2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e

Analysis

max time kernel
414s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FortiClientVPNOnlineInstaller.exe
Size

2.7MB
MD5

11bfc265fc53ac4756e4ef2759ca10eb
SHA1

e3d2bf11618c39dfd036bb33ea96aa5f989fed25
SHA256

2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e
SHA512

6b1e802f82002c5f8162a48440e09631da12fbfa283fc03bbf405938406955581764cda3ae57021d9e1b821a128b227e77b38dd6994a655f438ac5081f5ae689
SSDEEP

49152:nZ2d2wu+8ewJobcRgEekPZ99ztx5IX0hL5m6bgy:nZ2dnu+AMW9x2O

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FortiClientVPN.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	FortiClientVPN.exe
File opened (read-only)	\??\W:	FortiClientVPN.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	FortiClientVPN.exe
File opened (read-only)	\??\J:	FortiClientVPN.exe
File opened (read-only)	\??\V:	FortiClientVPN.exe
File opened (read-only)	\??\X:	FortiClientVPN.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	FortiClientVPN.exe
File opened (read-only)	\??\R:	FortiClientVPN.exe
File opened (read-only)	\??\U:	FortiClientVPN.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	FortiClientVPN.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	FortiClientVPN.exe
File opened (read-only)	\??\Q:	FortiClientVPN.exe
File opened (read-only)	\??\Y:	FortiClientVPN.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	FortiClientVPN.exe
File opened (read-only)	\??\K:	FortiClientVPN.exe
File opened (read-only)	\??\S:	FortiClientVPN.exe
File opened (read-only)	\??\T:	FortiClientVPN.exe
File opened (read-only)	\??\Z:	FortiClientVPN.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	FortiClientVPN.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	FortiClientVPN.exe
File opened (read-only)	\??\M:	FortiClientVPN.exe
File opened (read-only)	\??\O:	FortiClientVPN.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	FortiClientVPN.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

FortiClientVPN.exe

pid process

2732 FortiClientVPN.exe
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

3664 MsiExec.exe
3664 MsiExec.exe
3664 MsiExec.exe
3664 MsiExec.exe

pid	process
2732	FortiClientVPN.exe

pid	process
3664	MsiExec.exe
3664	MsiExec.exe
3664	MsiExec.exe
3664	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FortiClientVPNOnlineInstaller.exeFortiClientVPN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FortiClientVPNOnlineInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FortiClientVPN.exe

Modifies registry class 7 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\AppID = "{3947B3B8-553A-46D4-A4F9-F43E884B0D8D}"	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8052F904-874D-4d28-9380-AA9BDBF13AFD}\InProcServer32\ThreadingModel = "diskcopy.dll"	FortiClientVPNOnlineInstaller.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

FortiClientVPNOnlineInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	FortiClientVPNOnlineInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	FortiClientVPNOnlineInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	FortiClientVPNOnlineInstaller.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

FortiClientVPNOnlineInstaller.exe

pid process

2260 FortiClientVPNOnlineInstaller.exe
2260 FortiClientVPNOnlineInstaller.exe

pid	process
2260	FortiClientVPNOnlineInstaller.exe
2260	FortiClientVPNOnlineInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FortiClientVPN.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2732	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2732	FortiClientVPN.exe
Token: SeSecurityPrivilege	3296	msiexec.exe
Token: SeCreateTokenPrivilege	2732	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	2732	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	2732	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2732	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	2732	FortiClientVPN.exe
Token: SeTcbPrivilege	2732	FortiClientVPN.exe
Token: SeSecurityPrivilege	2732	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	2732	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	2732	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	2732	FortiClientVPN.exe
Token: SeSystemtimePrivilege	2732	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	2732	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	2732	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	2732	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	2732	FortiClientVPN.exe
Token: SeBackupPrivilege	2732	FortiClientVPN.exe
Token: SeRestorePrivilege	2732	FortiClientVPN.exe
Token: SeShutdownPrivilege	2732	FortiClientVPN.exe
Token: SeDebugPrivilege	2732	FortiClientVPN.exe
Token: SeAuditPrivilege	2732	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	2732	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	2732	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	2732	FortiClientVPN.exe
Token: SeUndockPrivilege	2732	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	2732	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	2732	FortiClientVPN.exe
Token: SeManageVolumePrivilege	2732	FortiClientVPN.exe
Token: SeImpersonatePrivilege	2732	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	2732	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	2732	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	2732	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	2732	FortiClientVPN.exe
Token: SeIncreaseQuotaPrivilege	2732	FortiClientVPN.exe
Token: SeMachineAccountPrivilege	2732	FortiClientVPN.exe
Token: SeTcbPrivilege	2732	FortiClientVPN.exe
Token: SeSecurityPrivilege	2732	FortiClientVPN.exe
Token: SeTakeOwnershipPrivilege	2732	FortiClientVPN.exe
Token: SeLoadDriverPrivilege	2732	FortiClientVPN.exe
Token: SeSystemProfilePrivilege	2732	FortiClientVPN.exe
Token: SeSystemtimePrivilege	2732	FortiClientVPN.exe
Token: SeProfSingleProcessPrivilege	2732	FortiClientVPN.exe
Token: SeIncBasePriorityPrivilege	2732	FortiClientVPN.exe
Token: SeCreatePagefilePrivilege	2732	FortiClientVPN.exe
Token: SeCreatePermanentPrivilege	2732	FortiClientVPN.exe
Token: SeBackupPrivilege	2732	FortiClientVPN.exe
Token: SeRestorePrivilege	2732	FortiClientVPN.exe
Token: SeShutdownPrivilege	2732	FortiClientVPN.exe
Token: SeDebugPrivilege	2732	FortiClientVPN.exe
Token: SeAuditPrivilege	2732	FortiClientVPN.exe
Token: SeSystemEnvironmentPrivilege	2732	FortiClientVPN.exe
Token: SeChangeNotifyPrivilege	2732	FortiClientVPN.exe
Token: SeRemoteShutdownPrivilege	2732	FortiClientVPN.exe
Token: SeUndockPrivilege	2732	FortiClientVPN.exe
Token: SeSyncAgentPrivilege	2732	FortiClientVPN.exe
Token: SeEnableDelegationPrivilege	2732	FortiClientVPN.exe
Token: SeManageVolumePrivilege	2732	FortiClientVPN.exe
Token: SeImpersonatePrivilege	2732	FortiClientVPN.exe
Token: SeCreateGlobalPrivilege	2732	FortiClientVPN.exe
Token: SeCreateTokenPrivilege	2732	FortiClientVPN.exe
Token: SeAssignPrimaryTokenPrivilege	2732	FortiClientVPN.exe
Token: SeLockMemoryPrivilege	2732	FortiClientVPN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

FortiClientVPN.exe

pid process

2732 FortiClientVPN.exe

pid	process
2732	FortiClientVPN.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

FortiClientVPNOnlineInstaller.exemsiexec.exe

description	pid	process	target process
PID 2260 wrote to memory of 2732	2260	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 2260 wrote to memory of 2732	2260	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 2260 wrote to memory of 2732	2260	FortiClientVPNOnlineInstaller.exe	FortiClientVPN.exe
PID 3296 wrote to memory of 3664	3296	msiexec.exe	MsiExec.exe
PID 3296 wrote to memory of 3664	3296	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\FortiClientVPNOnlineInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
  C:\Users\Admin\AppData\Local\Temp\FortiClientVPN.exe
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 465BA26A774E60DA411D44CC7CEE2837 C
  2⤵
  - Loads dropped DLL
  PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
c9ef399a388c657e9b1ab92ca79b8472

SHA1
9685b1d73630979b498397f5ef8048b7c7c5aec4

SHA256
1210fe5cc6b44380ab8817cfb692534895ed3074757fc0c76bc9fe3d1143f6df

SHA512
314640863e559cb468d0dc332ea51ece035bf717f395d79d3be09690c88b5535c9071597338a3b119b31355a1228a60a6b465772a3d162658cca89031fca56ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
727B

MD5
2249ec2bd0fe7a24408f7ebaadcdac9b

SHA1
adc9e5157c7c65cd2b061b1fefed1ce16a9eb1db

SHA256
bd805f7d4c3c9a1eea8c3b5313de6761f612c0bbaa70077ddb8431bdf2be0fb9

SHA512
b0d5257a326eeaa2329ce56935c7b50cfb2c616d5a6fbf3d6bd253f1c52896b0a5aa09c2e01e10b93abd61fa50845d8044db1ad18684f4bf6fa01f338ec0d790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
1KB

MD5
d91299e84355cd8d5a86795a0118b6e9

SHA1
7b0f360b775f76c94a12ca48445aa2d2a875701c

SHA256
46011ede1c147eb2bc731a539b7c047b7ee93e48b9d3c3ba710ce132bbdfac6b

SHA512
6d11d03f2df2d931fac9f47ceda70d81d51a9116c1ef362d67b7874f91bf20915006f7af8ecebaea59d2dc144536b25ea091cc33c04c9a3808eefdc69c90e816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
c210f6689aca680446c0d8ecdef2e46b

SHA1
66cba496d984f92fed05f77101c45734f193e211

SHA256
8f8540c24fcc6ddfddbcabf8f028f8052addf41601d5226ffe378a6e7d4caf5d

SHA512
9c62a6b2a129a50e2094566d88acd7c25ee29600ed1596e6972f684edd48d11366605dca0d90133d489b51eb38bbb6c1a5ad68d0ec9f81c8d23055d03e9540b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
c011802ccabb2e3c0a6dba774ade3313

SHA1
4e263d8ef55b784121cfd2c146e14dd31e304b2a

SHA256
b38a5a14e5ff337dc1b08ba8f1a1a099845d3a607b521d60d3a91e6521e697aa

SHA512
ab15fdd5735a9b80fc5009ff3a0591d4b287eec7b2930d7323aacb37d64504d8c59e0d2eabe662814b0b52d30d058d7db4d6433eddbcae33c2d2bc45b0f1901c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_052D619A1738623B01B6A412349193C8

Filesize
412B

MD5
a727d470b92ab638bb65b918cbe974dd

SHA1
d978be2a86f4bf291914109daecbb72b04eba60a

SHA256
081eede4a3e2ae085c2c977f5440bd4e22c88675cc92639ce81d745fa51743da

SHA512
17f37040cd340fb41490d660c6c3e40752b41e0102cd712d63d86890912c69956da7d996cade6740c0813a4e319c0c90e67bbcba07a5819dad586316fa28346c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
308B

MD5
f2eecbf42e8523e13df396bb200867ee

SHA1
f7b9ee1ea922b14e8724b9a6106fc403caf4f25e

SHA256
2dba227e8bf43882c11162790e36a9b3f843ba9e7905d68e944cfe6005d41fd0

SHA512
4d1de5ab8425ba864b1ba7f0ab072ac76714c7212694f6d368b82dd303e7973f47023fd18b3ae7974c0d8a0bf83e4eb0433f31798a2f322737973e4e0c1437c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
363e55a59224c1b553879964ae64d933

SHA1
70c0ec4c34fe230ee4ad9ac34b5b6c54889e0fbf

SHA256
505e04bf5932345f7dfc4d3d5409de89e44833d22631a818f8dd25f1c7032bbd

SHA512
1194871c74111a7132f189eac5f8f12caa86a240d69863bf295c0588150a9f831db08c3ba8d68b42cd873db59a652a0345bef88b3928fc786b1e3ddda6beba67

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
1KB

MD5
4a52ffb01d7e38d8a008aab27917accb

SHA1
1f0c4320ca9cac8d0a04d14e3bb11e6aa409911b

SHA256
bb0fc2c35c5f6d0bb0a143d90ef1cc7396106880bc112d70f9197bb75598eb5b

SHA512
7de36a07b392a9dd4ccc0a2636340c8db1c8b9c0c58c8353cac144ada013676555a009a901033dbe624b7fbdf30ea89e292c9669ecb7408c51350d4035c1b33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FortiClient00000.log

Filesize
4KB

MD5
ae03780d044582fe01ebbfe40ea99f9e

SHA1
ff427643d37dcdfad79f511fb60497f3c6433389

SHA256
0e156d635efb1d513c82078e1328e10ee7a0f883e578a2a862a49144245c672e

SHA512
9b58099af4251cf84832ff2ae2ea5f603d1581b6b78619583a30616ca916f4fabafea81a9bd2a7ac432535b99f636ce28229c283dc7b5405f305bc6f19ca077f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2404.tmp

Filesize
7.7MB

MD5
32efbffda3376ee49d78baff6bce3cc5

SHA1
fb1195e34a9034309d8bf4608b65e205cac0b930

SHA256
f64e2cad4cdcc53694ca3dbd78b941039064d31ea5892d4ded3a533f0fed627a

SHA512
af22120bb60d0e2394c83059b5d2e68afb40c0fd02e613515257bc80dd3cf55c6792df5325cb87ad2046724b24303e6c9e1a3c9eb2219bd776826e03bc738920

Download Submit