ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

General

Target

gameguard_setup.msi
Size

7.7MB
MD5

68bd8f9af44479db013a77c806f1c674
SHA1

0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256

ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512

991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP

196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

3 2416 msiexec.exe
5 2416 msiexec.exe

flow	pid	process
3	2416	msiexec.exe
5	2416	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e58a1f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a1f8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	1688	msiexec.exe
Token: SeCreateTokenPrivilege	2416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2416	msiexec.exe
Token: SeLockMemoryPrivilege	2416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2416	msiexec.exe
Token: SeMachineAccountPrivilege	2416	msiexec.exe
Token: SeTcbPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeLoadDriverPrivilege	2416	msiexec.exe
Token: SeSystemProfilePrivilege	2416	msiexec.exe
Token: SeSystemtimePrivilege	2416	msiexec.exe
Token: SeProfSingleProcessPrivilege	2416	msiexec.exe
Token: SeIncBasePriorityPrivilege	2416	msiexec.exe
Token: SeCreatePagefilePrivilege	2416	msiexec.exe
Token: SeCreatePermanentPrivilege	2416	msiexec.exe
Token: SeBackupPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeShutdownPrivilege	2416	msiexec.exe
Token: SeDebugPrivilege	2416	msiexec.exe
Token: SeAuditPrivilege	2416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2416	msiexec.exe
Token: SeChangeNotifyPrivilege	2416	msiexec.exe
Token: SeRemoteShutdownPrivilege	2416	msiexec.exe
Token: SeUndockPrivilege	2416	msiexec.exe
Token: SeSyncAgentPrivilege	2416	msiexec.exe
Token: SeEnableDelegationPrivilege	2416	msiexec.exe
Token: SeManageVolumePrivilege	2416	msiexec.exe
Token: SeImpersonatePrivilege	2416	msiexec.exe
Token: SeCreateGlobalPrivilege	2416	msiexec.exe
Token: SeBackupPrivilege	4236	vssvc.exe
Token: SeRestorePrivilege	4236	vssvc.exe
Token: SeAuditPrivilege	4236	vssvc.exe
Token: SeBackupPrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeRestorePrivilege	1688	msiexec.exe
Token: SeTakeOwnershipPrivilege	1688	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2416 msiexec.exe

pid	process
2416	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 1688 wrote to memory of 4008	1688	msiexec.exe	srtasks.exe
PID 1688 wrote to memory of 4008	1688	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2416

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a1f9.rbs

Filesize
11KB

MD5
c7291b2a38669eae4c89f0df29d1dbdc

SHA1
efc26b10d33c8fcdc0c2a50f0b9788d32c1b4ab7

SHA256
0623917089b5734ccf43d8ce3d4d3ef23a1f674cb3ae6d451726ace78a637da8

SHA512
573759a9299561ef98e3094730c415d6ccea9a9722611596235a6bb483935fe650d52fad251f1bf963d51aa44fc9fee83f69273b19ecc6dcaa2801297e9c787d

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
316KB

MD5
7ec55f85dd4740e6f146d3ee54e01201

SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada

SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
316KB

MD5
7ec55f85dd4740e6f146d3ee54e01201

SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada

SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Download Submit
C:\Program Files (x86)\GameGuard\gameguard.exe

Filesize
7.2MB

MD5
81ed38976254bb646c0ecee753324027

SHA1
c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6

SHA256
cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7

SHA512
476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
063123ea85988b5341fb2820b47b5b85

SHA1
89150a1b0d14e3b371ce4b23f9ffa6eb79306475

SHA256
734564f4d9598e88ae54acf6c8382bf26db505c2d37161e8b5097465ae8fac2d

SHA512
df5964212c5e00f0ba5701df4b9b1bcff9117896c03f6636465390f650add09f61459d6377a659ee65f589a57d4c156cbe5e909fb6701b426dbfa507f69a8f60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
1KB

MD5
d00289ccad2c03629c12bc5c0e1fba15

SHA1
951f00335db15bce9c96402c3f65eb5e4ee9c535

SHA256
9e9b3434f9d5e25063ae12a33d478c4fc929b4185386adda86df087c02e190a6

SHA512
54bcead347080efae718cc45779653cbc87f87e8b685b059383c9d5805cb1ca0acfccd524ef727ab5872dc0bbd5e34a64dee0757f6619bc7f287a2df5f997d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
0fa05e3479cfaf5c01dab5f2e9342ef9

SHA1
788670170f1400f1a0c22cdd74c53481281065f8

SHA256
03cd11deb0443fcb7cb4b1a40a6a9eac0acd235113787b4481b034b59c3e8002

SHA512
7984f40cf43774dccdb304a29c2cf3feaaa11eee64a2b87284b0fbb00c1237c3b0b9beb34139889c7694e8b04caf38a661b80557e6f5b9374caf2b44b5156911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
534B

MD5
6d60ce1ff8f757606c48f8eeb1a85546

SHA1
b93387353137db6e179a75538e051d0b13ebeedb

SHA256
d3d6b2efc10c404da20fec38fc254106a25f02b961918f9c58f358b69ee4306c

SHA512
90b316b5846fcad668e5c53400c0a554f4f5af9fe8669eebbf16174c1199624dda467c3b482857b35fad11dba45d7f6c5ad521b8374f46d4cc9199e04e8bc5bc

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads