d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FortiClientVPNOnlineInstaller.exe
Size

4.0MB
MD5

9bfa08538f94a78395b116666e90606b
SHA1

9c62f61abded758772da22c16f825cdf40f00f92
SHA256

d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f
SHA512

cfb1d911786c0e4b55e5d45bf392ed30a5f4c6843ce4d6ddfa3af3f219ce341e76ea376db2ea0cbf3421364c49920241d85075b062585a127d144942dc5e40c2
SSDEEP

49152:g9enMTO4Hht2GrgsTeu8T1a0ymq0O493Ej4LA6aKIpmb4RV/TVXUrPhTHlzuw2t3:g9ensr3a4hms4F+7XVXgTHYJOE/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeFortiClientVPN.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	FortiClientVPN.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	FortiClientVPN.exe
File opened (read-only)	\??\Z:	FortiClientVPN.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	FortiClientVPN.exe
File opened (read-only)	\??\P:	FortiClientVPN.exe
File opened (read-only)	\??\L:	FortiClientVPN.exe
File opened (read-only)	\??\Q:	FortiClientVPN.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	FortiClientVPN.exe
File opened (read-only)	\??\G:	FortiClientVPN.exe
File opened (read-only)	\??\X:	FortiClientVPN.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	FortiClientVPN.exe
File opened (read-only)	\??\O:	FortiClientVPN.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	FortiClientVPN.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	FortiClientVPN.exe
File opened (read-only)	\??\T:	FortiClientVPN.exe
File opened (read-only)	\??\Y:	FortiClientVPN.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	FortiClientVPN.exe
File opened (read-only)	\??\M:	FortiClientVPN.exe
File opened (read-only)	\??\V:	FortiClientVPN.exe
File opened (read-only)	\??\W:	FortiClientVPN.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	FortiClientVPN.exe
File opened (read-only)	\??\K:	FortiClientVPN.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	FortiClientVPN.exe
File opened (read-only)	\??\E:	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

FortiClientVPN.exe

pid process

668 FortiClientVPN.exe

pid	process
668	FortiClientVPN.exe

Loads dropped DLL 14 IoCs

Processes:

FortiClientVPNOnlineInstaller.exeFortiClientVPN.exeMsiExec.exeWerFault.exe

pid	process
1844	FortiClientVPNOnlineInstaller.exe
668	FortiClientVPN.exe
668	FortiClientVPN.exe
668	FortiClientVPN.exe
2560	MsiExec.exe
2560	MsiExec.exe
2560	MsiExec.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2636 668 WerFault.exe FortiClientVPN.exe

pid	pid_target	process	target process
2636	668	WerFault.exe	FortiClientVPN.exe

Modifies registry class 7 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{1E048694-1D25-493A-915A-4E4753F99D60}"	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

pid process

1844 FortiClientVPNOnlineInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FortiClientVPN.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	668	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	668	FortiClientVPN.exe
Token: SeRestorePrivilege	1864	msiexec.exe
Token: SeTakeOwnershipPrivilege	1864	msiexec.exe
Token: SeSecurityPrivilege	1864	msiexec.exe
Token: SeCreateTokenPrivilege	668	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	668	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	668	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	668	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	668	FortiClientVPN.exe
Token: SeTcbPrivilege	668	FortiClientVPN.exe
Token: SeSecurityPrivilege	668	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	668	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	668	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	668	FortiClientVPN.exe
Token: SeSystemtimePrivilege	668	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	668	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	668	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	668	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	668	FortiClientVPN.exe
Token: SeBackupPrivilege	668	FortiClientVPN.exe
Token: SeRestorePrivilege	668	FortiClientVPN.exe
Token: SeShutdownPrivilege	668	FortiClientVPN.exe
Token: SeDebugPrivilege	668	FortiClientVPN.exe
Token: SeAuditPrivilege	668	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	668	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	668	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	668	FortiClientVPN.exe
Token: SeUndockPrivilege	668	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	668	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	668	FortiClientVPN.exe
Token: SeManageVolumePrivilege	668	FortiClientVPN.exe
Token: SeImpersonatePrivilege	668	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	668	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	668	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	668	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	668	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	668	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	668	FortiClientVPN.exe
Token: SeTcbPrivilege	668	FortiClientVPN.exe
Token: SeSecurityPrivilege	668	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	668	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	668	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	668	FortiClientVPN.exe
Token: SeSystemtimePrivilege	668	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	668	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	668	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	668	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	668	FortiClientVPN.exe
Token: SeBackupPrivilege	668	FortiClientVPN.exe
Token: SeRestorePrivilege	668	FortiClientVPN.exe
Token: SeShutdownPrivilege	668	FortiClientVPN.exe
Token: SeDebugPrivilege	668	FortiClientVPN.exe
Token: SeAuditPrivilege	668	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	668	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	668	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	668	FortiClientVPN.exe
Token: SeUndockPrivilege	668	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	668	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	668	FortiClientVPN.exe
Token: SeManageVolumePrivilege	668	FortiClientVPN.exe
Token: SeImpersonatePrivilege	668	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	668	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	668	FortiClientVPN.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

FortiClientVPNOnlineInstaller.exeFortiClientVPN.exe

pid process

1844 FortiClientVPNOnlineInstaller.exe
668 FortiClientVPN.exe
668 FortiClientVPN.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

FortiClientVPNOnlineInstaller.exemsiexec.exeFortiClientVPN.exe

description	pid	process	target process
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1844 wrote to memory of 668	1844	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1864 wrote to memory of 2560	1864	msiexec.exe	MsiExec.exe
PID 1864 wrote to memory of 2560	1864	msiexec.exe	MsiExec.exe
PID 1864 wrote to memory of 2560	1864	msiexec.exe	MsiExec.exe
PID 1864 wrote to memory of 2560	1864	msiexec.exe	MsiExec.exe
PID 1864 wrote to memory of 2560	1864	msiexec.exe	MsiExec.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe
PID 668 wrote to memory of 2636	668	FortiClientVPN.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
2⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 1040
3⤵
- Loads dropped DLL
- Program crash
PID:2636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 1C713357D0271505A8961751F4C99903 C
2⤵
- Loads dropped DLL
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
d5c3b24e2261c844990a8d53136a8005

SHA1
6c5d0027078afe7c1262aa19904ffedc52ca0dae

SHA256
caadc17c5ec82310d57a8269d5ece7e0bc0a54df4fef99f3f16865803dc479fe

SHA512
d7c4f3408d8da33fa1559eead99ff40b45b745f82d6a0faadb930bf828d0603b14af97cdd7562b98aff0978edcec72284fc01f0936c7866807333614893cbf78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
727B

MD5
bc3ff7bd957a8b9ac975835f6f4c496e

SHA1
933cefd8b5f6feadca4b35f4a96e089c1d5e8eae

SHA256
0169a2895be74b82cd4e886fb50874b7bba0b091534914e9d2057f41864911e1

SHA512
d996763322accabcd03282b8b94fae146af9a219c096a009e8755d3e4bba9fed99ef6a3ede0ddcf7acbff70da35d8d83e65c8e80b54c4c8f69bb8a75d073d35e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
1KB

MD5
d91299e84355cd8d5a86795a0118b6e9

SHA1
7b0f360b775f76c94a12ca48445aa2d2a875701c

SHA256
46011ede1c147eb2bc731a539b7c047b7ee93e48b9d3c3ba710ce132bbdfac6b

SHA512
6d11d03f2df2d931fac9f47ceda70d81d51a9116c1ef362d67b7874f91bf20915006f7af8ecebaea59d2dc144536b25ea091cc33c04c9a3808eefdc69c90e816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
45cd9934e40f157b62b76df92109b6cb

SHA1
2f8c98ddf70f4954e093bf7be08d246ef1a2e96b

SHA256
76952f007bf0da6261b956a3d6cbc28961be5dac45cf232e6a645c32d2f8687c

SHA512
5be5455d10c7b76e37966e6b9fdb2df00cb86549ddc6c988ae5f8f156651a2deb1e604431ed7dcf77b531e9120524a9b20bec2678ea5c18517a40c0cf926175c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
1c91c563555df11e71b6cf3dc4485661

SHA1
aad002d9a852d643de8ce877b64eb9f633ca1df7

SHA256
d5d37cf390cbf201a29da740bc23206d52c3a67918d179136daf277e46808d5d

SHA512
82a29b0e4ce27ea1d054f4fc7bca92cf14dd58a7b815e26ded92c07cf8e438778874764a77f8306a02a7291f5093de4c789a0d689e560878f820f72e6610766d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
412B

MD5
cab71dc45922c6a2b49d74abfb9cea18

SHA1
cd81f50d49c3927a1d5087e973f7e3f31d6a4ef0

SHA256
ef79ed32dbbef49b95939c73ccab797ea2c923ef8dae7725fcfef3694e080508

SHA512
30c49735eccde9e1d11789d295d970b3e6c6cb121382d4c93b2fcb4f5f1e89e16852c0566d815885a1e9d49847cdaa33f9ea4a2e417bf6ba7e1f67b45a461b74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35ea45aaef5a6269853de5ae57f64641

SHA1
964aa556ee59bc42d46dad6f5b0cf1115e66a55f

SHA256
6c5207556bddca72a43deb0d1bafb8cea9ce284e95c9c9574998b6a94e416699

SHA512
a44e822a3ce96f0fb0aa72725480687c177b78131e6aa541ee75757bf8fda4e7b9d94bd3bed5cf57cb58f6bd46128df8fe307ffcba46d2e6c6a0dce80aa152ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
308B

MD5
8d5164c4c3f9b42f8e0f3b99b7ac60a3

SHA1
0d368a375d6812de982ff7d917b9e9c62e99015f

SHA256
7430ef4bde357a47ac0f603e423564575ba943a8f77c0fefff35895e19da4bc8

SHA512
31c977e3a24604121acd154ac55a6a966fc372510d4264ee435932d9411838991f66af4fe14a9f5ba95d1abff30448cd93863ecfdbf46784acf2c2ae6385ac9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
2974f5d641ed944f0fdf1e1bcd07848a

SHA1
47137f8d505a64b2b66cc9ea698b2b65fe2a4a43

SHA256
e76a01ce835c8196e12a86f4cc182f5c4eac0d805163b583dad23e9a1abe3286

SHA512
06f01c8c508d3c38eb59e2f6d3e31134b1ae79bf84f9a7554524c2d67cde5946f674a46c1cc598f1f2e0fcc17726c3ac3e113b2e7ca09cc96c33d8b5baf766cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
cef37e41f42482f6a78485c433f65bb3

SHA1
87e844f33ef1bdf2f0e781eb481744fccf75dc73

SHA256
ad9edeb29135b8b401847d47eb5cd46aa096b77be54a498b97f9763294c0060a

SHA512
7fc7625d3c1169735611d9efada374383e89f1f48f4d609b169c5ea7589b6de18a7b8030a066ec4c03074bf5b8f575ff42a8b95283fecb38d60747fd3b6b1853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6309.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCT_{625BC4BA-AC3E-4E4B-9996-EEED9D4287C3}\{87711F8C-B3E4-4052-95F3-665F099284E5}\FortiClient.msi

Filesize
133.6MB

MD5
54caa99a9a197a8f9a8e157b702a64ca

SHA1
f3ea81642b7fa10db7af6b8853fb3603a08cd18d

SHA256
d14e512ecad8f83e7eccf74f61c49080c615dbfd4017b86d0ab6c4012a8cfe5d

SHA512
537ef17c91cd89383eb90b1754c657cbb791ab099e1f34d53cc9c36a7cc1f0bc6c90c919155eed120d148795cc87dcb2e53af3da9abae7909201007b4c5d71eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
3KB

MD5
20409856cbe4889ed53c98172ce1e33d

SHA1
6be098a51d756be9344d0750940b15b41d67a88d

SHA256
62a92f28ba2ba43a357df996a67c748b7487368367348c6d4573136c270b7c05

SHA512
e3ecf6c8441b1aa8f5c5d179414e163078e6361e8dcbc566c59e2daa5583a057fc0e4cbc1ea965772c4e681736498e4b3a1b446370ba40d8c845e2e62ef9a637

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
4KB

MD5
5d568ed163ee7109d8463727c78d8dee

SHA1
7a54bda9977afd2b7bae708d08fa5713ac533287

SHA256
24432474c3e8d94e0ceb9b96d63737118d0c38e332d3d1288797b85b17a1046a

SHA512
5e8662b4ce74e1f8719ed38e0c5eb0b53112900aeaf654435e5d71ac77980048e6111d9737b553cb11c7c9c1f3cb5f56bccb63636e59a4d027fc0875a7e1a751

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI76A5.tmp

Filesize
7.5MB

MD5
4476a7ca716aa3ddbaf1ed3c0624ee6f

SHA1
8800ed7a7c58209405a2e0a7a92d1deacc1c9d51

SHA256
43b6e75f70d0b2fd7bc9ac4eaa50a0d92e3810cfd9c691beece447ce7c5f44da

SHA512
7c0fd10fbf424d911a36cef4d18d5070523600152e01a9d83169c7ac8d5f02d9937680d09a226503bf717d5bb442096e53b829dec22942da78f631297c5eea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6434.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6620.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
145.6MB

MD5
862f1ba5f5750587701f18e3f7031c5f

SHA1
eb913b6554391f81b4b9d8fc27a172d529d23a71

SHA256
c037f49df5fe011f69a933493369b0c87e7fe854a185448256c392111df6146f

SHA512
ba69cb1e6265def6c4afc75907185cca9dbe0323c00e8a2534b4b287fd886b704591f70af776a30dbff428107df1baf7062971f8cd8623b706906fae52c13380

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
139.8MB

MD5
d7e02ee2c5dcb103a063f97c3c69335b

SHA1
8c571fea6353548e17425fb41a135451b421bc6f

SHA256
f9f6b99c919d494a7f27aacc22e2aea08251354b29b00bf2473c0426f67b0fd7

SHA512
1a99c16d2078e58a0b5bb2960bc4e8dadc3ae47cbad61d58975036a90c322f0a09d2c48aabb618de20556e3ba0b5561a9313bc8a60ad4d9b6c58ae36e2843404

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
139.9MB

MD5
b3801bb10340ce4c04e665b2c9203640

SHA1
bf3dbe41a9ddcb63b734d627a183d64e26598f5e

SHA256
cc7b63595f7279ed776dfc722d5c1d7c7e254781ef1dc74b5bbdef30c2bbd367

SHA512
cf8bcea2cc2f7d41cae589db626a711efc5be56e912b9c43c20498967c13e1c56f226d98221c0d57626dc92b83fd3ae1d472361167d25879b78a2883d8f67521

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
143.4MB

MD5
45414095e69bb63410452854ac9454d0

SHA1
c7566aae5f11606bab0da9c3d527da3104b3a8be

SHA256
354a049b37cf14482aa241ce04331d866c8b285b7486d455b943d8fb024f0726

SHA512
cfcdb4c5b51103dcd2e5bff3d1c48c412764a3d4d0d693161b6f4dcf31ea8df144bc9fc5835951ee4d911aaea8993a640c7d139c550d65359c6035285165a12d

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
140.2MB

MD5
607e4de5d4c59e2222189a0b21a3c6d7

SHA1
5aa65f730487e72b71fa0b35fecf7cd5ba00eef3

SHA256
0b72a967c031d31555c5fd8a6491ad32717d0d9016e3ef743e24a2da48a2df34

SHA512
73201e270b67e1425cf775b7ebb86c83f72345bae35db7051488ffc33fb0394ba35419738d198f1fb5a7a3548068577122d37d8785e2c0110be483dce9373560

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
137.4MB

MD5
671b1c2aa1852c671c76b232f1c9deee

SHA1
b3b791d42839d9ec0307c4917459e0bea38670a0

SHA256
ad8197784343131b3f5e0625840794bd3eb1d28f8e0b9f1058067f166c79975c

SHA512
8a65fb05bd807684147234d34f871c87f24dbe73f885a4dcc48399a81a199bd1c7928d784c80ba0f1eba200d817964db2a4376b3200c702fea02ec75c495d03f

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
140.0MB

MD5
ad96037e32133340f61ae2e689a7b1af

SHA1
a531603d8ceb5575c160c138d54682dd21a5cb55

SHA256
4b85202a6baeb34d8a9d050ef3263a5f2124c80734de207e8715f4084e366aad

SHA512
b116e708ab0707799ab25dac862ba2eac06c9bf79031b794105d015f9d489feaf01fe215751155c7c9b8f4c43fc96ead04345ce74145633f64935ad28b05fe71

Download Submit
\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe

Filesize
138.6MB

MD5
5fd5e85501ef9d72484708fc4e444e53

SHA1
cdb67db310001b35bfe148bd4d6674aa360bca7f

SHA256
ac9e000c6c8dbf5a033c97eb91b02bdf61cec20850f4e83d0f6f411d53693f62

SHA512
9e738e47b116305b3db4f752638c7d6d40b8107d62859c737369ff5c8b2063b38991aa326b7c1350b9b7f4b347b9d0a2a7fa1659fd0688cc84a0291cfc6e126e

Download Submit
memory/1844-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download