ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

General

Target

gameguard_setup.msi
Size

7.7MB
MD5

68bd8f9af44479db013a77c806f1c674
SHA1

0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256

ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512

991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP

196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

7 2868 msiexec.exe
11 2868 msiexec.exe

flow	pid	process
7	2868	msiexec.exe
11	2868	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

msiexec.exemsiexec.exefirefox.exe

description	pid	process
Token: SeShutdownPrivilege	2868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	3032	msiexec.exe
Token: SeCreateTokenPrivilege	2868	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2868	msiexec.exe
Token: SeLockMemoryPrivilege	2868	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2868	msiexec.exe
Token: SeMachineAccountPrivilege	2868	msiexec.exe
Token: SeTcbPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeLoadDriverPrivilege	2868	msiexec.exe
Token: SeSystemProfilePrivilege	2868	msiexec.exe
Token: SeSystemtimePrivilege	2868	msiexec.exe
Token: SeProfSingleProcessPrivilege	2868	msiexec.exe
Token: SeIncBasePriorityPrivilege	2868	msiexec.exe
Token: SeCreatePagefilePrivilege	2868	msiexec.exe
Token: SeCreatePermanentPrivilege	2868	msiexec.exe
Token: SeBackupPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeShutdownPrivilege	2868	msiexec.exe
Token: SeDebugPrivilege	2868	msiexec.exe
Token: SeAuditPrivilege	2868	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2868	msiexec.exe
Token: SeChangeNotifyPrivilege	2868	msiexec.exe
Token: SeRemoteShutdownPrivilege	2868	msiexec.exe
Token: SeUndockPrivilege	2868	msiexec.exe
Token: SeSyncAgentPrivilege	2868	msiexec.exe
Token: SeEnableDelegationPrivilege	2868	msiexec.exe
Token: SeManageVolumePrivilege	2868	msiexec.exe
Token: SeImpersonatePrivilege	2868	msiexec.exe
Token: SeCreateGlobalPrivilege	2868	msiexec.exe
Token: SeDebugPrivilege	2788	firefox.exe
Token: SeDebugPrivilege	2788	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exefirefox.exe

pid process

2868 msiexec.exe
2788 firefox.exe
2788 firefox.exe
2788 firefox.exe
2788 firefox.exe
2868 msiexec.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2788 firefox.exe
2788 firefox.exe
2788 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2788 firefox.exe

pid	process
2868	msiexec.exe
2788	firefox.exe
2788	firefox.exe
2788	firefox.exe
2788	firefox.exe
2868	msiexec.exe

pid	process
2788	firefox.exe
2788	firefox.exe
2788	firefox.exe

pid	process
2788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 3932 wrote to memory of 2788	3932	firefox.exe	firefox.exe
PID 2788 wrote to memory of 672	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 672	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 1824	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 412	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 412	2788	firefox.exe	firefox.exe
PID 2788 wrote to memory of 412	2788	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.0.531936905\279645432" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4625b495-6ffc-4abe-91fc-4f2120c32dfe} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 1940 1a7ab3ecb58 gpu
3⤵
PID:672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.1.1908852923\1379680603" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d499ba78-2277-41d0-aca0-9d750b5f13dc} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 2332 1a79e475e58 socket
3⤵
- Checks processor information in registry
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.2.279617714\245787295" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 3068 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a347197-e450-477d-a6fd-d15f0823ac32} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 2876 1a7af106558 tab
3⤵
PID:412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.3.739964776\879032738" -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3428 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cf0a85e-805a-4104-96d2-a350b7cbbe56} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 3516 1a79e474f58 tab
3⤵
PID:2760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.4.733814755\41352502" -childID 3 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be17883-6f4a-4f3a-a634-b120585b1734} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 4100 1a7aed05258 tab
3⤵
PID:1836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.5.665167651\16681003" -childID 4 -isForBrowser -prefsHandle 4736 -prefMapHandle 4968 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2854c7a-2ce3-45a6-8890-02326efbbf6c} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 4952 1a7b1290958 tab
3⤵
PID:4508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.6.1026853472\1439896073" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4908 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28b2bcef-3fb2-445a-8d92-7a35749d5156} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 4988 1a7b1404458 tab
3⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2788.7.1816857281\1841710498" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1484 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a96cc6e3-d0bb-4b9d-8898-645c2d5b7c76} 2788 "\\.\pipe\gecko-crash-server-pipe.2788" 5404 1a7b1405658 tab
3⤵
PID:3372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
153KB

MD5
7d7bcca4d1a9f1e4b6f6ade4fbc12145

SHA1
62560a445ce9c90c1436b7fc79f4f45827ef15b0

SHA256
b289673801b0f4ef2b68b492481f7ec5d2033fc1bdf27ae3ee7597b96839a23b

SHA512
367c6bbb71e1a55e6182fed5753a353c0c0ee4bfe29b37baa455954bc90886f0efb2e6918d4ba939439e562a56dbe58569baf97820fdc5947395a423ecd901fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
b9a9bdc0ce55c5d3260bafdfb0b6f36c

SHA1
41957a5cc387a08b6e263700ccdabe66c7364eda

SHA256
5e8408f5e09057101c89903a40993da3169f8e3d68c83be19d0215936c5a4bad

SHA512
2437eaca45baad6be3e3a021e95eb7e60d2f8f84e249c9a47b52a8f8601761e72bee39665cda09fa94e431414329a4b96bbce9bd6393bc2f25186b6460b5b7bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
33a677c8bf78361799d634e5311fd22c

SHA1
24d612764ac7328df6378cd44f1e760ff2b887ad

SHA256
31e36d8259e5d336dccee4edea7c226d7cd3bc1773a3c88fde9b12b45d256c2b

SHA512
5d1f851edb1688f7afd6b8a5b69f1d5c35e3a76e4149ff1228da2d597cd5b6c75437dada6ec0065a54ca4d5448be24ea7b6b40772d693affceb1dead25162fc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4

Filesize
884B

MD5
206fedaf31d0c46058b180b02a5ce30c

SHA1
546bcebe643d5807eae2b123f3dff54d3a429b60

SHA256
6ec6c9604f14b98537bfe55bd329a404c8a68ad6a1130366f10f28fceea3e415

SHA512
b846d31dee729804ba233e25d0ebf43d0336b3f8519eb7d0bb73d52ffa10c3f49cf166fa93eae7e51e9bac3bb011c29620407ab5ceecb101eb62fbd38e161203

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads