Overview

overview

7

Static

static

3

SuperViewe...th.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...rl.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...TE.msi

windows11-21h2-x64

6

SuperViewe...XT.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...rt.msi

windows11-21h2-x64

6

SuperViewe...or.exe

windows11-21h2-x64

3

SuperViewe...er.msi

windows11-21h2-x64

6

SuperViewe...er.msi

windows11-21h2-x64

6

SuperViewe...re.msi

windows11-21h2-x64

6

SuperViewe...er.exe

windows11-21h2-x64

3

SuperViewe...64.exe

windows11-21h2-x64

7

SuperViewe...86.exe

windows11-21h2-x64

7

SuperViewe...ex.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...kl.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...os.msi

windows11-21h2-x64

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...es.msi

windows11-21h2-x64

6

SuperViewe...et.msi

windows11-21h2-x64

6

SuperViewe...me.msi

windows11-21h2-x64

SuperViewe...ph.msi

windows11-21h2-x64

6

SuperViewe...ls.msi

windows11-21h2-x64

6

SuperViewe...pp.msi

windows11-21h2-x64

6

SuperViewe...rk.msi

windows11-21h2-x64

6

SuperViewe...it.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...ne.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    220s
  • max time network
    279s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/03/2025, 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SuperViewer Installer/Volume/bin/p20/activex64.msi

  • Size

    1.1MB

  • MD5

    d6dac71061c0dcd7c3051db051e9ac6a

  • SHA1

    ded20bb6293bc88e9fa8df75399e721c716945df

  • SHA256

    d8d87ddda62473108468170340b6624699b9952f278bc7db69296c081320be09

  • SHA512

    028864d0c43d1e3b6b163405cd60e6f6cd8812ada09a5aa13f82a83d6fe386952acd3c11f16a1ab689b83ef8d5da8d3f4b2fff4a1b14d64eb6763a3f2339aa3c

  • SSDEEP

    24576:st6nFJo/3G1yQ+TQNxshTK+63S3ZgTqGgeSZUf/:st6nF1mC2PJg6Uf

Score
6/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 19 IoCs
  • Loads dropped DLL 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p20\activex64.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1520
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 177750B080B3F4C7E2E3B9B13504F1CF C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3088
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4608
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 116BEDD5C65A973ED796C59E7A985D59
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2288
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e5859f3.rbs
      Filesize

      14KB

      MD5

      4a7bc5d09a8998e0b72a7b7278cad7a3

      SHA1

      25b2e05aa5df1ceccf024a8e77083b54df81c5c9

      SHA256

      2190dcda440961faf37db89b30933c31bcad870700cc4deb04ab8070e8342fe1

      SHA512

      1a7c0c876fc7b6c9f333de5b52f45aadfb2068f950abcea9327e835b53af0c0d08575d045c6d7f33b825ba7c170989fc8cdb47df77473a98b1ad7e3b11e7cf8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBE5E.tmp
      Filesize

      639KB

      MD5

      c6417930af8969f9f2cb431acd76ec89

      SHA1

      d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

      SHA256

      1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

      SHA512

      f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.6MB

      MD5

      0d2d928fa9282b3f98ad6c6488bd7ff5

      SHA1

      f0dbac92ed09c9904410ced54308bf3730642dc3

      SHA256

      763a938b96ca069cb90125520c9db8f73dc6626a792c70b6fd15e26564fb2384

      SHA512

      3b2d50ec67f4682e8d2428316787ea12c872679930866e7b3d6f19a493318d47b9cfedfa99d7f8e8a3a602ec87398823a3ada0bd88feb17d832101b45bb3776f

      Download Submit

    • \??\Volume{4fff9cb4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8ec32bfc-c4a3-44bb-bc90-57eba47a1059}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      4f9d132623e5a2e40f7c29b28d344ac1

      SHA1

      a56c4d6a2f8bc02d19c6b31e517110c8a92c7593

      SHA256

      6ee200569fc2ba3112fa811ab193592dfae6de74975d7b4aea2e3769ec808778

      SHA512

      01670da73ebb13ca1bbf7e38a16b87e46aab09112cc641f0c31c825da8d6263b68cbe2e308cbf89d9ad89013498364aa2dcda73f61fabbde11724d6142d22931

      Download Submit