Managed XDR

screenconnect.clientsetup-3-.exe — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: screenconnect.clientsetup-3-.exe
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 12.6 MB
Первое обнаружение: 2025-11-11 18:39
Последнее обнаружение: 2025-11-11 18:39

Окружение

w10/x86 en

Хеши

SHA1: 46e7af71182aca465d6d3808e93deefa0a3bb22a
SHA256: e8c4b4f70579c074970403ce042b012baddc211a7dc55b3daf3a9b635753fec5
MD5: 803fe99eb51041853c47ec8a7b5a0695

Сигнатуры

Execution

T1569.002 persistence_service: Starts newly created service

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1033 sam_users_discovery: Enumerates users or groups in system with SAM API

T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

T1057 has_wmi: Executes one or several WMI requests

T1087.001 local_account_discovery: Enumerates local accounts

T1082 has_wmi: Executes one or several WMI requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules

accesses_mailslot: Performs a Mailslot ping, possibly used to get Domain Controller information

creates_exe: Creates executable files in the file system

create_rpc_bindings: Creates RPC connection

net_dumps_in_native: .Net dumps have been found in native PE

require_administrator: Requests administrator privileges

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

test_check_service: Starts services

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process

ce_info: ScreenConnect Configuration Data found