d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f

Analysis

max time kernel
1643s
max time network
1566s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FortiClientVPNOnlineInstaller.exe
Size

4.0MB
MD5

9bfa08538f94a78395b116666e90606b
SHA1

9c62f61abded758772da22c16f825cdf40f00f92
SHA256

d4ba0b587cccc005bc37ad17817fc4dbd123d357eb34ddf6b1dd63fa57343f2f
SHA512

cfb1d911786c0e4b55e5d45bf392ed30a5f4c6843ce4d6ddfa3af3f219ce341e76ea376db2ea0cbf3421364c49920241d85075b062585a127d144942dc5e40c2
SSDEEP

49152:g9enMTO4Hht2GrgsTeu8T1a0ymq0O493Ej4LA6aKIpmb4RV/TVXUrPhTHlzuw2t3:g9ensr3a4hms4F+7XVXgTHYJOE/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeFortiClientVPN.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	FortiClientVPN.exe
File opened (read-only)	\??\O:	FortiClientVPN.exe
File opened (read-only)	\??\T:	FortiClientVPN.exe
File opened (read-only)	\??\V:	FortiClientVPN.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	FortiClientVPN.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	FortiClientVPN.exe
File opened (read-only)	\??\J:	FortiClientVPN.exe
File opened (read-only)	\??\K:	FortiClientVPN.exe
File opened (read-only)	\??\L:	FortiClientVPN.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	FortiClientVPN.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	FortiClientVPN.exe
File opened (read-only)	\??\X:	FortiClientVPN.exe
File opened (read-only)	\??\Z:	FortiClientVPN.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	FortiClientVPN.exe
File opened (read-only)	\??\Q:	FortiClientVPN.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	FortiClientVPN.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	FortiClientVPN.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	FortiClientVPN.exe
File opened (read-only)	\??\S:	FortiClientVPN.exe
File opened (read-only)	\??\Y:	FortiClientVPN.exe
File opened (read-only)	\??\I:	FortiClientVPN.exe
File opened (read-only)	\??\W:	FortiClientVPN.exe
File opened (read-only)	\??\U:	FortiClientVPN.exe

Executes dropped EXE 1 IoCs

Processes:

FortiClientVPN.exe

pid process

2236 FortiClientVPN.exe

pid	process
2236	FortiClientVPN.exe

Loads dropped DLL 14 IoCs

Processes:

FortiClientVPNOnlineInstaller.exeFortiClientVPN.exeMsiExec.exeWerFault.exe

pid	process
1700	FortiClientVPNOnlineInstaller.exe
2236	FortiClientVPN.exe
2236	FortiClientVPN.exe
2236	FortiClientVPN.exe
3004	MsiExec.exe
3004	MsiExec.exe
3004	MsiExec.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1248 2236 WerFault.exe FortiClientVPN.exe

pid	pid_target	process	target process
1248	2236	WerFault.exe	FortiClientVPN.exe

Modifies registry class 7 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{192D3C9D-416E-431A-93E2-A2212072487D}"	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	FortiClientVPNOnlineInstaller.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FortiClientVPNOnlineInstaller.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

pid process

1700 FortiClientVPNOnlineInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FortiClientVPN.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2236	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2236	FortiClientVPN.exe
Token: SeRestorePrivilege	2612	msiexec.exe
Token: SeTakeOwnershipPrivilege	2612	msiexec.exe
Token: SeSecurityPrivilege	2612	msiexec.exe
Token: SeCreateTokenPrivilege	2236	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	2236	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	2236	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2236	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	2236	FortiClientVPN.exe
Token: SeTcbPrivilege	2236	FortiClientVPN.exe
Token: SeSecurityPrivilege	2236	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	2236	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	2236	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	2236	FortiClientVPN.exe
Token: SeSystemtimePrivilege	2236	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	2236	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	2236	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	2236	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	2236	FortiClientVPN.exe
Token: SeBackupPrivilege	2236	FortiClientVPN.exe
Token: SeRestorePrivilege	2236	FortiClientVPN.exe
Token: SeShutdownPrivilege	2236	FortiClientVPN.exe
Token: SeDebugPrivilege	2236	FortiClientVPN.exe
Token: SeAuditPrivilege	2236	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	2236	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	2236	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	2236	FortiClientVPN.exe
Token: SeUndockPrivilege	2236	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	2236	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	2236	FortiClientVPN.exe
Token: SeManageVolumePrivilege	2236	FortiClientVPN.exe
Token: SeImpersonatePrivilege	2236	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	2236	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	2236	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	2236	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	2236	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2236	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	2236	FortiClientVPN.exe
Token: SeTcbPrivilege	2236	FortiClientVPN.exe
Token: SeSecurityPrivilege	2236	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	2236	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	2236	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	2236	FortiClientVPN.exe
Token: SeSystemtimePrivilege	2236	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	2236	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	2236	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	2236	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	2236	FortiClientVPN.exe
Token: SeBackupPrivilege	2236	FortiClientVPN.exe
Token: SeRestorePrivilege	2236	FortiClientVPN.exe
Token: SeShutdownPrivilege	2236	FortiClientVPN.exe
Token: SeDebugPrivilege	2236	FortiClientVPN.exe
Token: SeAuditPrivilege	2236	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	2236	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	2236	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	2236	FortiClientVPN.exe
Token: SeUndockPrivilege	2236	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	2236	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	2236	FortiClientVPN.exe
Token: SeManageVolumePrivilege	2236	FortiClientVPN.exe
Token: SeImpersonatePrivilege	2236	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	2236	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	2236	FortiClientVPN.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

FortiClientVPN.exe

pid process

2236 FortiClientVPN.exe
2236 FortiClientVPN.exe

pid	process
2236	FortiClientVPN.exe
2236	FortiClientVPN.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

FortiClientVPNOnlineInstaller.exemsiexec.exeFortiClientVPN.exe

description	pid	process	target process
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 1700 wrote to memory of 2236	1700	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 2612 wrote to memory of 3004	2612	msiexec.exe	MsiExec.exe
PID 2612 wrote to memory of 3004	2612	msiexec.exe	MsiExec.exe
PID 2612 wrote to memory of 3004	2612	msiexec.exe	MsiExec.exe
PID 2612 wrote to memory of 3004	2612	msiexec.exe	MsiExec.exe
PID 2612 wrote to memory of 3004	2612	msiexec.exe	MsiExec.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe
PID 2236 wrote to memory of 1248	2236	FortiClientVPN.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
2⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1032
3⤵
- Loads dropped DLL
- Program crash
PID:1248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 3317FCC127F481D9DCEBDBDDA6172051 C
2⤵
- Loads dropped DLL
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
c102331e468eb05398ed0edac7c36c08

SHA1
4079e9062a246fcafae9223574c3d33cd7f699ab

SHA256
e58d1c15d8b7f32fdd5af1e4de65a4d0fb4a41e28fd6cbec2e1f82d5f29d2f1f

SHA512
fe814bbeaf41fdb4b6d73f1279ebf4b2e5c9d99e0ecac40fb2d4c5135f5faeb34bf6f90ec5b8a4d56dedd47e0a326f4accc4a3d97afaedf737a1e119caee80df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
727B

MD5
dbce323a2c9f27c9a024d655fdf8d6db

SHA1
10613c350285622740d39b85e54e488cfd83ba1c

SHA256
d6a4d72fef234325d17314411e8362a7fd6baae16b62ca9fa2037a3f13bb6058

SHA512
a3ce7b9eb41e442c3ef7bfe1aa0e5c81c597a2b549d75dc9760304fd127c1bf374b9e1532f19f6c9d6675177037203b378192353e38a864942ca3dfe8742bbe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
1KB

MD5
d91299e84355cd8d5a86795a0118b6e9

SHA1
7b0f360b775f76c94a12ca48445aa2d2a875701c

SHA256
46011ede1c147eb2bc731a539b7c047b7ee93e48b9d3c3ba710ce132bbdfac6b

SHA512
6d11d03f2df2d931fac9f47ceda70d81d51a9116c1ef362d67b7874f91bf20915006f7af8ecebaea59d2dc144536b25ea091cc33c04c9a3808eefdc69c90e816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
0b88de29c08617bee5b28b7e00921e0d

SHA1
5ac0c8703b1ffbd892c89ce1f8baaba1392126ea

SHA256
c8633457cf30e01fe5624cc2d3a5cdb24c6fea13fb1ec9a65e746e5741a13e53

SHA512
59e8e92a4e78c377d127a393b98b089ce7880d70f4442b57fdcfff92634ece870960e3b02cc0c478c4c9d46b6ddd1270bff0936ec596b205ef5dce42012f65a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
8d794d382cc9e2bf2bbb50aee038c34f

SHA1
1a40c536eb0e6e483a1ba83e063c0f07ae22324f

SHA256
ae523c81422d5f83f7af704688cd7c895895da43a6543378231669e69d6987b5

SHA512
650093f547f70425e25597ca3d41d6d5b9fc444ba477fe2090f8453b4c4195ee556cb2a3d2f5b218eb6364c18d7b888142f82c9e2a614bcc0deb401d2042aede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
412B

MD5
16def8004be04c2454ec38dc1fe98016

SHA1
ca0434a1a34d504248f10c398da5394de4a67804

SHA256
2e6b97389e4a899376e19c63b5d503950cf0d7772be9a2503f04b60765a6c5de

SHA512
2050e387b9c3a855ca5ab6e508293217f89b89840466873e6d3acac27471cfeb2e308c2a519b09728239c1ccc77d613c2d982c0c3bf3b8c364951ced52a17154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
10fa8f2b04c77856dbe91e78b7eb9c45

SHA1
93b4a729536866c6636b3b73094e1107a06f0fe0

SHA256
a8ef4c2f5b184adcdd64cf8286591e8224bbacbd861f1d3ddc91829368592ef6

SHA512
c7f28069ace1cda4aaff14df44a5838519ee7eecc75a7c84c092317cd734d0722bf89097a894092c6225d262f1bcb86dad3a298ac58b9392469e9a62e4a03eb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
308B

MD5
73eb97cdf83dec4d32e622a5b9515d01

SHA1
a1f84c4068c3af18b20245cd88a4e5c3bde30965

SHA256
5a3e9f770c17603534f110e33fa827782ba7b46207ecdcde3032b1e71a9cdedb

SHA512
a160c0071cea90945714cf126b2eda0111a8f566ca7663b5b987c174ac5a9e0ddd66fee4deae0cc345f8ab163f76b240756f07643f0df83d2f51b0c2611e9c63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
ee82aa236efa387cc4062abc06c546de

SHA1
d86f20a230f84ad4cc555402803bc1ccbafbac17

SHA256
c076db7d3e92edc9888ed46ecae4b9469d9b0a0a7b729d2e4d0e9bf7b54d58e5

SHA512
85d2894952d956b6ddb12ac5251eb4b0f5d061542be0b9ced08d4cd3982616fddff14d5c0ea883250469209477212a3fc957af8985337f97e71acc3dab334b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
921f1dfd52c39b0c35d8d3978b32acb3

SHA1
ae597373d0152d33481782fa09d43b874f6c812d

SHA256
bafcf1fe9d0b983edba274db43f2f7c79b4a2764629b1b49604a8b67a93f46ea

SHA512
aa298265fe4c1689977cf32e87bbe2467f5ba29819afc7eabcc49cb2f2776b45d523930241c8d9f1119c6e046c71026182f32c3294fc5ba8909564e0be472024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab23C8.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
1KB

MD5
bd888fb9bc1c9c70a5090e9e8f22aa76

SHA1
c27a2d83896bf4fa7c34bcbc9e8bfbb8fbd4fe6e

SHA256
cf7db53a564ed631d30e2137fcb603d53d623c1b0310aa1dd1e232c38134431a

SHA512
e205a9129af5176dd350ffc68d8c23147194c56cafacd53df8954f85584d15ef23a7d021b4ff4b146bde01b3f9795aca006e30c0140419caed039c03345cf620

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
4KB

MD5
f6f0af3e8ca75904854ec7f96496b9b2

SHA1
4a3bbafcdb8cf3f1fdbad3cd2aec402ea605a815

SHA256
51c294213e7583c9516174852a4c4c2e23760f2f94d20f2015114cec2768c6a5

SHA512
f0f4557d7750494ecc750866ae5ec92a351b8c44a0c87903c042b3129ded093bc5166df5b380885d0ca934bae2bf1382d0de4fff119190a3fcc957c4968603c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI361C.tmp

Filesize
7.5MB

MD5
4476a7ca716aa3ddbaf1ed3c0624ee6f

SHA1
8800ed7a7c58209405a2e0a7a92d1deacc1c9d51

SHA256
43b6e75f70d0b2fd7bc9ac4eaa50a0d92e3810cfd9c691beece447ce7c5f44da

SHA512
7c0fd10fbf424d911a36cef4d18d5070523600152e01a9d83169c7ac8d5f02d9937680d09a226503bf717d5bb442096e53b829dec22942da78f631297c5eea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2503.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2691.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1700-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download