9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
56s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p26/logos.msi
Size

1.5MB
MD5

a1b0ac1fe3989aab3e6a85dc85d8dcd6
SHA1

6b86ad7bf3e4995a3c9123844379af34bd3dab4d
SHA256

c9dbfb1c4c398f8bbe787bf42535e7b23fef8b8a74a5b290964bf812c1e51d59
SHA512

24e4a9f852cf8e6a6b2c2af59300bd9aadb199637a1c556f500d7e28d9b706b6b4287ad3741ee22245c55b1e4d98f9cbe9a219dad4e1c759547d6ce2c8d23775
SSDEEP

49152:SFytInONSSYAP+sYSO/trwQKZvTAwVC2PJg6Uf:SFjhwQ4VC2

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lookout.sec	msiexec.exe
File created	C:\Windows\SysWOW64\lksock.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkstime.dll	msiexec.exe
File created	C:\Windows\SysWOW64\logos_scs_wrapper.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkbrow.dll	msiexec.exe
File created	C:\Windows\SysWOW64\nidscmem.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkobenv.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkproc.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lksec.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkdynam.dll	msiexec.exe
File created	C:\Windows\SysWOW64\lkads.exe	msiexec.exe
File created	C:\Windows\SysWOW64\lktsrv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\lkrealt.dll	msiexec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\ko\dmanager.mo	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Logos\lkopc.exe	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\dmanager.exe	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Logos\smgr.exe	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\nidm_context.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\ja\dmanager.mo	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\_Legal Information\NI Logos 19.0 19.00.49152 {60684600-163F-45D7-83DB-E247FA48D81F}\notice.txt	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\zh\dmanager.mo	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\nidm_client_manager.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Logos\usrmgr.exe	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\nidm_client_thinauth.dll	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Logos\usrmgr.chm	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\nidm_discovery.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Merge Modules\logos.msm	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\de\dmanager.mo	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Logos\lkopc.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Merge Modules\logos64.msm	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\Security\fr\dmanager.mo	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Logos 19.0 {60684600-163F-45D7-83DB-E247FA48D81F}.xml	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-logos_19.0.0.49152-0+f0_windows_all {60684600-163F-45D7-83DB-E247FA48D81F}.control	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6E77.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EB7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF299B77566C3BF4D0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D0E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF91608F6252E417E9.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F95.tmp	msiexec.exe
File created	C:\Windows\Installer\e586a8e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e586a8c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7320.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EC7.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC529851174BF4969.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{60684600-163F-45D7-83DB-E247FA48D81F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0653A9BBAC3C189E.TMP	msiexec.exe
File created	C:\Windows\Installer\e586a8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D1F.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	MSI6EC7.tmp

Loads dropped DLL 11 IoCs

pid	Process
6048	MsiExec.exe
6048	MsiExec.exe
6048	MsiExec.exe
6048	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe
756	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6EC7.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000863705d3f43de89a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000863705d30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900863705d3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d863705d3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000863705d300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\PackageCode = "17AC34FD518EC5E47B9F3F3B3BB3EE55"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\lkopc.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\lkopc.exe\AppId = "{3C4AD541-1307-11d3-8CB0-006008C16337}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer.1\CLSID\ = "{3C4AD541-1307-11d3-8CB0-006008C16337}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\OPC\Vendor	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00648606F3617D5438BD2E74AF848DF1\LogosMSM.LV.LOGOS.1900 = "logos.LV.LOGOS.1900"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00648606F3617D5438BD2E74AF848DF1\NIMUFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p26\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\OPC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\Language = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\CurVer\ = "National Instruments.LookoutOPCServer.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\VersionIndependentProgID\ = "National Instruments.LookoutOPCServer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\CLSID\ = "{3C4AD541-1307-11d3-8CB0-006008C16337}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00648606F3617D5438BD2E74AF848DF1\logos.LV.LOGOS.1900	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\ProductName = "NI Logos 19.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Media\2 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\PackageName = "logos.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00648606F3617D5438BD2E74AF848DF1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\Version = "318816256"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\OPC\Vendor\ = "National Instruments, Inc."	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\AppID = "{3C4AD541-1307-11d3-8CB0-006008C16337}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C4AD541-1307-11d3-8CB0-006008C16337}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3EC4A4E560D44D11B8220006801C3673	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\ = "OPC Server Interface to Lookout"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3EC4A4E560D44D11B8220006801C3673\00648606F3617D5438BD2E74AF848DF1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer.1\CLSID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p26\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3C4AD541-1307-11d3-8CB0-006008C16337}\ = "OPC Server Interface to Lookout"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00648606F3617D5438BD2E74AF848DF1\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\InprocServer32\ = "C:\\Program Files (x86)\\National Instruments\\Shared\\Logos\\lkopc.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\LocalServer32\ = "C:\\Program Files (x86)\\National Instruments\\Shared\\Logos\\lkopc.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer\ = "OPC Server Interface to Lookout"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\ProgID\ = "National Instruments.LookoutOPCServer.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\National Instruments.LookoutOPCServer.1\ = "OPC Server Interface to Lookout"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C4AD541-1307-11D3-8CB0-006008C16337}\VersionIndependentProgID	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4884	msiexec.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	4884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4884	msiexec.exe
Token: SeLockMemoryPrivilege	4884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4884	msiexec.exe
Token: SeMachineAccountPrivilege	4884	msiexec.exe
Token: SeTcbPrivilege	4884	msiexec.exe
Token: SeSecurityPrivilege	4884	msiexec.exe
Token: SeTakeOwnershipPrivilege	4884	msiexec.exe
Token: SeLoadDriverPrivilege	4884	msiexec.exe
Token: SeSystemProfilePrivilege	4884	msiexec.exe
Token: SeSystemtimePrivilege	4884	msiexec.exe
Token: SeProfSingleProcessPrivilege	4884	msiexec.exe
Token: SeIncBasePriorityPrivilege	4884	msiexec.exe
Token: SeCreatePagefilePrivilege	4884	msiexec.exe
Token: SeCreatePermanentPrivilege	4884	msiexec.exe
Token: SeBackupPrivilege	4884	msiexec.exe
Token: SeRestorePrivilege	4884	msiexec.exe
Token: SeShutdownPrivilege	4884	msiexec.exe
Token: SeDebugPrivilege	4884	msiexec.exe
Token: SeAuditPrivilege	4884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4884	msiexec.exe
Token: SeChangeNotifyPrivilege	4884	msiexec.exe
Token: SeRemoteShutdownPrivilege	4884	msiexec.exe
Token: SeUndockPrivilege	4884	msiexec.exe
Token: SeSyncAgentPrivilege	4884	msiexec.exe
Token: SeEnableDelegationPrivilege	4884	msiexec.exe
Token: SeManageVolumePrivilege	4884	msiexec.exe
Token: SeImpersonatePrivilege	4884	msiexec.exe
Token: SeCreateGlobalPrivilege	4884	msiexec.exe
Token: SeCreateTokenPrivilege	4884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4884	msiexec.exe
Token: SeLockMemoryPrivilege	4884	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4884	msiexec.exe
Token: SeMachineAccountPrivilege	4884	msiexec.exe
Token: SeTcbPrivilege	4884	msiexec.exe
Token: SeSecurityPrivilege	4884	msiexec.exe
Token: SeTakeOwnershipPrivilege	4884	msiexec.exe
Token: SeLoadDriverPrivilege	4884	msiexec.exe
Token: SeSystemProfilePrivilege	4884	msiexec.exe
Token: SeSystemtimePrivilege	4884	msiexec.exe
Token: SeProfSingleProcessPrivilege	4884	msiexec.exe
Token: SeIncBasePriorityPrivilege	4884	msiexec.exe
Token: SeCreatePagefilePrivilege	4884	msiexec.exe
Token: SeCreatePermanentPrivilege	4884	msiexec.exe
Token: SeBackupPrivilege	4884	msiexec.exe
Token: SeRestorePrivilege	4884	msiexec.exe
Token: SeShutdownPrivilege	4884	msiexec.exe
Token: SeDebugPrivilege	4884	msiexec.exe
Token: SeAuditPrivilege	4884	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4884	msiexec.exe
Token: SeChangeNotifyPrivilege	4884	msiexec.exe
Token: SeRemoteShutdownPrivilege	4884	msiexec.exe
Token: SeUndockPrivilege	4884	msiexec.exe
Token: SeSyncAgentPrivilege	4884	msiexec.exe
Token: SeEnableDelegationPrivilege	4884	msiexec.exe
Token: SeManageVolumePrivilege	4884	msiexec.exe
Token: SeImpersonatePrivilege	4884	msiexec.exe
Token: SeCreateGlobalPrivilege	4884	msiexec.exe
Token: SeCreateTokenPrivilege	4884	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4884	msiexec.exe
Token: SeLockMemoryPrivilege	4884	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4884	msiexec.exe
4884	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1096	LogonUI.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 6048	4952	msiexec.exe	86
PID 4952 wrote to memory of 6048	4952	msiexec.exe	86
PID 4952 wrote to memory of 6048	4952	msiexec.exe	86
PID 4952 wrote to memory of 1920	4952	msiexec.exe	90
PID 4952 wrote to memory of 1920	4952	msiexec.exe	90
PID 4952 wrote to memory of 756	4952	msiexec.exe	92
PID 4952 wrote to memory of 756	4952	msiexec.exe	92
PID 4952 wrote to memory of 756	4952	msiexec.exe	92
PID 4952 wrote to memory of 1508	4952	msiexec.exe	93
PID 4952 wrote to memory of 1508	4952	msiexec.exe	93
PID 4952 wrote to memory of 1508	4952	msiexec.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p26\logos.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C0A7583E3E48D012ED52B7BA1478A795 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6048
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 968571B35A1339F403EA255195F51F3A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Windows\Installer\MSI6EC7.tmp
  "C:\Windows\Installer\MSI6EC7.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a36855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586a8d.rbs

Filesize
33KB

MD5
11b57dd0cc22420d8f80cdffc5aca8ce

SHA1
5dfa00e4cee8936a4449bbf243b8365a11924c0c

SHA256
4090a37482a1ca2e45519ffbec8b066f664fa18ba2c6075552f1a4defc8831f9

SHA512
18274e0f23819d0bac953e73618f630f52a54bee6fc6bced6bed6713cf4278a0c5ae98ad2288c4ff348bac909f0767c91e4a29e8a8c82a3ac25a28195dd13a44

Download Submit
C:\ProgramData\National Instruments\Shared\LV Help Index\usrmgr.chm\_0.cfs

Filesize
11KB

MD5
7ebad66675321f3b1542caf7d45dbbb6

SHA1
204b12e72aacf1ca85c1ddcdf99b7108d1d7a927

SHA256
4a8750f00d67a85e5287329ab67d2b5f9dd7226d8d5244155c29d81c6b1c0daa

SHA512
2fa9fd9d0612947359857b38a8494f27047b656e811c73a7e52a34f994f3fd1a0a1a394f66c4a94d44ab6180957eff129bf4cb1a7fa91da68cc0dcefa6ef8b5a

Download Submit
C:\ProgramData\National Instruments\Shared\LV Help Index\usrmgr.chm\segments.gen

Filesize
20B

MD5
2eb2668d2bf13379fa3584b9a9867b46

SHA1
86ee9f040505bb2f9ad01472bfc6c3f10f6f0091

SHA256
ab308562fd6f5404d34e923152ee70ff7bddaab2f421a6c58730ba731bd09182

SHA512
15dec785f3fd190336f8561a827566d90865d174f33f6c7947da7b298734aad887f522d2fc625353c8a798e4c6cfeef27bec59131fdab3384dba0fcdd50f8415

Download Submit
C:\ProgramData\National Instruments\Shared\LV Help Index\usrmgr.chm\segments_2

Filesize
211B

MD5
d891952b2875dd23809fd7d895701b0c

SHA1
d24804055cba97681d74d46231ffde988955ba4b

SHA256
8252b9943a22c45c50997a1626985b45813bfe16f598f88fd5f3bf50ac3f6f4d

SHA512
f4138e7caa574e42f2299432efdbe2f85a976ee19f7f926aaa60ed2a6d560b6c42144ecda6cf61ed2ff36d298845c8f206b2744826e1175cad2864b797f0c26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB8F0.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
C:\Windows\Installer\MSI6EC7.tmp

Filesize
396KB

MD5
f0b82c3c95271382907b1adf047c7ec7

SHA1
98054465b8974a63c9e79f865eb43ec8cfbe0e07

SHA256
0f3531cb26b48dd1314c74916dc0f7cdfe1bfe1da222f361896ab5c27cf521ce

SHA512
b204d262fb16078d4a976807f3acc597c5353e419a8b48ac273a2256e7e2eb59061aa7d0a71d8955f856b10856fa5687075e866606083d2d9f5372f5a291eaed

Download Submit
memory/1920-108-0x00007FF7AFCE0000-0x00007FF7AFCF3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads