Analysis
- max time kernel: 85s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-09-2022 12:29
Behavioral tasks
- behavioral1: sample Suricata-6.0.6-1-64bit.msi, resource win7-20220812-en
- behavioral2: sample Suricata-6.0.6-1-64bit.msi, resource win10-20220812-en
- behavioral3: sample Suricata-6.0.6-1-64bit.msi, resource win10v2004-20220812-en
General
- Target: Suricata-6.0.6-1-64bit.msi
- Size: 22.6MB
- MD5: 8b9258c77ca6bebff5a0cbf116c02129
- SHA1: 750ecdf0c3d3b63ae0f5d3f753731345e59caedc
- SHA256: ce545bb7539dd09990bc9cf9d8a78492124d6a132f9d86d0b5fa60c0ae4186b2
- SHA512: cd1a0847d70497c4abe2a7d538d0b13461806250340158677c9f5de9258ef99ec625c5366a853a05d8809dcb7c1dd616c2cdcb249a25fb20bfcd995198f69219
- SSDEEP: 393216:Zv+Pjv1e3OWSr1hE0UElR69nfSbkC5ZUnD8+2QZpmRuqzQbtitLPEjTJ1YkfFnJt:ZAsOWn+6UhZM8+Bm4qzQpUbKT6
Malware Config
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
  - flow 5, pid 2636, msiexec.exe
  - flow 7, pid 2636, msiexec.exe
  - flow 9, pid 2636, msiexec.exe
  - flow 11, pid 2636, msiexec.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter other than C: and D:, each opened twice, 48 events in total)
- Drops file in Program Files directory (43 IoCs)
  Process: msiexec.exe
  Files created under C:\Program Files\Suricata\ (25): libyaml-0-2.dll, zlib1.dll, batch.bat, HOW_TO_Windows.pdf, libwinpthread-1.dll, lua54.dll, magic.mgc, msvcrt.dll, libpcre-1.dll, suricata.exe, liblzma-5.dll, libssp-0.dll, reference.config, libplc4.dll, nssutil3.dll, libnspr4.dll, classification.config, libGeoIP-1.dll, libmaxminddb-0.dll, LICENSE, nss3.dll, libjansson-4.dll, suricata.yaml, liblz4.dll, libplds4.dll
  Files created under C:\Program Files\Suricata\rules\ (18): mqtt-events.rules, smtp-events.rules, decoder-events.rules, dnp3-events.rules, stream-events.rules, http-events.rules, ntp-events.rules, dhcp-events.rules, ipsec-events.rules, kerberos-events.rules, modbus-events.rules, app-layer-events.rules, files.rules, http2-events.rules, smb-events.rules, nfs-events.rules, tls-events.rules, dns-events.rules
- Drops file in Windows directory (8 IoCs)
  Process: msiexec.exe
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File created: C:\Windows\Installer\SourceHash{42AB4288-8940-4B7D-97E2-75901A1D188F}
  - File opened for modification: C:\Windows\Installer\MSI68DC.tmp
  - File created: C:\Windows\Installer\e5766ab.msi
  - File created: C:\Windows\Installer\e5766a9.msi
  - File opened for modification: C:\Windows\Installer\e5766a9.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: vssvc.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary data, not shown)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = (binary data, not shown)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 2700 msiexec.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe
  - pid 2636 msiexec.exe (31 events), in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - pid 2700 msiexec.exe (30 events), in order: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, then SeTakeOwnershipPrivilege and SeRestorePrivilege alternating (13 pairs, 26 events)
  - pid 3248 vssvc.exe (3 events), in order: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: pid 2636 msiexec.exe (2 events)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Process: msiexec.exe
  - PID 2700 (msiexec.exe) wrote to memory of PID 2920 (srtasks.exe)
  - PID 2700 (msiexec.exe) wrote to memory of PID 2920 (srtasks.exe)
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Suricata-6.0.6-1-64bit.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
  Filesize: 2KB
  MD5: 9b6aa6b016605338fb3cd2008b29ba2f
  SHA1: d25f576eb5ff15f96689fc7895cef0381ba2a765
  SHA256: 8be33bfe5ed298c9b38c4c38d3995465d303b8c987d6744b4c41857872471d72
  SHA512: bb2a63d9332033b31940368876d30096786b5c487716693e89ed188f9c0676eb23b3440b4f7bca4c35cb51774e21df7bd2c4e8b136e2ea8bb5d3b145c78e595b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 1KB
  MD5: edcd4c783b2b2c906602519bd8f697f4
  SHA1: fc56fded4065d6960c6507cac4264dfd2b038004
  SHA256: 367e0ac4e24f1d1530de05a6abf81d6b572c0546b5aa134c246fa1514582fd90
  SHA512: cb23a82c06211121e39ed0dbec5928b1a85aca7c25f2c060d609350e3a94bf82e9159a2a4d5e67295fc29bac22c95d525ea2461a0000d24c6c4cb630520f68d0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
  Filesize: 510B
  MD5: b19ef5487c354b415d4ebaf3d57908fb
  SHA1: 997e76d19fb386dac3d16aeab96cabdb9a07952f
  SHA256: dfb737aafdf4d1fd4484cf6c83cf72a242d15650e792258de22c16df5dc453fa
  SHA512: 7fb06d23e0063c2c658ddb0cd5c50518b93e814c50839da5f4adb4e26b628be677402ebcd9e25576df2a927f233dbb1a244398f4683421d2fa3044dae85aa9d2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
  Filesize: 488B
  MD5: c03c05601d7856fc86af7638185612f8
  SHA1: f137ae6693ecd0f826e75fd97b381d112d58a27b
  SHA256: 9937519cd7cfbd43fba4bb450370d0bf65b1d76e61547c983d0b3c244d9f69e4
  SHA512: 1f4e5d63537c34002183ad523ac412e938d83f30e19242664605fc5bd38d406698ce4a6453009f4ed047d4bd71860cc2ca8c8e95010694798293e57b4c8b469f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  Filesize: 482B
  MD5: 80d781bdb81bd786fa2fc31f7d569275
  SHA1: f14ea18c3f8a95c79d8bfe09259df4e0384be403
  SHA256: 274eecc34dd048f74a56c58184a8aebdac204350a4b71e30205bd80b5441a0c0
  SHA512: 406eea695d262d19743600f5965d4fb23e505fdf3c64c22d89c5acd3d023d8968f4c8a52404fdbcf5d218dd97dfcd8767a95c7a9713836c1c57b8d9c66f08115
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_5A754446CB863DF3C298CB4E94FD802E
  Filesize: 484B
  MD5: c62bd5d0bed5b46b2618065ea4587919
  SHA1: 839b91db7d9b3fd577459f2225fd7b8abcab8f44
  SHA256: 7ba1f5d6dcc0d79d178239bee94a6654b5e6307ac481118e10b8889450f27b4b
  SHA512: 5b336fe13eed205cb11f9e8e69edeaf53528f3977690d479278ffd1a6fbd29fc3e251258516ee32b0a73125e6b52ae14a1855ccb5800fe171276127b480c5f83
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 04a85a5f4d67f4b92eafd2992839f010
  SHA1: 22e87b9792320cdff35f11931bf073be54e45e26
  SHA256: 3e50e8d9ff38e485231881589bd287b7e4c20d05c88867662dc7a2c6e3d0a290
  SHA512: 8626cf8b3a7228ba58c7c71bdbb71cd2aed2f77b56bc47d21708da058bbadfaca1dff061ca47d317824f166f3d2f17d7402f923874621011a9f2aac846c97c4b
- \??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b24d8b78-cba0-47ca-94f0-aa683bf2ce16}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 0a4a844eb86501738523ea4e5fb332e7
  SHA1: 54cf4fa9d654ce4fda799e385971254cb49d5b8c
  SHA256: 4f4e8fb4740f190bf498cccd9958f426c5da069a69d434a9e1d899a258fbb1e6
  SHA512: 59ed8af1a7b43f53fa9d871fc432ba6bd9ba0b992ee64579d82577ca62bb21d7332f0769450e1fbcbb1adf61c527d58559598def8650b16c1288f6b20408e773
- memory/2920-132-0x0000000000000000-mapping.dmp