Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2023 14:34
Static task: static1
Behavioral task: behavioral1
Sample: gameguard_setup.msi
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: gameguard_setup.msi
Resource: win10v2004-20230221-en
General
Target: gameguard_setup.msi
Size: 7.7MB
MD5: 68bd8f9af44479db013a77c806f1c674
SHA1: 0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256: ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512: 991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP: 196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: msiexec.exe
flow 3, PID 2416, msiexec.exe
flow 5, PID 2416, msiexec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (48 events: every drive letter except C: and D:, each opened twice)
Drops file in Windows directory (3 IoCs)
Processes: msiexec.exe
File created: C:\Windows\Installer\e58a1f8.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\e58a1f8.msi (msiexec.exe)
File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) (vssvc.exe)
Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe
msiexec.exe (PID 2416), 31 tokens in order of occurrence: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe (PID 1688), 5 tokens: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
vssvc.exe (PID 4236), 3 tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
PID 2416, msiexec.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: msiexec.exe
PID 1688 (msiexec.exe) wrote to memory of PID 4008 (srtasks.exe)
PID 1688 (msiexec.exe) wrote to memory of PID 4008 (srtasks.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
  PID: 2416
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1688
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4008
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4236
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\GameGuard\acsvc.exe
  Command line: "C:\Program Files (x86)\GameGuard\acsvc.exe"
  PID: 3200
Network
MITRE ATT&CK Enterprise v6
Downloads