Analysis

  • max time kernel
    229s
  • max time network
    290s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/03/2025, 13:52

General

  • Target

    SuperViewer Installer/Volume/bin/p25/mkl64.msi

  • Size

    1.1MB

  • MD5

    13a5f0b1864ed36a5bd09b4d3b364dd3

  • SHA1

    987ef2579f446fb0756c42cca92130619431cf2a

  • SHA256

    1f18b174d921e9b745919e13f6f5c14caec276c5b1869be50419c2ddf07bbbc8

  • SHA512

    a2e645eb54193b172205dd34c4aca55dddcb351011ec0abe9ed80af9a8b745bae2ceaaf95223d0eac320bf33ff573df06b46d00dabf3d8e28624cddc8bb265e5

  • SSDEEP

    24576:tFatvZo/3G1L4U+TQNxshTK+63S3ZgTqGgeSZUf/:tFatvF+C2PJg6Uf

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 19 IoCs
  • Loads dropped DLL 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p25\mkl64.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3EFC41D5E03111F89BC566913CAAE818 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4676
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5984
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1FB89D83DACAA7D4CDD089A7378241A2
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4532
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:1900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58413b.rbs

      Filesize

      9KB

      MD5

      fce58db63af58f79e08d1c207538d740

      SHA1

      14b3cf7dc2978010163024c3dc1d85b28f2ae167

      SHA256

      40809216d993aed847342d6aed841e56f41a3052fde90c9df42511a734c0875d

      SHA512

      a409cf677f42b4041be5a01d8520ed5be3a50ddd9358309eca04cf4cbcc6f1556db9392bed53db9e4bc0d72177efb2ba22f3a582dd980068ffd5b04997f353de

    • C:\Users\Admin\AppData\Local\Temp\MSIAA0B.tmp

      Filesize

      639KB

      MD5

      c6417930af8969f9f2cb431acd76ec89

      SHA1

      d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

      SHA256

      1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

      SHA512

      f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.6MB

      MD5

      8961ac8d22390d57a3abfe3ab53c6f31

      SHA1

      0ce40c497f8ea7042acc10449934cbf889f6ff20

      SHA256

      f1321fed11100ef3b837f8c0759363945fd2e57c38b135d636f2278831329349

      SHA512

      f7063cb0b20c78b31d334f282b11d510bba0d3ae726c2565678df48e032dbe026579d66f3841d8c864fce0b682f8f1cd2847da6bdafe07071a7bcb39e699f96a

    • \??\Volume{365369b0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f431f795-3def-4636-a549-4deb0a287d37}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      cbc2907926c01c0a1e43855597fbee8b

      SHA1

      82140e4faeb81c093da487728fcafd16f3d02340

      SHA256

      273b83196a1a0ef051927c208979c3517639f8038a0dd8ef8055a2e99c8adadc

      SHA512

      bde94bf446688fbf1732760bc7d157216f9b3b1f30cb91d7a25084463519ff7bd4f3a37cf65ed08cf6d7ddc76943640302da0f238da322fa7e04b972df9363ac