Overview

overview

6

Static

static

1

gameguard_setup.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    86s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    21-09-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gameguard_setup.msi

  • Size

    7.7MB

  • MD5

    68bd8f9af44479db013a77c806f1c674

  • SHA1

    0cbb2b63c78b42e13b1818964bb2cf43e46c5052

  • SHA256

    ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

  • SHA512

    991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

  • SSDEEP

    196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2220
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding F62B38AD1FC3600F16BFDA377AB50BCB C
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Program Files (x86)\GameGuard\gameguard.exe
          "C:\Program Files (x86)\GameGuard\gameguard.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,953679255148167322,11941616348703188819,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
      1⤵
        PID:1572
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Program Files (x86)\GameGuard\acsvc.exe
        "C:\Program Files (x86)\GameGuard\acsvc.exe"
        1⤵
        • Executes dropped EXE
        PID:4048
      • C:\Program Files (x86)\GameGuard\acsvc.exe
        "C:\Program Files (x86)\GameGuard\acsvc.exe"
        1⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Program Files (x86)\GameGuard\acsvc.exe
          "C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Program Files (x86)\GameGuard\gameguard.exe
            "C:\Program Files (x86)\GameGuard\gameguard.exe"
            3⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3436
      • C:\Program Files (x86)\GameGuard\gameguard.exe
        "C:\Program Files (x86)\GameGuard\gameguard.exe"
        1⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3788
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte024045dh7294h4298hb36bh2dba71b896a5
        1⤵
          PID:5288

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e58e8a7.rbs
          Filesize

          11KB

          MD5

          7806e284be9d78b75bedafd4db8634ce

          SHA1

          948404b677f0f9eee8509828370fee9f05d3d5a7

          SHA256

          58e7f8af6474a5665981bd9dd854cd21c1b518d19426a49e87401760334c72e5

          SHA512

          3a2e9b94954740037464f3ab3da312f43a29b72a7ff1f04c6e160e8f38ee85db2970773de9a4050cfb2baca8e83caf88a0637e7136c6a96365ece2fddb006c83

          Download Submit

        • C:\Program Files (x86)\GameGuard\acsvc.exe
          Filesize

          316KB

          MD5

          7ec55f85dd4740e6f146d3ee54e01201

          SHA1

          44fcf3bb83a006ab6ca90d728bec43c031e0cada

          SHA256

          7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

          SHA512

          7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

          Download Submit

        • C:\Program Files (x86)\GameGuard\cache\fuhwvfe.cache
          Filesize

          330KB

          MD5

          b966184ae28d7bc96756bc3ed001c701

          SHA1

          8c620632624e9bc9b3e7d7a672072bdb6952df87

          SHA256

          f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324

          SHA512

          8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003

          Download Submit

        • C:\Program Files (x86)\GameGuard\cache\itbxabe.cache
          Filesize

          15.3MB

          MD5

          1ac7965867072e615fea1ee20dc2300e

          SHA1

          d175990d7fe808931ee915470b130a2c37283ee8

          SHA256

          0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc

          SHA512

          4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1

          Download Submit

        • C:\Program Files (x86)\GameGuard\gameguard.exe
          Filesize

          7.2MB

          MD5

          81ed38976254bb646c0ecee753324027

          SHA1

          c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6

          SHA256

          cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7

          SHA512

          476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD
          Filesize

          4KB

          MD5

          94bf0bf032ce32469dd74f4f1f5320e6

          SHA1

          86bff704a2f82816f346a6a374250f35743de3b0

          SHA256

          54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

          SHA512

          ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
          Filesize

          1KB

          MD5

          004eba2a24fda787318ce19fec383d25

          SHA1

          f9e5b03ce43664c60c7937c8998d4c12165af3ca

          SHA256

          ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e

          SHA512

          fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
          Filesize

          5B

          MD5

          5bfa51f3a417b98e7443eca90fc94703

          SHA1

          8c015d80b8a23f780bdd215dc842b0f5551f63bd

          SHA256

          bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

          SHA512

          4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD
          Filesize

          222B

          MD5

          3f0a4a69ea0fba014d56ff67a7d533e5

          SHA1

          e4869fb0f9754087d5c836e1d70e833d4aeb340c

          SHA256

          6d4a57a041503f66fb7a948e58b6db171f90db5f53eff97829e68f4676674914

          SHA512

          d1152af8a9bd61ededad02d4dab70f581c78ab60e2f5b1ed1aa90e2f9b01e926fe6a974614d3e0e2a31993f7490594cc8ed4879e8e5772a013586d2f821082e0

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037
          Filesize

          498B

          MD5

          7262afe8adb586699b1e1589f4f9c1cd

          SHA1

          fbf756973a01c46a6d5df0391028ab02b1bce8fe

          SHA256

          550807b31a2464c585038fd1fcbd08f09042fc4b140a651ea1c9efebf598efd1

          SHA512

          e668220bc5f1397f8f291c5495b91dd996258ad7b535d20ec1202e57584959bb230188d0c1f355362283c2826aaf6ec32ac285c7b9c6cfa371afb478e1be2518

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C
          Filesize

          448B

          MD5

          0219858575a0b64c27be3d24bb3f542d

          SHA1

          29092ffca29ac5533f63449e32b9dd3ac171e4bd

          SHA256

          adc69b6f9ab726dbeffaf4b89f290013fdde3d1de135f0f4446fb71d477f599a

          SHA512

          0e65941405dfe23ab17d00a5be922e504d0129f15774b46a900d64dd7675414de2e1f5968e7608f75808e95b2ed7a5a678a7ff1371a79cebd63b969b5ebcccc5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MSID45.tmp
          Filesize

          202KB

          MD5

          d773d9bd091e712df7560f576da53de8

          SHA1

          165cfbdce1811883360112441f7237b287cf0691

          SHA256

          e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

          SHA512

          15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

          Download Submit

        • C:\Windows\Installer\e58e8a6.msi
          Filesize

          7.7MB

          MD5

          68bd8f9af44479db013a77c806f1c674

          SHA1

          0cbb2b63c78b42e13b1818964bb2cf43e46c5052

          SHA256

          ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

          SHA512

          991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          23.7MB

          MD5

          13ca294ca7c450fab4642bdcf395e9b7

          SHA1

          1b17e0dbc4ddef455a78adf3f75afa2828718eeb

          SHA256

          fdf7dab95977e3ace76b5429f9717149779c82bf1a09c0e4224ddca8af13e8e6

          SHA512

          17e2341a21f998b47e0f55b7889a0f599760fe3573589a893d4dc0db0297a7d833f27520b06832afdd0cc480236c1c71e9f637ff79a691713bf0eb52254fcb23

          Download Submit

        • \??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e946d275-d641-48f0-a44f-ebef489f9f18}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          7ed3ebf36c36f0c7a5d0398853e00d02

          SHA1

          4d17061c98d79d4732b90b225e12c7528bc7d7bb

          SHA256

          286f907f556a77821d9d36ffbd87c4b4f84b30fbeb93e12bf32ad8442fcfa0c2

          SHA512

          77f707a14dc9a59c66bf383ee653b7c4a77f3d9105a4b8a7cd9228519e8dcf54671d45bda7e68aac4ed1828ed34d6c7fd36d12d3a6e73a7bd5f28b2d7c4f440b

          Download Submit

        • memory/3436-114-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-108-0x0000000002C30000-0x0000000002C31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-116-0x0000000000CC0000-0x00000000025CC000-memory.dmp

          Filesize

          25.0MB

          Download

        • memory/3436-115-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-113-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-112-0x0000000002C90000-0x0000000002C91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-111-0x0000000002C80000-0x0000000002C81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-110-0x0000000002C50000-0x0000000002C51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-109-0x0000000002C40000-0x0000000002C41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-121-0x00000000025F0000-0x00000000025F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-124-0x0000000004340000-0x0000000004341000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-128-0x0000000000CC0000-0x00000000025CC000-memory.dmp

          Filesize

          25.0MB

          Download

        • memory/3788-127-0x0000000004370000-0x0000000004371000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-126-0x0000000004360000-0x0000000004361000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-125-0x0000000004350000-0x0000000004351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-123-0x0000000002890000-0x0000000002891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-122-0x0000000002880000-0x0000000002881000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3788-120-0x00000000025E0000-0x00000000025E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-85-0x00000000005B0000-0x00000000005B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-86-0x0000000001280000-0x0000000001281000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-83-0x0000000000450000-0x0000000000451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-84-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-88-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-89-0x0000000002E90000-0x0000000002E91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-91-0x00000000005C0000-0x000000000117E000-memory.dmp

          Filesize

          11.7MB

          Download

        • memory/4968-90-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4968-87-0x0000000002E70000-0x0000000002E71000-memory.dmp

          Filesize

          4KB

          Download