ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gameguard_setup.msi
Size

7.7MB
MD5

68bd8f9af44479db013a77c806f1c674
SHA1

0cbb2b63c78b42e13b1818964bb2cf43e46c5052
SHA256

ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376
SHA512

991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852
SSDEEP

196608:mELpCPNYnYCCJLuMo3nmkmKf+GNI1Xjn5CD9ilxw:fLpCVY7CtuMo2kmcNmsiLw

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

4 1656 msiexec.exe
6 1656 msiexec.exe
8 1656 msiexec.exe
51 3676 msiexec.exe
52 3676 msiexec.exe

flow	pid	process
4	1656	msiexec.exe
6	1656	msiexec.exe
8	1656	msiexec.exe
51	3676	msiexec.exe
52	3676	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

acsvc.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation acsvc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

gameguard.exegameguard.exe

pid process

2272 gameguard.exe
2272 gameguard.exe
4908 gameguard.exe
4908 gameguard.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	acsvc.exe

pid	process
2272	gameguard.exe
2272	gameguard.exe
4908	gameguard.exe
4908	gameguard.exe

Drops file in Program Files directory 8 IoCs

Processes:

gameguard.exeacsvc.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\cache\lwskkl.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File opened for modification	C:\Program Files (x86)\GameGuard\gameguard.exe	acsvc.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	msiexec.exe
File created	C:\Program Files (x86)\GameGuard\gameguard.exe	msiexec.exe
File created	C:\Program Files (x86)\GameGuard\cache\sjdgfve.cache	gameguard.exe
File created	C:\Program Files (x86)\GameGuard\acsvc.exe	gameguard.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e584a06.msi	msiexec.exe
File created	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e584a04.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584a04.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DB58A440-02BB-433B-AE99-D0B8AF31A839}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FB1.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

acsvc.exegameguard.exeacsvc.exeacsvc.exegameguard.exe

pid process

4844 acsvc.exe
2272 gameguard.exe
544 acsvc.exe
4688 acsvc.exe
4908 gameguard.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

3512 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1656 msiexec.exe

pid	process
4844	acsvc.exe
2272	gameguard.exe
544	acsvc.exe
4688	acsvc.exe
4908	gameguard.exe

pid	process
3512	MsiExec.exe

pid	process
1656	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

gameguard.exeacsvc.exeacsvc.exegameguard.exeMsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gameguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 46 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\URL Protocol	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductIcon = "C:\\Windows\\Installer\\{DB58A440-02BB-433B-AE99-D0B8AF31A839}\\icon.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\ = "URL:GameGuard Protocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gameguard\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command\ = "\"C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\DesktopShortcutFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\ProductName = "GameGuard"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\PackageCode = "FCF74D9E87639FE42A3F49F0B413967A"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList\PackageName = "gameguard_setup.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1\044A85BDBB20B334EA990D8BFA138A93	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\044A85BDBB20B334EA990D8BFA138A93\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gameguard\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\ = "URL:GameGuard Protocol"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ggac\DefaultIcon\ = "C:\\Program Files (x86)\\GameGuard\\\\gameguard.exe,1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ggac\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\044A85BDBB20B334EA990D8BFA138A93\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14D8C6FEA992C334C8E1F1E30B83F8E1	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msiexec.exegameguard.exegameguard.exe

pid process

3676 msiexec.exe
3676 msiexec.exe
2272 gameguard.exe
2272 gameguard.exe
2272 gameguard.exe
2272 gameguard.exe
4908 gameguard.exe
4908 gameguard.exe

pid	process
3676	msiexec.exe
3676	msiexec.exe
2272	gameguard.exe
2272	gameguard.exe
2272	gameguard.exe
2272	gameguard.exe
4908	gameguard.exe
4908	gameguard.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	3676	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeMachineAccountPrivilege	1656	msiexec.exe
Token: SeTcbPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeLoadDriverPrivilege	1656	msiexec.exe
Token: SeSystemProfilePrivilege	1656	msiexec.exe
Token: SeSystemtimePrivilege	1656	msiexec.exe
Token: SeProfSingleProcessPrivilege	1656	msiexec.exe
Token: SeIncBasePriorityPrivilege	1656	msiexec.exe
Token: SeCreatePagefilePrivilege	1656	msiexec.exe
Token: SeCreatePermanentPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeDebugPrivilege	1656	msiexec.exe
Token: SeAuditPrivilege	1656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1656	msiexec.exe
Token: SeChangeNotifyPrivilege	1656	msiexec.exe
Token: SeRemoteShutdownPrivilege	1656	msiexec.exe
Token: SeUndockPrivilege	1656	msiexec.exe
Token: SeSyncAgentPrivilege	1656	msiexec.exe
Token: SeEnableDelegationPrivilege	1656	msiexec.exe
Token: SeManageVolumePrivilege	1656	msiexec.exe
Token: SeImpersonatePrivilege	1656	msiexec.exe
Token: SeCreateGlobalPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	3880	vssvc.exe
Token: SeRestorePrivilege	3880	vssvc.exe
Token: SeAuditPrivilege	3880	vssvc.exe
Token: SeBackupPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exegameguard.exe

pid process

1656 msiexec.exe
1656 msiexec.exe
2272 gameguard.exe
2272 gameguard.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

gameguard.exe

pid process

2272 gameguard.exe
2272 gameguard.exe

pid	process
1656	msiexec.exe
1656	msiexec.exe
2272	gameguard.exe
2272	gameguard.exe

pid	process
2272	gameguard.exe
2272	gameguard.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

msiexec.exeMsiExec.exeacsvc.exeacsvc.exe

description	pid	process	target process
PID 3676 wrote to memory of 2520	3676	msiexec.exe	srtasks.exe
PID 3676 wrote to memory of 2520	3676	msiexec.exe	srtasks.exe
PID 3676 wrote to memory of 3512	3676	msiexec.exe	MsiExec.exe
PID 3676 wrote to memory of 3512	3676	msiexec.exe	MsiExec.exe
PID 3676 wrote to memory of 3512	3676	msiexec.exe	MsiExec.exe
PID 3512 wrote to memory of 2272	3512	MsiExec.exe	gameguard.exe
PID 3512 wrote to memory of 2272	3512	MsiExec.exe	gameguard.exe
PID 3512 wrote to memory of 2272	3512	MsiExec.exe	gameguard.exe
PID 544 wrote to memory of 4688	544	acsvc.exe	acsvc.exe
PID 544 wrote to memory of 4688	544	acsvc.exe	acsvc.exe
PID 544 wrote to memory of 4688	544	acsvc.exe	acsvc.exe
PID 4688 wrote to memory of 4908	4688	acsvc.exe	gameguard.exe
PID 4688 wrote to memory of 4908	4688	acsvc.exe	gameguard.exe
PID 4688 wrote to memory of 4908	4688	acsvc.exe	gameguard.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gameguard_setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2520

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6DF8E507F029E969EFE3612C5085B179 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:544

C:\Program Files (x86)\GameGuard\acsvc.exe
"C:\Program Files (x86)\GameGuard\acsvc.exe" --run="C:\Program Files (x86)\GameGuard\gameguard.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files (x86)\GameGuard\gameguard.exe
"C:\Program Files (x86)\GameGuard\gameguard.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584a05.rbs

Filesize
11KB

MD5
fe1a169f57ad917c71a240ff99f9b147

SHA1
a788c256bc13137cca676c9924b8fae7931557ce

SHA256
fa75b9a64531539d72989d4c110867b0a15de9426a0aabb14127aaba466775bc

SHA512
58154b4171d066a391120cdfe875f86d09979a86352f2a799fa52dd0f77bca28528ac5edf76981c66133451e3d084dbd938a9aa00c780d228cf15bc101fa3bb8

Download Submit
C:\Program Files (x86)\GameGuard\acsvc.exe

Filesize
316KB

MD5
7ec55f85dd4740e6f146d3ee54e01201

SHA1
44fcf3bb83a006ab6ca90d728bec43c031e0cada

SHA256
7997c3e9c03c0e91b8b07cb482c97066afdd483d2dbab1f292f749f4fe97e229

SHA512
7b6a494b5506e249e67e63c32fe42895227ec53a49f37e9b3884f628fd7bcc29f1f8bf96d616b8b741adc48540fc8eda7e64701a459acb707569bd1e36ee143b

Download Submit
C:\Program Files (x86)\GameGuard\cache\lwskkl.cache

Filesize
15.3MB

MD5
1ac7965867072e615fea1ee20dc2300e

SHA1
d175990d7fe808931ee915470b130a2c37283ee8

SHA256
0cb8174d1aeb9bb9efa6cca18f09df5941e5f48d23240d207e15a25f20ac70fc

SHA512
4bdf16ff4c50d1e04dd4b9fa9cb3949c8a061bc7a2a5d86bc5cff07ad55ccafd5314a36189eb12e9164fc73b46830db5f54f553bb3d5112c0aee5dd22bb0dcf1

Download Submit
C:\Program Files (x86)\GameGuard\cache\sjdgfve.cache

Filesize
330KB

MD5
b966184ae28d7bc96756bc3ed001c701

SHA1
8c620632624e9bc9b3e7d7a672072bdb6952df87

SHA256
f2b6185392b98f27da4a7a8c74b585ae00d6e69bd7f97727dca0953aa3ab0324

SHA512
8b9ad0bec94ed9a44a0c8aa8b8ca1b80fc6aecc46a2d74a2eb3830394ece82a77bed121c49ccbc6fb4fb7c05edbc90c17d591c2ee0f88bd3018893bc4cd0e003

Download Submit
C:\Program Files (x86)\GameGuard\gameguard.exe

Filesize
7.2MB

MD5
81ed38976254bb646c0ecee753324027

SHA1
c3fe70f9daff9e66b315b2adc9481a7d39d7e7c6

SHA256
cf169e7a746c574f3e2ec653a6739ca71fe0e34aa76f604cd36706fe45536be7

SHA512
476a6f9f65857d015661dc8504c537efff00fbd69014ab2e36aeed393b69083962195b3aa6e4485aa46f7471aa59aec21a6e56a687fc6474cc7a62b9c47ca018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD

Filesize
4KB

MD5
94bf0bf032ce32469dd74f4f1f5320e6

SHA1
86bff704a2f82816f346a6a374250f35743de3b0

SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
004eba2a24fda787318ce19fec383d25

SHA1
f9e5b03ce43664c60c7937c8998d4c12165af3ca

SHA256
ed5bd4c2310d2d1ce382a7b847ae6468a93b019a41004820e6ce2cf75f0f8a2e

SHA512
fb14058d341c5d5a426a73b43f9ccf1781197972969fbf3d82b4928c14d9181a090f11d073cdd8d0eb78ab1766fa815f62fc5c5cb30bab0dcf95ab1fc7a8f4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD

Filesize
222B

MD5
20e3f77990ae11487f724aa97c84b0b1

SHA1
f76372871ccd50976eaaa17a7a18306118dd5147

SHA256
5f8915c289bcd32eff8f7a447f78d72d5a8754533e332cae48e64b6f8f2069ee

SHA512
b9beb5db4e4a2974604493c9082a0e89f4b03002c37b4b0504828c85b6c128abc5635215df7ce8cdcdd148f44a0896b145e07bad3e1221f73e16e0b70ac8e245

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
b5845676e8717eadb3f705f41b197c03

SHA1
2a3e7b1805bd0c33eb80df8b6ba9b24383fb869a

SHA256
f11fafbc9de8bbf474229188ac9abe5ab364ff3efe14ddb61fea629fe98012f3

SHA512
a9f91ed29979a52e52f0ee9098321feb29978edf109bd8f37f78a58e70f3454a1aa3671ad39718ccbeca3db631fd5d8754b3f6b5e9246946d54d47eca8d5c38c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_750FF3DD16195A328CB56C56AF693E3C

Filesize
448B

MD5
492539486c92666f6537454eb644af2d

SHA1
cc4937eaf714f50d90dc7a809bed497a397a23d4

SHA256
6742bbaf08b9a87308956698b5a2170f41b4ce56734c309d8701bcca1e963bd4

SHA512
b7381925a61b7be3c5e388dfd229001436172943459c92ba399ad03cf7cecc87f5413df6754051dc5d4c51ddaac56721ce74f6fb736d7edad27664de50e7c1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5D7D.tmp

Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Windows\Installer\e584a04.msi

Filesize
7.7MB

MD5
68bd8f9af44479db013a77c806f1c674

SHA1
0cbb2b63c78b42e13b1818964bb2cf43e46c5052

SHA256
ac9ac5a95273064ba09af8be049124ba52db7a59075d69a94d12427917dbc376

SHA512
991f703293b984beeeda44cc72cacc0cd69bd4cb1856b2b1c5cf2a2d06d7f58e8469af70c2ecece05d98643937c52f8a944b9892e2925738457d2ac238867852

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
f9e316c81c516855f495d13cac055cba

SHA1
6e90625f146310814bfb706af6b6e669ca98b6b4

SHA256
91d5dd3a3b4b65e39e617cb597075f72219a82874737786e27c1d0eaf183e00d

SHA512
2a6ddeca10c5f61f2c9a1eba264ec74e713c839623270ba63e4d87b1273326da507ac7ed7686a05fd85779dc593b279ab1375e722500d96530f8a46342e98d80

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1667d4e1-7525-4eed-a9a8-0249fea2fd66}_OnDiskSnapshotProp

Filesize
6KB

MD5
4c32fdb50c138e3cbc31eb26a246d0e0

SHA1
c6d60597c502dbb8a7d578ff623d9f37365b31f2

SHA256
83f917a610881d7e434eee5aa7a08b7df43477e2108bf8cb67f4cd6561068b6b

SHA512
146d941d21267be0def4fdc895db31a5f92f10c4a938e8c8cfa41498919dba93bcb09c0a77d8d32eae26d87f9cc9c639081269ec59672a0014c0e0a97198c9ba

Download Submit
memory/2272-88-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2272-86-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2272-90-0x00000000005C0000-0x000000000117E000-memory.dmp

Filesize
11.7MB

Download
memory/2272-87-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2272-85-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2272-81-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2272-82-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2272-83-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2272-84-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/4908-108-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4908-110-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4908-112-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/4908-113-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/4908-111-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/4908-115-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/4908-114-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/4908-109-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4908-117-0x0000000000310000-0x0000000001C1C000-memory.dmp

Filesize
25.0MB

Download