary	Masquerading
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse usering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log
Category:	dropped
Dump:	ScreenConnect.ClientService.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\ScreenConnect.ClientService.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\ScreenConnect.ClientService.exe

"C:\Users\user\Desktop\ScreenConnect.ClientService.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2820
Target ID:	0
Parent PID:	4004
Name:	ScreenConnect.ClientService.exe
Class:	system-tools
Path:	C:\Users\user\Desktop\ScreenConnect.ClientService.exe
Commandline:	"C:\Users\user\Desktop\ScreenConnect.ClientService.exe"
Size:	95520
MD5:	7B4E1D1FDA0C30FA647E4673C9B69095
Time:	14:05:43
Date:	25/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x2c0000
Modulesize:	98304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected potential unwanted application	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

2F01000

trusted library allocation

page read and write

FF0000

heap

page read and write

1580000

heap

page execute and read and write

14E0000

trusted library allocation

page read and write

164E000

stack

page read and write

2D4000

unkown

page write copy

15CE000

stack

page read and write

1530000

heap

page read and write

2D4000

unkown

page read and write

509E000

stack

page read and write

13DE000

stack

page read and write

112E000

stack

page read and write

1229000

heap

page read and write

54CE000

stack

page read and write

1540000

trusted library allocation

page execute and read and write

10E0000

heap

page read and write

2CD000

unkown

page readonly

1560000

trusted library allocation

page read and write

150B000

trusted library allocation

page execute and read and write

3F01000

trusted library allocation

page read and write

1212000

heap

page read and write

1219000

heap

page read and write

572F000

stack

page read and write

11D0000

trusted library allocation

page read and write

116E000

stack

page read and write

11E0000

heap

page read and write

1500000

trusted library allocation

page read and write

10D5000

heap

page read and write

1650000

heap

page read and write

2D6000

unkown

page readonly

2C1000

unkown

page execute read

14DE000

stack

page read and write

2EFF000

stack

page read and write

1252000

heap

page read and write

1180000

heap

page read and write

11C0000

trusted library allocation

page read and write

11D3000

trusted library allocation

page execute and read and write

548E000

stack

page read and write

1550000

heap

page read and write

160C000

stack

page read and write

582E000

stack

page read and write

F8B000

stack

page read and write

11EA000

heap

page read and write

11DD000

trusted library allocation

page execute and read and write

1520000

trusted library allocation

page read and write

11EE000

heap

page read and write

2C0000

unkown

page readonly

1507000

trusted library allocation

page execute and read and write

592E000

stack

page read and write

54E0000

heap

page execute and read and write

2CD000

unkown

page readonly

10D0000

heap

page read and write

E8C000

stack

page read and write

11D4000

trusted library allocation

page read and write

There are 44 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
ScreenConnect.ClientService.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportScreenConnect.ClientService.exe

Files

Processes

Memdumps

IOC Report
ScreenConnect.ClientService.exe