ce545bb7539dd09990bc9cf9d8a78492124d6a132f9d86d0b5fa60c0ae4186b2

General

Target

Suricata-6.0.6-1-64bit.msi
Size

22.6MB
MD5

8b9258c77ca6bebff5a0cbf116c02129
SHA1

750ecdf0c3d3b63ae0f5d3f753731345e59caedc
SHA256

ce545bb7539dd09990bc9cf9d8a78492124d6a132f9d86d0b5fa60c0ae4186b2
SHA512

cd1a0847d70497c4abe2a7d538d0b13461806250340158677c9f5de9258ef99ec625c5366a853a05d8809dcb7c1dd616c2cdcb249a25fb20bfcd995198f69219
SSDEEP

393216:Zv+Pjv1e3OWSr1hE0UElR69nfSbkC5ZUnD8+2QZpmRuqzQbtitLPEjTJ1YkfFnJt:ZAsOWn+6UhZM8+Bm4qzQpUbKT6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

5 2636 msiexec.exe
7 2636 msiexec.exe
9 2636 msiexec.exe
11 2636 msiexec.exe

flow	pid	process
5	2636	msiexec.exe
7	2636	msiexec.exe
9	2636	msiexec.exe
11	2636	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 43 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\Suricata\libyaml-0-2.dll	msiexec.exe
File created	C:\Program Files\Suricata\zlib1.dll	msiexec.exe
File created	C:\Program Files\Suricata\batch.bat	msiexec.exe
File created	C:\Program Files\Suricata\HOW_TO_Windows.pdf	msiexec.exe
File created	C:\Program Files\Suricata\libwinpthread-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\lua54.dll	msiexec.exe
File created	C:\Program Files\Suricata\magic.mgc	msiexec.exe
File created	C:\Program Files\Suricata\rules\mqtt-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\msvcrt.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\smtp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\decoder-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\dnp3-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\libpcre-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\stream-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\suricata.exe	msiexec.exe
File created	C:\Program Files\Suricata\rules\http-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\liblzma-5.dll	msiexec.exe
File created	C:\Program Files\Suricata\libssp-0.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\ntp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\reference.config	msiexec.exe
File created	C:\Program Files\Suricata\rules\dhcp-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\libplc4.dll	msiexec.exe
File created	C:\Program Files\Suricata\nssutil3.dll	msiexec.exe
File created	C:\Program Files\Suricata\libnspr4.dll	msiexec.exe
File created	C:\Program Files\Suricata\classification.config	msiexec.exe
File created	C:\Program Files\Suricata\libGeoIP-1.dll	msiexec.exe
File created	C:\Program Files\Suricata\libmaxminddb-0.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\ipsec-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\kerberos-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\LICENSE	msiexec.exe
File created	C:\Program Files\Suricata\rules\modbus-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\nss3.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\app-layer-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\files.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\http2-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\smb-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\libjansson-4.dll	msiexec.exe
File created	C:\Program Files\Suricata\rules\nfs-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\rules\tls-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\suricata.yaml	msiexec.exe
File created	C:\Program Files\Suricata\rules\dns-events.rules	msiexec.exe
File created	C:\Program Files\Suricata\liblz4.dll	msiexec.exe
File created	C:\Program Files\Suricata\libplds4.dll	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{42AB4288-8940-4B7D-97E2-75901A1D188F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68DC.tmp	msiexec.exe
File created	C:\Windows\Installer\e5766ab.msi	msiexec.exe
File created	C:\Windows\Installer\e5766a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5766a9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2700 msiexec.exe
2700 msiexec.exe

pid	process
2700	msiexec.exe
2700	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeCreateTokenPrivilege	2636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2636	msiexec.exe
Token: SeLockMemoryPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeMachineAccountPrivilege	2636	msiexec.exe
Token: SeTcbPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeLoadDriverPrivilege	2636	msiexec.exe
Token: SeSystemProfilePrivilege	2636	msiexec.exe
Token: SeSystemtimePrivilege	2636	msiexec.exe
Token: SeProfSingleProcessPrivilege	2636	msiexec.exe
Token: SeIncBasePriorityPrivilege	2636	msiexec.exe
Token: SeCreatePagefilePrivilege	2636	msiexec.exe
Token: SeCreatePermanentPrivilege	2636	msiexec.exe
Token: SeBackupPrivilege	2636	msiexec.exe
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeDebugPrivilege	2636	msiexec.exe
Token: SeAuditPrivilege	2636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2636	msiexec.exe
Token: SeChangeNotifyPrivilege	2636	msiexec.exe
Token: SeRemoteShutdownPrivilege	2636	msiexec.exe
Token: SeUndockPrivilege	2636	msiexec.exe
Token: SeSyncAgentPrivilege	2636	msiexec.exe
Token: SeEnableDelegationPrivilege	2636	msiexec.exe
Token: SeManageVolumePrivilege	2636	msiexec.exe
Token: SeImpersonatePrivilege	2636	msiexec.exe
Token: SeCreateGlobalPrivilege	2636	msiexec.exe
Token: SeBackupPrivilege	3248	vssvc.exe
Token: SeRestorePrivilege	3248	vssvc.exe
Token: SeAuditPrivilege	3248	vssvc.exe
Token: SeBackupPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2636 msiexec.exe
2636 msiexec.exe

pid	process
2636	msiexec.exe
2636	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2700 wrote to memory of 2920	2700	msiexec.exe	srtasks.exe
PID 2700 wrote to memory of 2920	2700	msiexec.exe	srtasks.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Suricata-6.0.6-1-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
2KB

MD5
9b6aa6b016605338fb3cd2008b29ba2f

SHA1
d25f576eb5ff15f96689fc7895cef0381ba2a765

SHA256
8be33bfe5ed298c9b38c4c38d3995465d303b8c987d6744b4c41857872471d72

SHA512
bb2a63d9332033b31940368876d30096786b5c487716693e89ed188f9c0676eb23b3440b4f7bca4c35cb51774e21df7bd2c4e8b136e2ea8bb5d3b145c78e595b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
edcd4c783b2b2c906602519bd8f697f4

SHA1
fc56fded4065d6960c6507cac4264dfd2b038004

SHA256
367e0ac4e24f1d1530de05a6abf81d6b572c0546b5aa134c246fa1514582fd90

SHA512
cb23a82c06211121e39ed0dbec5928b1a85aca7c25f2c060d609350e3a94bf82e9159a2a4d5e67295fc29bac22c95d525ea2461a0000d24c6c4cb630520f68d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
Filesize
510B

MD5
b19ef5487c354b415d4ebaf3d57908fb

SHA1
997e76d19fb386dac3d16aeab96cabdb9a07952f

SHA256
dfb737aafdf4d1fd4484cf6c83cf72a242d15650e792258de22c16df5dc453fa

SHA512
7fb06d23e0063c2c658ddb0cd5c50518b93e814c50839da5f4adb4e26b628be677402ebcd9e25576df2a927f233dbb1a244398f4683421d2fa3044dae85aa9d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
Filesize
488B

MD5
c03c05601d7856fc86af7638185612f8

SHA1
f137ae6693ecd0f826e75fd97b381d112d58a27b

SHA256
9937519cd7cfbd43fba4bb450370d0bf65b1d76e61547c983d0b3c244d9f69e4

SHA512
1f4e5d63537c34002183ad523ac412e938d83f30e19242664605fc5bd38d406698ce4a6453009f4ed047d4bd71860cc2ca8c8e95010694798293e57b4c8b469f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
80d781bdb81bd786fa2fc31f7d569275

SHA1
f14ea18c3f8a95c79d8bfe09259df4e0384be403

SHA256
274eecc34dd048f74a56c58184a8aebdac204350a4b71e30205bd80b5441a0c0

SHA512
406eea695d262d19743600f5965d4fb23e505fdf3c64c22d89c5acd3d023d8968f4c8a52404fdbcf5d218dd97dfcd8767a95c7a9713836c1c57b8d9c66f08115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
Filesize
484B

MD5
c62bd5d0bed5b46b2618065ea4587919

SHA1
839b91db7d9b3fd577459f2225fd7b8abcab8f44

SHA256
7ba1f5d6dcc0d79d178239bee94a6654b5e6307ac481118e10b8889450f27b4b

SHA512
5b336fe13eed205cb11f9e8e69edeaf53528f3977690d479278ffd1a6fbd29fc3e251258516ee32b0a73125e6b52ae14a1855ccb5800fe171276127b480c5f83

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
04a85a5f4d67f4b92eafd2992839f010

SHA1
22e87b9792320cdff35f11931bf073be54e45e26

SHA256
3e50e8d9ff38e485231881589bd287b7e4c20d05c88867662dc7a2c6e3d0a290

SHA512
8626cf8b3a7228ba58c7c71bdbb71cd2aed2f77b56bc47d21708da058bbadfaca1dff061ca47d317824f166f3d2f17d7402f923874621011a9f2aac846c97c4b

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b24d8b78-cba0-47ca-94f0-aa683bf2ce16}_OnDiskSnapshotProp
Filesize
5KB

MD5
0a4a844eb86501738523ea4e5fb332e7

SHA1
54cf4fa9d654ce4fda799e385971254cb49d5b8c

SHA256
4f4e8fb4740f190bf498cccd9958f426c5da069a69d434a9e1d899a258fbb1e6

SHA512
59ed8af1a7b43f53fa9d871fc432ba6bd9ba0b992ee64579d82577ca62bb21d7332f0769450e1fbcbb1adf61c527d58559598def8650b16c1288f6b20408e773

Download Submit
memory/2920-132-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads