Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2024, 20:03

Static task: static1

Behavioral task: behavioral1
Sample: SurfsharkSetup.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: SurfsharkSetup.exe
Resource: win10v2004-20240426-en
General
Target: SurfsharkSetup.exe
Size: 67.7MB
MD5: 77b6871672fc1d2889727c59561929a5
SHA1: 3c7a82ead916320b9d9a811a42e1f351f23a0fab
SHA256: 6fd046161cbc348e88750cc1f896308b56015192870530add24be07ae5b180db
SHA512: 8e72cea21bd17882c33f3e96c972bbb3978ca175ac2335109294d136927e816671c9b6ac2f194734eebf70eb5b919292b64e26042a8fb00b51f5e33580e0588d
SSDEEP: 1572864:xnB8SZ7Acgu3ORmu7B2G/COpjXfxwQkR7JpE4kI3nUx+WPnvtv+:xnB7ZEueAW2KZpjXJwQkRJ+4n3nqHPZ+
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid | Process
2036 | SurfsharkSetup.exe
2016 | MsiExec.exe
2016 | MsiExec.exe
2016 | MsiExec.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | SurfsharkSetup.exe
File opened (read-only) | \??\M: | SurfsharkSetup.exe
File opened (read-only) | \??\R: | SurfsharkSetup.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\J: | SurfsharkSetup.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | SurfsharkSetup.exe
File opened (read-only) | \??\U: | SurfsharkSetup.exe
File opened (read-only) | \??\V: | SurfsharkSetup.exe
File opened (read-only) | \??\X: | SurfsharkSetup.exe
File opened (read-only) | \??\Z: | SurfsharkSetup.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\G: | SurfsharkSetup.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | SurfsharkSetup.exe
File opened (read-only) | \??\I: | SurfsharkSetup.exe
File opened (read-only) | \??\O: | SurfsharkSetup.exe
File opened (read-only) | \??\P: | SurfsharkSetup.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | SurfsharkSetup.exe
File opened (read-only) | \??\N: | SurfsharkSetup.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | SurfsharkSetup.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | SurfsharkSetup.exe
File opened (read-only) | \??\L: | SurfsharkSetup.exe
File opened (read-only) | \??\S: | SurfsharkSetup.exe
File opened (read-only) | \??\W: | SurfsharkSetup.exe
File opened (read-only) | \??\Y: | SurfsharkSetup.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | SurfsharkSetup.exe
File opened (read-only) | \??\X: | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2016 | MsiExec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1072 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1072 | msiexec.exe
Token: SeSecurityPrivilege | 1072 | msiexec.exe
Token: SeCreateTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeAssignPrimaryTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeLockMemoryPrivilege | 2036 | SurfsharkSetup.exe
Token: SeIncreaseQuotaPrivilege | 2036 | SurfsharkSetup.exe
Token: SeMachineAccountPrivilege | 2036 | SurfsharkSetup.exe
Token: SeTcbPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSecurityPrivilege | 2036 | SurfsharkSetup.exe
Token: SeTakeOwnershipPrivilege | 2036 | SurfsharkSetup.exe
Token: SeLoadDriverPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemProfilePrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemtimePrivilege | 2036 | SurfsharkSetup.exe
Token: SeProfSingleProcessPrivilege | 2036 | SurfsharkSetup.exe
Token: SeIncBasePriorityPrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreatePagefilePrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreatePermanentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeBackupPrivilege | 2036 | SurfsharkSetup.exe
Token: SeRestorePrivilege | 2036 | SurfsharkSetup.exe
Token: SeShutdownPrivilege | 2036 | SurfsharkSetup.exe
Token: SeDebugPrivilege | 2036 | SurfsharkSetup.exe
Token: SeAuditPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemEnvironmentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeChangeNotifyPrivilege | 2036 | SurfsharkSetup.exe
Token: SeRemoteShutdownPrivilege | 2036 | SurfsharkSetup.exe
Token: SeUndockPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSyncAgentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeEnableDelegationPrivilege | 2036 | SurfsharkSetup.exe
Token: SeManageVolumePrivilege | 2036 | SurfsharkSetup.exe
Token: SeImpersonatePrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreateGlobalPrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreateTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeAssignPrimaryTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeLockMemoryPrivilege | 2036 | SurfsharkSetup.exe
Token: SeIncreaseQuotaPrivilege | 2036 | SurfsharkSetup.exe
Token: SeMachineAccountPrivilege | 2036 | SurfsharkSetup.exe
Token: SeTcbPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSecurityPrivilege | 2036 | SurfsharkSetup.exe
Token: SeTakeOwnershipPrivilege | 2036 | SurfsharkSetup.exe
Token: SeLoadDriverPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemProfilePrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemtimePrivilege | 2036 | SurfsharkSetup.exe
Token: SeProfSingleProcessPrivilege | 2036 | SurfsharkSetup.exe
Token: SeIncBasePriorityPrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreatePagefilePrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreatePermanentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeBackupPrivilege | 2036 | SurfsharkSetup.exe
Token: SeRestorePrivilege | 2036 | SurfsharkSetup.exe
Token: SeShutdownPrivilege | 2036 | SurfsharkSetup.exe
Token: SeDebugPrivilege | 2036 | SurfsharkSetup.exe
Token: SeAuditPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSystemEnvironmentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeChangeNotifyPrivilege | 2036 | SurfsharkSetup.exe
Token: SeRemoteShutdownPrivilege | 2036 | SurfsharkSetup.exe
Token: SeUndockPrivilege | 2036 | SurfsharkSetup.exe
Token: SeSyncAgentPrivilege | 2036 | SurfsharkSetup.exe
Token: SeEnableDelegationPrivilege | 2036 | SurfsharkSetup.exe
Token: SeManageVolumePrivilege | 2036 | SurfsharkSetup.exe
Token: SeImpersonatePrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreateGlobalPrivilege | 2036 | SurfsharkSetup.exe
Token: SeCreateTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeAssignPrimaryTokenPrivilege | 2036 | SurfsharkSetup.exe
Token: SeLockMemoryPrivilege | 2036 | SurfsharkSetup.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
PID 1072 wrote to memory of 2016 | 1072 | msiexec.exe | 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SurfsharkSetup.exe"
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
-
    C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 159FA0A359CEDC224366AD2731D94276 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
-
Network
MITRE ATT&CK Enterprise v15
Downloads