Resubmissions

05-10-2024 06:05

241005-gtcm3szarm 8

05-10-2024 06:02

241005-grrzzstdjh 3

General

  • Target

    FortiClientVPNOnlineInstaller.exe

  • Size

    2.7MB

  • Sample

    241005-gtcm3szarm

  • MD5

    11bfc265fc53ac4756e4ef2759ca10eb

  • SHA1

    e3d2bf11618c39dfd036bb33ea96aa5f989fed25

  • SHA256

    2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e

  • SHA512

    6b1e802f82002c5f8162a48440e09631da12fbfa283fc03bbf405938406955581764cda3ae57021d9e1b821a128b227e77b38dd6994a655f438ac5081f5ae689

  • SSDEEP

    49152:nZ2d2wu+8ewJobcRgEekPZ99ztx5IX0hL5m6bgy:nZ2dnu+AMW9x2O

Malware Config

Targets

    • Target

      FortiClientVPNOnlineInstaller.exe

    • Size

      2.7MB

    • MD5

      11bfc265fc53ac4756e4ef2759ca10eb

    • SHA1

      e3d2bf11618c39dfd036bb33ea96aa5f989fed25

    • SHA256

      2e520faa2b71ba56643153b77c2908c0d6da34a2f6f9abaa7cbadab9278dc99e

    • SHA512

      6b1e802f82002c5f8162a48440e09631da12fbfa283fc03bbf405938406955581764cda3ae57021d9e1b821a128b227e77b38dd6994a655f438ac5081f5ae689

    • SSDEEP

      49152:nZ2d2wu+8ewJobcRgEekPZ99ztx5IX0hL5m6bgy:nZ2dnu+AMW9x2O

    • Drops file in Drivers directory

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks