d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bfa08538f94a78395b116666e90606b.exe
Size

4.0MB
MD5

9bfa08538f94a78395b116666e90606b
SHA1

9c62f61abded758772da22c16f825cdf40f00f92
SHA256

d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f
SHA512

cfb1d911786c0e4b55e5d45bf392ed30a5f4c6843ce4d6ddfa3af3f219ce341e76ea376db2ea0cbf3421364c49920241d85075b062585a127d144942dc5e40c2
SSDEEP

49152:g9enMTO4Hht2GrgsTeu8T1a0ymq0O493Ej4LA6aKIpmb4RV/TVXUrPhTHlzuw2t3:g9ensr3a4hms4F+7XVXgTHYJOE/

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FortiClientVPN.exe

pid process

4940 FortiClientVPN.exe

pid	process
4940	FortiClientVPN.exe

Modifies registry class 7 IoCs

Processes:

9bfa08538f94a78395b116666e90606b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	9bfa08538f94a78395b116666e90606b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9bfa08538f94a78395b116666e90606b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9bfa08538f94a78395b116666e90606b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	9bfa08538f94a78395b116666e90606b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	9bfa08538f94a78395b116666e90606b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "diskcopy.dll"	9bfa08538f94a78395b116666e90606b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{F681A8AE-609B-43BB-846B-0CAD6CE69C79}"	9bfa08538f94a78395b116666e90606b.exe

Modifies system certificate store 2 TTPs 7 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9bfa08538f94a78395b116666e90606b.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	9bfa08538f94a78395b116666e90606b.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	9bfa08538f94a78395b116666e90606b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c190000000100000010000000a344f71a7a52a76ee49b74b1d8816b15040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e641400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e425c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	9bfa08538f94a78395b116666e90606b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	9bfa08538f94a78395b116666e90606b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	9bfa08538f94a78395b116666e90606b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	9bfa08538f94a78395b116666e90606b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	9bfa08538f94a78395b116666e90606b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9bfa08538f94a78395b116666e90606b.exe

pid process

4432 9bfa08538f94a78395b116666e90606b.exe
4432 9bfa08538f94a78395b116666e90606b.exe

pid	process
4432	9bfa08538f94a78395b116666e90606b.exe
4432	9bfa08538f94a78395b116666e90606b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9bfa08538f94a78395b116666e90606b.exe

description	pid	process	target process
PID 4432 wrote to memory of 4940	4432	9bfa08538f94a78395b116666e90606b.exe	FortiClientVPN.exe
PID 4432 wrote to memory of 4940	4432	9bfa08538f94a78395b116666e90606b.exe	FortiClientVPN.exe
PID 4432 wrote to memory of 4940	4432	9bfa08538f94a78395b116666e90606b.exe	FortiClientVPN.exe

C:\Users\Admin\AppData\Local\Temp\9bfa08538f94a78395b116666e90606b.exe
"C:\Users\Admin\AppData\Local\Temp\9bfa08538f94a78395b116666e90606b.exe"
1⤵
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
2⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1940

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 179153CD0E73C05B11BDFDC3C3E670FC C
2⤵
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
471B

MD5
0e0de3d94c4c0f6c22b34f79ec7a3ff8

SHA1
f47cb5908787e97288c07c06b6c22e1e94c4f22b

SHA256
2f5fd796c25d6390ce87881b7843c43c798f69885f9040a3a230744cf26588fe

SHA512
14dc291573d37ac9868992ef05706248c85a841553eac130a889b622455502d1bc639a09591075ed4d8e3bd5f1d7e683ce132f3faf5e01319c9d4590983a0fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8
Filesize
727B

MD5
0b04740f778c438da2c75e9816028dfa

SHA1
7111e6e6d32fe7a8b14a521ab3c2ab0ac1a1c588

SHA256
28447aa833b0680e0e4bef1d24b5fd43ae354b7e3710e7f6a0e987ba58cb21c9

SHA512
d7fd9cfa91688c86676d3054d5708857c3a7a76d81a17a06883ab53373a76fc0d4f39ac8a8ef439d79f3e6ac8861b54a44ef738e25d71daeac9b8845bdb5a258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
3dc46f15f2a4397be037679aa1b83fbf

SHA1
1f05a8c0e407bdda5fbed14a3310a41401cdb704

SHA256
e542d7ba6e9b51f890b66069c323ecec2de0f37ec511b5f370af2d41a61152e5

SHA512
97b2ef2f551e80026832304231d398a681afb19232ac70f9b7bb1a6511308783f947d7745706491c95abcccd33cbcc38a83a335d02f1502c95b6ff44b0576d07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize
400B

MD5
140d1bec3b58969faf00351ff95765d8

SHA1
ef78029747c769446484138e03c55fa568348536

SHA256
15f06655c2a0c44b7109ba1d9ec70d78d2f8baebcf329c26f59ea719ac749d76

SHA512
d1f44229cb7dbad7f487a092f4e186a974d45efe4e6b1e32db6e4473a64332cb30cfbb38f9df6a20e919b2d63fb3e12cb67a4f69360c22744cb1f73afb0b8760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8
Filesize
412B

MD5
aa74fe8ef2981f82bd30d7037cc4eb0c

SHA1
bd2575d90e41ff770e5958cc3d2646dea745ae15

SHA256
ad4457e27d29274ac365e6dce786f54455458a6443a7ad028308cea56d7ea214

SHA512
114239567f6d9b2e7290f48b8e81ff14736e42fdf52b307270ec98aefc39d36f37d8b6d8b1f55259bd3a288f725a5ef6f6a3b61a54c68986e920f687a23b47c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B

MD5
3218345023b13e0bc6fc8d7965f7de8e

SHA1
8a292e33d44468a40715c776aa3a4e196c9fab92

SHA256
cd364634d3dfc721d2bc422a5b5ccd742b95e1e797b2fa81a9811573e95fd396

SHA512
1b217965e7afedabee2f56df1d94dce372dd6990c1cca31226ba5e7c172aed9071c35415a4e6bd2defee1da6f79e65fefa11bbbdf001255d5c360d91f8a80d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{92396971-2CBA-4A57-A1F9-17F8E458E8AA}\FortiClient.msi
Filesize
3.3MB

MD5
ae5648d46f5a73929926ca11c16527eb

SHA1
2feef0b448d3208b2aed69aacc912c40a6df948c

SHA256
093b99f5bf8ef857d3d6b6a4792d4ac7e4df571cc876810aa82d9b1a261d5fd4

SHA512
c5f8ef4b212cb5ef1c12ffc6f171cddcde36061356670b20776a9a69b76111b6915795d63f17f81730941a0919a90b6e39c4b3b973d05cdb3089e1bdd9a6e584

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log
Filesize
3KB

MD5
e0b1d75cac0f7b125a574642cf8fe41f

SHA1
ab21d754d1acad57e85c0a76cf9e7ed021cd9904

SHA256
021c2c86cde950f47de60c78436a988f4335fb8a49cede264734b2b02c5ffdd3

SHA512
0eca406e4aa56909054ea3ca71b48336083cdafb04b93b2f01a2ff50c83ba306076002be7a3dbc5c84a02f74951b3e9496b11f4a165cf92498b509be1fbbb986

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log
Filesize
4KB

MD5
b3e2467363861278a40a94c7efaf99e9

SHA1
68b5f3e26cdd54a6434e2ffab4c4ee49eb33abf5

SHA256
78690529251e9e5aa30ff1165409990d1dda40e53d5b8077056b3561daf9342d

SHA512
ee08df65df555fbdf532693b7cf31734b53d733304e9a976e049f36263acb2b3c8b41d42655f82489dc7242100219f9377d241c56df0e0b8e13036d855c07439

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
Filesize
9.6MB

MD5
f61dd2a048a3d7b27a2f4254c0c09397

SHA1
f67e4c25d6ad0a5638ec40f80d6846a356db29e9

SHA256
52bf7b543047ea26191ca228bbff643e6013f9e109018cfb6615b8fff3698313

SHA512
081fce52f134e9590b137658a041816316d9ffd89b8538b23598f2ac20c3295e08bd450a4ab4cdda4124108b3221e8cb35c6af35949f22b79daa8e6ede9d2d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
Filesize
9.7MB

MD5
06162fbf54fd9d3bd0868943d7c2b527

SHA1
7f2cb6051cb60e7d47e34002d7893cbd35ac865c

SHA256
cac24b97626366163d6d0f87d93401dc08c8bb5dcfbd374ed12f65ba2e0047b0

SHA512
ce64314fb6fce63e04bfcc9d0d9e22553f8098f76f759ed1f12b6ab466ce3951b4417ea0656471d40c974d6211065a3901fec2df440b31d125696cb7367fd5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7805.tmp
Filesize
2.0MB

MD5
af83a1c729649429be9fb738df671d6b

SHA1
317d836b72426c45aa734ec8a4c559cba53aeda3

SHA256
9facab809abbd733bd18fc29e3b6eeab53a204f2559d234ff31b259e0b92e70b

SHA512
48378a20886b85e1490151e0148c3233ad956f2bc5308898952ba198ba7544486dcb074f413181cb25035ccd3bd8aefdf26cb3a9fa900bbc196c5480d0074f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7805.tmp
Filesize
1.8MB

MD5
949847b5143c6e53f909464c22a7a1b8

SHA1
3b721a03a4900fa2e3cb11a5836b0d86dc74a955

SHA256
295ed769dd323aa671d0e61b97fbcc7b3325669835cd0acf354f9b265d480ad2

SHA512
0fa84b6c48a815a6a637703a6340c4d468412291bf85189e0ddd3a7bdbf6ef1e7b57fe69a26197960dda396b9549ac6d881ed0a76bd7f5508ff7523193aa7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI792F.tmp
Filesize
974KB

MD5
4e0a0117d6d31b90f34e50d888dfda1c

SHA1
6894fb7adfca3a6f6b475aba5c58b2ce0c8d13f4

SHA256
83513c4d4ae270ab4ddfb5551ecba7749c6dfb8c621c3874d0433bc919b44ef7

SHA512
79254771b427725e6027beb6d1a2525d06a750013290705b0c6382708520210fce0fe506af9f966ef392b32e7ecc2a828f21a77922d90e2b41dfbfccc65db47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI792F.tmp
Filesize
1.1MB

MD5
459f1fb9625b60b5f0a902b1d2629b5c

SHA1
3bd45e2314320e0bef085f41b9bbb445dc25ca1d

SHA256
e23532ebfae10783724c8735fa51464a994f817d3d89ad0134b121ab21301672

SHA512
cd7b8c1ce6657fb8ccca3857f99aabd3d3135cde0f752329bff7e5598f81852552f1d7606e7e391823f04f182802a73e0469a54dea39f608f3cd0e64a95cd31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79BC.tmp
Filesize
860KB

MD5
6a0c1036cc6db8b56740c6e2b0e4745a

SHA1
490cffae90a999cab75619815118bf33ce57dcaa

SHA256
83a4d84c8b7d2d666e1bbeaa1e1f3ead0bc82e3b0da8eb2350574fbfe09b087b

SHA512
e89d83398413d5bee0a55b04c271ddfa6c37057057e5da77c5e9883879d897774684b0563693d44aaec5b197b25882a07e0fc31e0faefcc3103c59be74b24046

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79BC.tmp
Filesize
915KB

MD5
f79235c2cf614e8814cbd6fd4b00f5e7

SHA1
13034dfcc088a647310e80a654e157209db4adc9

SHA256
6743abd48a990c5504bcd30047244801d0b88f1f89f4ac7ab86222582fc26055

SHA512
39893464a9f600f22cb5438a91d376fe9b79d233324d1e1561ca2ae3531b21be5785c1cca88cd954eba8886003d078442d531a0151d47a84f294feaa53fedcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI79BC.tmp
Filesize
1.1MB

MD5
5f7495b210bdc7c08b114dca3ffe22a9

SHA1
cc83f657d1391fe4812538332fef17c86e001911

SHA256
f63b33d2598df3e160cae8d9743868f3facf12973e559d1eb3f3eb87f1e80729

SHA512
8f282a9a3fd12915a8b662ce93052f7b6d66520bd48ca29bd0a72ec54ecfaffe909cbb0976a49af123f3f71dd212a8889aad8850ae36e1da2830126ae3f66bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7A4A.tmp
Filesize
1.3MB

MD5
2ba7b2ff4b1038a9239f739a7a5ea492

SHA1
30d91e8a09843e05f329b0d5806f73165461b0b0

SHA256
1e7f81121424af3318237f9cf1921f35c5ad894152074fd22246296328a3476d

SHA512
d5178fba1ee33210414b4cb10dbd384e412b1010593de9134b66cd530bf88c12d0a00ec621778d3fc3a681c48fb22cd64a3511d50343258a28438b8691d03606

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7A4A.tmp
Filesize
718KB

MD5
3a70f3509b7e960b2a6704c494e6112c

SHA1
94bae6e041cc910225b61eedec5dc8bb0dc66bce

SHA256
1ecdec950cf4fdd53a79274fb738dc24450fb21a8e2736c1e880af797df103fd

SHA512
3a4d0494583fe9a6335b0c40dc7dcee3f114fc3e87c7b62413406f56d50e0f4452b4f7406fb761adcc63a23faf90b49af66fbd0ccf9adf8eb5e5773a2e520d15

Download Submit