AgentUpgrader.exe is marked as malicious by SentinelOne


AgentUpgrader.exe found in C:\Windows\Temp, which I believe is the application that upgrades the DesktopCentral Agents whenever a server build is upgraded, is being flagged by SentinelOne in our environment. I just wanted to share the information, so the executable may be enhanced.

*From SentinelOne*

Threat Info:

  Name: AgentUpgrader.exe

  Path: \Device\HarddiskVolume2\windows\Temp\AgentUpgrader.exe

  Process User: NT AUTHORITY\SYSTEM

  Signature Verification: NotSigned

  Originating Process: dcconfig.exe

  SHA1: 7259053ba9d672ee92590335187503a2d9505ad2

  Initiated By: Agent Policy

  Engine: On-Write Static AI - Suspicious

  Detection type: Static

  Classification: Malware

  File Size: 4.07 MB

THREAT INDICATORS:

Hiding/Stealthiness

  • The majority of sections in this PE have high entropy, a sign of obfuscation or packing.
  • This binary might try to schedule a task or modify a scheduled task.

General

  • This binary uses Dinkumware libraries which are commonly used by malware.

We are able to whitelist based on the SHA1, but the SHA1 has been identified to be different on different endpoints. The other way is the Signature Identity, but the executable is not signed.

Hope this info is useful.

Thanks!

JABIR
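The two indicators the post quotes (unsigned, mostly high-entropy PE sections) and the allow-listing problem (SHA1 differs per endpoint) can all be checked locally before opening a vendor ticket. The script below is an added example, not part of the post and not ManageEngine or SentinelOne code: it parses just enough of a PE with `struct` (no `pefile` dependency), computes per-section Shannon entropy, checks whether an Authenticode certificate table is present, and hashes the file so copies collected from several endpoints can be compared. The PE images it analyses are constructed in-script (`build_sample_pe`, `pseudo_random`, `SAMPLE_PACKED`, `SAMPLE_SIGNED` are all assumed names); to use it on the real file, read the bytes of the collected AgentUpgrader.exe and pass them to `triage()`.

```python
"""Triage helper for an EDR verdict of 'unsigned + mostly high-entropy sections'.

Constructed example: parses just enough of a PE with struct (no pefile needed),
measures per-section Shannon entropy, checks for an Authenticode certificate
table, and hashes the file so copies from several endpoints can be compared.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Return {'signed': bool, 'sections': [(name, raw_offset, raw_size), ...]}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Offsets of NumberOfRvaAndSizes and of the data directory array: PE32 vs PE32+
    rva_count_off, dd_off = {0x10B: (92, 96), 0x20B: (108, 112)}[magic]
    rva_count = struct.unpack_from("<I", pe, opt + rva_count_off)[0]
    signed = False
    if rva_count > 4:  # directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
        cert_off, cert_size = struct.unpack_from("<II", pe, opt + dd_off + 4 * 8)
        signed = cert_off != 0 and cert_size != 0
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
    return {"signed": signed, "sections": sections}


def triage(pe: bytes, high_entropy: float = 7.0) -> dict:
    """Summarise the indicators an analyst wants before deciding on an allow-list rule."""
    info = parse_pe(pe)
    entropy = {name: round(shannon_entropy(pe[off:off + size]), 3)
               for name, off, size in info["sections"]}
    high = sum(1 for e in entropy.values() if e >= high_entropy)
    return {
        "sha1": hashlib.sha1(pe).hexdigest(),
        "signed": info["signed"],
        "section_entropy": entropy,
        "mostly_high_entropy": high * 2 > len(entropy),
    }


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(sections, signed=False) -> bytes:
    """Assemble a minimal, non-loadable PE32+ image: constructed test input only."""
    num = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    hdrs, body = b"", b""
    ptr = e_lfanew + 4 + 20 + 240 + 40 * num   # first section's raw offset
    for i, (name, data) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                            0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    cert = b""
    if signed:
        # Placeholder WIN_CERTIFICATE header + blob; a real file carries a PKCS#7 signature here
        blob = b"constructed-certificate-blob"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 112 + 4 * 8, ptr, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + body + cert


# Constructed samples: one that trips the "mostly high entropy, unsigned" heuristic,
# and one plain-text, "signed" image for contrast.
SAMPLE_PACKED = build_sample_pe([(".text", pseudo_random(4096, b"a")),
                                 (".rdata", pseudo_random(4096, b"b")),
                                 (".data", b"\0" * 512)])
SAMPLE_SIGNED = build_sample_pe([(".text", b"plain ascii payload " * 200),
                                 (".data", b"\0" * 512)], signed=True)

if __name__ == "__main__":
    for label, img in (("packed", SAMPLE_PACKED), ("signed", SAMPLE_SIGNED)):
        print(label, triage(img))
```

Running `triage()` over the copy collected from each endpoint tells you two things the ticket needs: whether the entropy reading is consistent (a packed or compressed updater will look the same everywhere, which points to the vendor's build rather than tampering) and which files actually differ, since a hash-based allow-list can only hold while the vendor ships one fixed build. Where the SHA1 does differ, comparing the per-section entropy between copies narrows down whether a whole section is rebuilt or only a small embedded value changes; either way the durable fix is for the vendor to sign the binary so an allow-list rule can key on the signer instead of the hash, which is the point the post makes.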
