Windows
Analysis Report
FortiClientVPNOnlineInstaller.exe
Overview
General Information
Detection
Score: | 20 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 0% |
Signatures
Drops large PE files
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Classification
- System is w10x64
FortiClientVPNOnlineInstaller.exe (PID: 6036 cmdline:
"C:\Users\ user\Deskt op\FortiCl ientVPNOnl ineInstall er.exe" MD5: 11BFC265FC53AC4756E4EF2759CA10EB) FortiClientVPN.exe (PID: 5352 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\FortiCl ientVPN.ex e MD5: 43866BF1847EFD3BEF65E4D9EF603CA7)
msiexec.exe (PID: 1576 cmdline:
C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) msiexec.exe (PID: 6136 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng 451EC6B B5F916B7CC FDA9FD6E2C 98FE7 C MD5: E5DA170027542E25EDE42FC54C929077)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
Source: | Static PE information: |
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | IP Address: |
Source: | String found in binary or memory: |