Tasks (score, truncated sample name, platform):
- 3 | SuperViewe...th.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...rl.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...TE.msi | windows11-21h2-x64
- 6 | SuperViewe...XT.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...rt.msi | windows11-21h2-x64
- 6 | SuperViewe...or.exe | windows11-21h2-x64
- 3 | SuperViewe...er.msi | windows11-21h2-x64
- 6 | SuperViewe...er.msi | windows11-21h2-x64
- 6 | SuperViewe...re.msi | windows11-21h2-x64
- 6 | SuperViewe...er.exe | windows11-21h2-x64
- 3 | SuperViewe...64.exe | windows11-21h2-x64
- 7 | SuperViewe...86.exe | windows11-21h2-x64
- 7 | SuperViewe...ex.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...kl.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...os.msi | windows11-21h2-x64
- (no score) | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...es.msi | windows11-21h2-x64
- 6 | SuperViewe...et.msi | windows11-21h2-x64
- 6 | SuperViewe...me.msi | windows11-21h2-x64
- (no score) | SuperViewe...ph.msi | windows11-21h2-x64
- 6 | SuperViewe...ls.msi | windows11-21h2-x64
- 6 | SuperViewe...pp.msi | windows11-21h2-x64
- 6 | SuperViewe...rk.msi | windows11-21h2-x64
- 6 | SuperViewe...it.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
- 6 | SuperViewe...ne.msi | windows11-21h2-x64
- 6 | SuperViewe...64.msi | windows11-21h2-x64
Analysis (score 6)
- max time kernel: 227s
- max time network: 187s
- platform: windows11-21h2_x64
- resource: win11-20250313-en
- resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/03/2025, 13:52
Behavioral tasks (task: sample, resource):
- behavioral1: SuperViewer Installer/Volume/bin/p15/niauth.msi (win11-20250313-en)
- behavioral2: SuperViewer Installer/Volume/bin/p15/niauth64.msi (win11-20250313-en)
- behavioral3: SuperViewer Installer/Volume/bin/p16/nicurl.msi (win11-20250313-en)
- behavioral4: SuperViewer Installer/Volume/bin/p16/nicurl64.msi (win11-20250313-en)
- behavioral5: SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi (win11-20250313-en)
- behavioral6: SuperViewer Installer/Volume/bin/p18/LogosXT.msi (win11-20250313-en)
- behavioral7: SuperViewer Installer/Volume/bin/p18/LogosXT64.msi (win11-20250313-en)
- behavioral8: SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi (win11-20250313-en)
- behavioral9: SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe (win11-20250313-en)
- behavioral10: SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi (win11-20250313-en)
- behavioral11: SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi (win11-20250313-en)
- behavioral12: SuperViewer Installer/Volume/bin/p2/VC2015Core.msi (win11-20250313-en)
- behavioral13: SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe (win11-20250314-en)
- behavioral14: SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe (win11-20250313-en)
- behavioral15: SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe (win11-20250313-en)
- behavioral16: SuperViewer Installer/Volume/bin/p20/activex.msi (win11-20250313-en)
- behavioral17: SuperViewer Installer/Volume/bin/p20/activex64.msi (win11-20250313-en)
- behavioral18: SuperViewer Installer/Volume/bin/p25/mkl.msi (win11-20250313-en)
- behavioral19: SuperViewer Installer/Volume/bin/p25/mkl64.msi (win11-20250313-en)
- behavioral20: SuperViewer Installer/Volume/bin/p26/logos.msi (win11-20250313-en)
- behavioral21: SuperViewer Installer/Volume/bin/p26/logos64.msi (win11-20250314-en)
- behavioral22: SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi (win11-20250313-en)
- behavioral23: SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi (win11-20250313-en)
- behavioral24: SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi (win11-20250313-en)
- behavioral25: SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi (win11-20250313-en)
- behavioral26: SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi (win11-20250313-en)
- behavioral27: SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi (win11-20250313-en)
- behavioral28: SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi (win11-20250313-en)
- behavioral29: SuperViewer Installer/Volume/bin/p6/KillBit.msi (win11-20250313-en)
- behavioral30: SuperViewer Installer/Volume/bin/p6/KillBit64.msi (win11-20250313-en)
- behavioral31: SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi (win11-20250314-en)
- behavioral32: SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi (win11-20250314-en)
General
- Target: SuperViewer Installer/Volume/bin/p15/niauth64.msi
- Size: 1.1MB
- MD5: a48782e200e523147b55bae4ec3c0cb7
- SHA1: 91e629e3249e72b416ffd6e4450cdf75a17db960
- SHA256: f0d8f233ea0746bbb83213d106d340f4faa78e713cc5cfbf16688752dc2a2d47
- SHA512: 458cd5e19666f8ced064e9385fc3c79ce88cc784db6c0e5517f51cafe9267425098ec88163c59846b192530861347aef9875247fbafa2e52be7f60675f2b5790
- SSDEEP: 24576:pFdtXxZo/3G1OFQu+TQNxshTK+63S3ZgTqGgeSZUf/:pFdthFGUC2PJg6Uf
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\National Instruments\Shared\niauth\niauth.dll | msiexec.exe
  File created | C:\Program Files\National Instruments\Shared\niauth\niPortableRegistry.dll | msiexec.exe
- Drops file in Windows directory (19 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\e58b764.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB7C2.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB92B.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF1EC724E491E26DCE.TMP | msiexec.exe
  File created | C:\Windows\Installer\e58b764.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB91B.tmp | msiexec.exe
  File created | C:\Windows\Installer\e58b766.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB99A.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBA57.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{E6E380E8-65B5-403B-9CE5-2F8E61885864} | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF1107D52BFE8F17B0.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBAC6.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB9AA.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFD23994B0DA730E1B.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBB53.tmp | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF29301A646DD2D3C5.TMP | msiexec.exe
- Loads dropped DLL (11 IoCs)
  pid | Process
  4832 | MsiExec.exe
  4832 | MsiExec.exe
  4832 | MsiExec.exe
  4832 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
  5368 | MsiExec.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [data elided] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E | msiexec.exe
- Modifies registry class (24 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\AdvertiseFlags = "388" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\Media\1 = ";" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\PackageCode = "B3E0D3FF5A5429340A1671CEDF62DF51" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\Version = "318816256" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F187052E25291B444928BECB0EC6B91E\8E083E6E5B56B304C95EF2E816888546 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\Net | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\Media | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\Clients = 3a0000000000 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E083E6E5B56B304C95EF2E816888546 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\ProductName = "NI Authentication 2019 (64-bit)" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\InstanceType = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\PackageName = "niauth64.msi" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p15\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E083E6E5B56B304C95EF2E816888546\niauth64.NI.AUTH64.2019 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E083E6E5B56B304C95EF2E816888546\NIMUFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\Language = "9" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F187052E25291B444928BECB0EC6B91E | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E083E6E5B56B304C95EF2E816888546\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p15\\" | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 5616 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5616 | msiexec.exe
  Token: SeSecurityPrivilege | 5712 | msiexec.exe
  Token: SeCreateTokenPrivilege | 5616 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 5616 | msiexec.exe
  Token: SeLockMemoryPrivilege | 5616 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5616 | msiexec.exe
  Token: SeMachineAccountPrivilege | 5616 | msiexec.exe
  Token: SeTcbPrivilege | 5616 | msiexec.exe
  Token: SeSecurityPrivilege | 5616 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5616 | msiexec.exe
  Token: SeLoadDriverPrivilege | 5616 | msiexec.exe
  Token: SeSystemProfilePrivilege | 5616 | msiexec.exe
  Token: SeSystemtimePrivilege | 5616 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 5616 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 5616 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 5616 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 5616 | msiexec.exe
  Token: SeBackupPrivilege | 5616 | msiexec.exe
  Token: SeRestorePrivilege | 5616 | msiexec.exe
  Token: SeShutdownPrivilege | 5616 | msiexec.exe
  Token: SeDebugPrivilege | 5616 | msiexec.exe
  Token: SeAuditPrivilege | 5616 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 5616 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 5616 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 5616 | msiexec.exe
  Token: SeUndockPrivilege | 5616 | msiexec.exe
  Token: SeSyncAgentPrivilege | 5616 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 5616 | msiexec.exe
  Token: SeManageVolumePrivilege | 5616 | msiexec.exe
  Token: SeImpersonatePrivilege | 5616 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 5616 | msiexec.exe
  Token: SeCreateTokenPrivilege | 5616 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 5616 | msiexec.exe
  Token: SeLockMemoryPrivilege | 5616 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 5616 | msiexec.exe
  Token: SeMachineAccountPrivilege | 5616 | msiexec.exe
  Token: SeTcbPrivilege | 5616 | msiexec.exe
  Token: SeSecurityPrivilege | 5616 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 5616 | msiexec.exe
  Token: SeLoadDriverPrivilege | 5616 | msiexec.exe
  Token: SeSystemProfilePrivilege | 5616 | msiexec.exe
  Token: SeSystemtimePrivilege | 5616 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 5616 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 5616 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 5616 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 5616 | msiexec.exe
  Token: SeBackupPrivilege | 5616 | msiexec.exe
  Token: SeRestorePrivilege | 5616 | msiexec.exe
  Token: SeShutdownPrivilege | 5616 | msiexec.exe
  Token: SeDebugPrivilege | 5616 | msiexec.exe
  Token: SeAuditPrivilege | 5616 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 5616 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 5616 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 5616 | msiexec.exe
  Token: SeUndockPrivilege | 5616 | msiexec.exe
  Token: SeSyncAgentPrivilege | 5616 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 5616 | msiexec.exe
  Token: SeManageVolumePrivilege | 5616 | msiexec.exe
  Token: SeImpersonatePrivilege | 5616 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 5616 | msiexec.exe
  Token: SeCreateTokenPrivilege | 5616 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 5616 | msiexec.exe
  Token: SeLockMemoryPrivilege | 5616 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  5616 | msiexec.exe
  5616 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 5712 wrote to memory of 4832 | 5712 | msiexec.exe | 86
  PID 5712 wrote to memory of 4832 | 5712 | msiexec.exe | 86
  PID 5712 wrote to memory of 4832 | 5712 | msiexec.exe | 86
  PID 5712 wrote to memory of 3348 | 5712 | msiexec.exe | 90
  PID 5712 wrote to memory of 3348 | 5712 | msiexec.exe | 90
  PID 5712 wrote to memory of 5368 | 5712 | msiexec.exe | 92
  PID 5712 wrote to memory of 5368 | 5712 | msiexec.exe | 92
  PID 5712 wrote to memory of 5368 | 5712 | msiexec.exe | 92
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 5616)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p15\niauth64.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5712)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4832)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 148CF3DB3894E2B556570E412733FD1E C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\system32\srtasks.exe (PID 3348)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe (PID 5368)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0EE753D38F66216EB3F5F9C41B922DF
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 860)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed file)
  Filesize: 9KB
  MD5: a69e97f0505d5bde1e4b2a264e403eab
  SHA1: 301ad4c4b1aad90712ac3ccdcfd706f63e70ba2a
  SHA256: a03d1377de6fda98eb84e49970f864490e195ddf461d0f40a65ffd9aeabf9c66
  SHA512: d9ef8050609e1e5380c81ae6153d13ef85ce10cf3aa7d15cb366d6c51bd845cfb7e42268575aa9970b8a23ba51d7c6f8aae52708d6f51d99dcafc9442ba23c07
- (unnamed file)
  Filesize: 639KB
  MD5: c6417930af8969f9f2cb431acd76ec89
  SHA1: d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b
  SHA256: 1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b
  SHA512: f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b
- (unnamed file)
  Filesize: 24.6MB
  MD5: a5bdcb7d81a701c3fefde20e17c6c040
  SHA1: b5e442767bd1fbc64f8b5f7dc5f9f5717f546be8
  SHA256: 0dbc931331f9c5ba79bbf7c5817b5a173104803963ae74b97f112b69d8ab8c69
  SHA512: a14f665fbe27d17d68d8a1bda583b9a1abe452ce4cbb211d1940d35e0667a7c662603c0e5ee272b7505a33d50201b8d8182e640fdfee5ea51b5ce4572a05e27a
- \??\Volume{d3053786-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6087ae58-f3d4-4615-9403-57e6c64703f7}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: aca297608058dc42824764dfc4d05fc6
  SHA1: 54bfaf4256043d0ce0c3d68b7b2ee6ab727de3e4
  SHA256: 5fdece41871072b57f666eb292eacac706cff6735c76ca2542a0548a8e799ca7
  SHA512: 267c8b634c4b2b686e8e70432afc40dbf1c952a92ec2384e42ef98fa217cc33842dba8c1fc6c1e247661d124b2f4299bf355e0d25cfba3ea1564da2800e8917b