ce545bb7539dd09990bc9cf9d8a78492124d6a132f9d86d0b5fa60c0ae4186b2

General

Target

Suricata-6.0.6-1-64bit.msi
Size

22.6MB
MD5

8b9258c77ca6bebff5a0cbf116c02129
SHA1

750ecdf0c3d3b63ae0f5d3f753731345e59caedc
SHA256

ce545bb7539dd09990bc9cf9d8a78492124d6a132f9d86d0b5fa60c0ae4186b2
SHA512

cd1a0847d70497c4abe2a7d538d0b13461806250340158677c9f5de9258ef99ec625c5366a853a05d8809dcb7c1dd616c2cdcb249a25fb20bfcd995198f69219
SSDEEP

393216:Zv+Pjv1e3OWSr1hE0UElR69nfSbkC5ZUnD8+2QZpmRuqzQbtitLPEjTJ1YkfFnJt:ZAsOWn+6UhZM8+Bm4qzQpUbKT6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

1 2576 msiexec.exe
3 2576 msiexec.exe
5 2576 msiexec.exe
7 2576 msiexec.exe

flow	pid	process
1	2576	msiexec.exe
3	2576	msiexec.exe
5	2576	msiexec.exe
7	2576	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 43 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\Suricata\libjansson-4.dll	msiexec.exe
File created	C:\Program Files\Suricata\magic.mgc	msiexec.exe
File created	C:\Program Files\Suricata\msvcrt.dll	msiexec.exe
File created	C:\Program Files\Suricata\suricata.exe	msiexec.exe
File created	C:\Program Files\Suricata\rules\files.rules	msiexec.exe
File created	C:\Program Files\Suricata\libmaxminddb-0.dll	msiexec.exe
File created	C:\Program Files\Suricata\libplds4.dll	msiexec.exe
File created	C:\Program Files\Suricata\lua54.dll	msiexec.exe
File created	C:\Program Files\Suricata\nssutil3.dll	msiexec.exe
File created	C:\Program Files\Suricata\reference.config	msiexec.exe
File created	C:\Program Files\Suricata\libGeoIP-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\libpcre-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\libssp-0.dll	msiexec.exe
File created	C:\Program Files\Suricata\LICENSE	msiexec.exe
File created	C:\Program Files\Suricata\rules\app-layer-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\liblz4.dll	msiexec.exe
File created	C:\Program Files\Suricata\nss3.dll	msiexec.exe
File created	C:\Program Files\Suricata\HOW_TO_Windows.pdf	msiexec.exe
File created	C:\Program Files\Suricata\liblzma-5.dll	msiexec.exe
File created	C:\Program Files\Suricata\libplc4.dll	msiexec.exe
File created	C:\Program Files\Suricata\libwinpthread-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\modbus-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\mqtt-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\nfs-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\ntp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\classification.config	msiexec.exe
File created	C:\Program Files\Suricata\rules\decoder-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\http-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\libnspr4.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\smb-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\stream-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\tls-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\zlib1.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\dhcp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\http2-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\ipsec-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\kerberos-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\libyaml-0-2.dll	msiexec.exe
File created	C:\Program Files\Suricata\batch.bat	msiexec.exe
File created	C:\Program Files\Suricata\rules\dnp3-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\dns-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\smtp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\suricata.yaml	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{42AB4288-8940-4B7D-97E2-75901A1D188F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19C2.tmp	msiexec.exe
File created	C:\Windows\Installer\e571753.msi	msiexec.exe
File created	C:\Windows\Installer\e571751.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571751.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4728 msiexec.exe
4728 msiexec.exe

pid	process
4728	msiexec.exe
4728	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	4728	msiexec.exe
Token: SeCreateTokenPrivilege	2576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2576	msiexec.exe
Token: SeLockMemoryPrivilege	2576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2576	msiexec.exe
Token: SeMachineAccountPrivilege	2576	msiexec.exe
Token: SeTcbPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeLoadDriverPrivilege	2576	msiexec.exe
Token: SeSystemProfilePrivilege	2576	msiexec.exe
Token: SeSystemtimePrivilege	2576	msiexec.exe
Token: SeProfSingleProcessPrivilege	2576	msiexec.exe
Token: SeIncBasePriorityPrivilege	2576	msiexec.exe
Token: SeCreatePagefilePrivilege	2576	msiexec.exe
Token: SeCreatePermanentPrivilege	2576	msiexec.exe
Token: SeBackupPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeShutdownPrivilege	2576	msiexec.exe
Token: SeDebugPrivilege	2576	msiexec.exe
Token: SeAuditPrivilege	2576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2576	msiexec.exe
Token: SeChangeNotifyPrivilege	2576	msiexec.exe
Token: SeRemoteShutdownPrivilege	2576	msiexec.exe
Token: SeUndockPrivilege	2576	msiexec.exe
Token: SeSyncAgentPrivilege	2576	msiexec.exe
Token: SeEnableDelegationPrivilege	2576	msiexec.exe
Token: SeManageVolumePrivilege	2576	msiexec.exe
Token: SeImpersonatePrivilege	2576	msiexec.exe
Token: SeCreateGlobalPrivilege	2576	msiexec.exe
Token: SeBackupPrivilege	4764	vssvc.exe
Token: SeRestorePrivilege	4764	vssvc.exe
Token: SeAuditPrivilege	4764	vssvc.exe
Token: SeBackupPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2576 msiexec.exe
2576 msiexec.exe

pid	process
2576	msiexec.exe
2576	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4728 wrote to memory of 1104	4728	msiexec.exe	srtasks.exe
PID 4728 wrote to memory of 1104	4728	msiexec.exe	srtasks.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Suricata-6.0.6-1-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
2KB

MD5
9b6aa6b016605338fb3cd2008b29ba2f

SHA1
d25f576eb5ff15f96689fc7895cef0381ba2a765

SHA256
8be33bfe5ed298c9b38c4c38d3995465d303b8c987d6744b4c41857872471d72

SHA512
bb2a63d9332033b31940368876d30096786b5c487716693e89ed188f9c0676eb23b3440b4f7bca4c35cb51774e21df7bd2c4e8b136e2ea8bb5d3b145c78e595b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
edcd4c783b2b2c906602519bd8f697f4

SHA1
fc56fded4065d6960c6507cac4264dfd2b038004

SHA256
367e0ac4e24f1d1530de05a6abf81d6b572c0546b5aa134c246fa1514582fd90

SHA512
cb23a82c06211121e39ed0dbec5928b1a85aca7c25f2c060d609350e3a94bf82e9159a2a4d5e67295fc29bac22c95d525ea2461a0000d24c6c4cb630520f68d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
Filesize
510B

MD5
b19ef5487c354b415d4ebaf3d57908fb

SHA1
997e76d19fb386dac3d16aeab96cabdb9a07952f

SHA256
dfb737aafdf4d1fd4484cf6c83cf72a242d15650e792258de22c16df5dc453fa

SHA512
7fb06d23e0063c2c658ddb0cd5c50518b93e814c50839da5f4adb4e26b628be677402ebcd9e25576df2a927f233dbb1a244398f4683421d2fa3044dae85aa9d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
488B

MD5
fecf3280d167d121a01a14366f78ecaf

SHA1
42b6c854c83785d963363979548c4300e3e3d86e

SHA256
66a833499fd8b511f34e57132b56569f19cea05b232db2114cedf451ca360284

SHA512
176bef0c156597bae311f365f0f01bd9a81131902891ec7c381f8d97c76021eb2ce6c9abacb46bf21c40917e2dbe140f80155e1a258773599abda05f5158c6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
709d1868321ce261266e12fe2146f64e

SHA1
451811cee2f22990b06859ae9e9baf6b32ea2203

SHA256
ee17bd1d176697a731e47bc9e32316c0d807e1df369ce6e510ebfb4ce0e7dab7

SHA512
bb18bb9e28b1fd2ec856f92578cd389c937343d9e8b02d16afbce6d20cd038dc982a00dbd2ea52d91cbfa6f88de5c3ddd3072b862c279415aa518a698f48c79b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
Filesize
484B

MD5
c17bb901a82aa34fec37eb4631532e82

SHA1
884673cf6ccf013f405a372019f36c34f185fe93

SHA256
f4c8851be8446cdd66653d78075b83983f0f10eccd35961c9119e725c4fda492

SHA512
70010d85b72e0c982ed2d3bc2453859e38bf8481e53f6883777ca8e6260f8f0605bc2c59541ab04f4d450511b62f188a4a6a9df5ceb25a26569393ed05bb1398

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
22.8MB

MD5
7fc58ecf66e05cb17b240624b4212719

SHA1
8ed0ca8d5b2e75be764e4940edef5d8237f511e6

SHA256
408685b55cd639a8eeb4edb8c69b1149ebd4013c3b1f3b4ec6a78ad9f502d3ff

SHA512
9d57f575528e7c884278e37917b6ac066d44f1258808e3cca00636f417044ef325388a3168b1a3ff73536363dcfee3a45338e01b772aac0036a9d8013b0408f0

Download Submit
\??\Volume{420c8c0f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5263609f-bf81-4904-b4dc-9266ea906c88}_OnDiskSnapshotProp
Filesize
5KB

MD5
6cf993ce226a07361a730146bee5ef07

SHA1
6b093200f70d69cbf6221b8a6dfb65379e1b5356

SHA256
45d463fc7b55ac5ccf9bd166500e2bc5e312970c4c750aa25d32b6cddfd7a72c

SHA512
57f767755caf2669ccdf126579820cd6d8f3f64ff1128bdf07c28abbb9b41daeab59cc7efd456b43a5795c71410ec09e8997a1252383e7c2c3e35845fa4b69bd

Download Submit
memory/1104-119-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads