Analysis

  • max time kernel
    219s
  • max time network
    289s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28/03/2025, 13:52

General

  • Target

    SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi

  • Size

    1.2MB

  • MD5

    cd230033c44fdbce4ccad5b92768d72a

  • SHA1

    9a203100103225d442b871eb8636f5fcd340d1aa

  • SHA256

    d9b5a374295169de75dc574fa10be3214d074d8344ff1b9a5a7d9efa05a2142c

  • SHA512

    9bbd32c4f964f3df83e223cb4d9a9ea5737f2e17c5f6d9924f852ac151f4ea0b29adc35bdd8f5bdaf601044cf3a9bbf0b40920faa48fa2940d4c05f9144ea84d

  • SSDEEP

    24576:cao/3f1v+TQNxshTK+63S3ZgTqGgeSZUf/q:c5mC2PJg6Uf

Score
6/10

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 20 IoCs
  • Loads dropped DLL 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p29\MStudioCW3DGraph.msi"
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4808
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 54BB6992951574BC6C76CF34D582C5A9 C
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3260
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:4920
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1D1481DBB4C3241BB30782619249826F
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4664
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 60070CCEF490038FEA1D17D341B0C313 M Global\MSI0000
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Checks SCSI registry key(s)
    PID:4652

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57ff31.rbs

      Filesize

      146KB

      MD5

      5e49a2ebf75784ec65be8e478edacaa6

      SHA1

      c745bc164217af4cf4c957e07d00abfb1e255f27

      SHA256

      3817629a7b1ba493589d0f1f711bbb5a4ba8d366f6646e7ba32306c8f169127d

      SHA512

      7dd0c0427d2b524090eb93ec54bd3ff29eb94b275a7057cb4a2c80eea0930572c58404539c95fb0cb8d442402c0aa23e447f3bad4885b4c78062cd272ae7cb7a

    • C:\Program Files (x86)\Common Files\Merge Modules\metautil.ver

      Filesize

      8KB

      MD5

      f61d93d90eb8608d35d0824f56f55145

      SHA1

      7e37b897ade888941f77829c7fbf5c3c0439dfa6

      SHA256

      18685da958da055b282868e3d0de0d487e1d7bc83ac69449bd29e5eed6364fbe

      SHA512

      54a572b0c396aa57289ea31f00b11dc819f88fb650a6420f934c536f86edd4244d9da43576d6d888bb70f6dcd7657fd809785854c195cca6c7f057fa0ca82d2d

    • C:\Program Files (x86)\National Instruments\Shared\MeasurementStudio\Help\cw3dgrph.ver

      Filesize

      24KB

      MD5

      4f435082508bbe449d7fd3c746641a27

      SHA1

      01ef6a421c771e29348771d88d72cbdf92110850

      SHA256

      b6e7dabec0a95faf2ebe98263fbda52833ccf710628be714962b671cb2625bfd

      SHA512

      1307ea14dafd605ef63e16dee2b69851b8966d7e90d9c8f2fc0cf78f387218632c67bd84635fce4f6a47f27f0fee25e051e77b63bc85d1fcf7a7049a29a707f2

    • C:\Users\Admin\AppData\Local\Temp\MSIB6AD.tmp

      Filesize

      639KB

      MD5

      c6417930af8969f9f2cb431acd76ec89

      SHA1

      d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

      SHA256

      1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

      SHA512

      f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

    • C:\Windows\Installer\MSI669.tmp

      Filesize

      40KB

      MD5

      a12e556bc0b20db061dc0ccff84500cd

      SHA1

      c342af2882e60fb787e41afdfd2d099d1c6e9404

      SHA256

      1745281cb7beba6c3891b68900613c152fb0ef7c5945a469e0892cd988db6aef

      SHA512

      8b0665359ddee311cf58ffc9a73b8a92df5fd59ff52058ce4e7009ccbdcf937d626ffd1cb21a379bc8bec581eda48309f2c57b87907183c47dd421d1ce84ea53

    • C:\Windows\SysWOW64\cw3dgrph.ocx

      Filesize

      2.2MB

      MD5

      05f0181b9f995d02dcb5c546375b8086

      SHA1

      cdfa09197ea6a2cbee0cdd396b04dcbf08609e5a

      SHA256

      81b74eb09f7254f213a455f3d0a80ba10a55c5b943ead9bbfcb51d3fdbcf5605

      SHA512

      d114ced0825f6bf695e181457fec7fdd83b947bb6ab94f7c21e399a062e7adde1762404c49ade4bc68a006ff437cabe84f493d76452079d0845a6896b947ef28

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.6MB

      MD5

      7241843916718853288eb6b65bc11e6e

      SHA1

      6f1c08392d6407198efa91fa64711b777c84eef0

      SHA256

      0c32d5ef04124ce915c0504506b0cf97b5a4bfc4cb24a06b8299e3ec5cd6d0d9

      SHA512

      2ee5c3140b864d4ff441b747ca7e36e1f3430b5a65e3b758e8193840cce59c88b90b0c4b380805bb3dd45c5b73a67a9aff6c41ba29f5a2bb02b7091ef7b171c9

    • \??\Volume{475b57dd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fc2c29ba-766d-426c-803a-cb844c5a0bbb}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      7e58dc8bf78e8766c423227858db5d51

      SHA1

      d924a6f3bebf225d34b07244b399945bdfca80de

      SHA256

      c4d65fefddf548469741a45986fb44a8301e1af43c835453fa8d268667024bfa

      SHA512

      c43aef55d588d3b90c469b1a0bfb234e3d40ccd67229cb9cbe1ca369c391984e60532b7d38c735397600f8c970b2e4962f0ca00afc51f172895d959b052fbab1