Analysis
Max time kernel: 120s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20230712-en
Resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
Submitted: 21/08/2023, 08:56
Static task: static1
Behavioral task: behavioral1
  Sample: SurfsharkSetup.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: SurfsharkSetup.exe
  Resource: win10v2004-20230703-en
General
Target: SurfsharkSetup.exe
Size: 79.7MB
MD5: 3028700f95a268d60f731443ef852655
SHA1: acc227ccc5b20204db536b613d4292bca5089492
SHA256: 2543b1c4d3d54b0924254f1955016cc486da2d16422a746044e42ef6a99cfcdf
SHA512: 928bce3e039cabab4d5ecbdc5c0d4608bb4f49e72214721485c34a12447cd4062861e078c073bbfac078457ba22800e65e1f3dee8bfed99a2bc8e73169c29301
SSDEEP: 1572864:ZgPjcoauZ8GfGbGexUyivvc1+RZXkF1nCPyQK+AD1tWIn1k7cyUTgwgsFdTR/y+:ZqjF/Z88OxULkSKyj161tH1k7DAzFdTl
Malware Config
Signatures
- Loads dropped DLL (3 IoCs)
  pid   Process
  2828  SurfsharkSetup.exe
  1648  MsiExec.exe
  1648  MsiExec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process      procid_target
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
  PID 2532 wrote to memory of 1648   2532  msiexec.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup.exe"
  PID: 2828
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2532
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D003718E59A8C038816EBA657628D0C9 C
    PID: 1648
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads