A suspicious software execution was detected on an endpoint used by an unspecified user on a workstation, rated as high severity due to attempts to access sensitive system information and persistence techniques that could allow continued access; the SOC applied containment actions with partial success and some agents fully remediated the activity. Business risk includes potential credential exposure and unauthorized access that could disrupt operations or lead to data loss.
SOC Response Actions
Actions the SOC performed (or attempted). See Use Case #5 and Use Case #6 for further information.

| Action | Status |
| --- | --- |
| LyndonPC2, no full disk scan command was sent. | Not Configured |
| LyndonPC2, endpoint was not isolated from the network. | Not Configured |
Recommended Remediation
[Containment] Isolate 'LyndonPC2' from the network immediately (disconnect wired/wireless and remove from VPN) to prevent further lateral movement.
[Eradication] Remove the file '\Device\HarddiskVolume3\Config.Msi\87f3.rbf' and any related ScreenConnect client installers from the endpoint and from any software distribution shares.
[Eradication] Terminate and remove the process 'ScreenConnect.ClientService.exe' on the affected host and ensure the service/executable is uninstalled.
[Hardening] Reset local and domain passwords for accounts that access the endpoint and force reissue of any existing remote-access credentials used by ConnectWise/ScreenConnect integrations.
[Hardening] Audit and remove unauthorized autoruns, services, and registry run keys related to ScreenConnect or unknown installers and restrict installer rights to administrators only.
| Hash | Verdict | Details | Source |
| --- | --- | --- | --- |
| bc0b03a3...d483f68a | Malicious | File hash detected by 9 security engines. Classified under the meaningful name c:\users\BKatz\AppData\Local\Apps\2.0\H052W98T.2WV\K6Y89DCD.PVN\scre...exe_0000000000000000_0019.0004_none_6f38569aabb4da9b\ScreenConnect.ClientService.exe. | Hybrid-Analysis |
| bc0b03a3...d483f68a | No Relevant Results | No behavioral or reputation data returned for this hash at the time of analysis. | |

Indicators of Compromise
The threat indicators point to a severe compromise of the host. An application has been hijacked by a suspicious DLL, and there are signs of a packed process. Evasion techniques include suspicious executions of regsvr32 or rundll32, along with attempts to tamper with Event Viewer logs and SentinelOne registry keys. Multiple infostealing attempts have been detected, such as reading sensitive information from LSASS and installing a keylogger. The application has registered itself for persistence in several ways, including autoruns and safe mode. Additionally, reconnaissance activity using WMI queries indicates that the system is being actively enumerated, which warrants immediate containment and remediation.
Network Connections
20.231.45.162 (Outbound, Port 8041): outbound IP Connect attempts from ScreenConnect client to external service
20.124.27.177 (Outbound, Port 8041): outbound IP Connect attempts from ScreenConnect client to external service
Process Involved
ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Remote support client repeatedly established TCP connections to external IPs on port 8041
ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Multiple distinct ScreenConnect client instances (different PIDs) connecting outbound to same destination
ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Persistent service process observed across many timestamps initiating network connects
ScreenConnect.ClientService.exe (Legitimacy: Third-Party Trusted): Service process tied to agent 'LyndonPC2' responsible for remote access traffic
Below is additional context from other services subscribed by the customer.

| Service | Source | Relevant Insight | Reference |
| --- | --- | --- | --- |
| ES | N/A | No relevant tools configured for enrichment. | |

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.