Overview
Tasks
7 | Static | static
3 | SuperViewe...th.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...rl.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...TE.msi | windows11-21h2-x64
6 | SuperViewe...XT.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...rt.msi | windows11-21h2-x64
6 | SuperViewe...or.exe | windows11-21h2-x64
3 | SuperViewe...er.msi | windows11-21h2-x64
6 | SuperViewe...er.msi | windows11-21h2-x64
6 | SuperViewe...re.msi | windows11-21h2-x64
6 | SuperViewe...er.exe | windows11-21h2-x64
3 | SuperViewe...64.exe | windows11-21h2-x64
7 | SuperViewe...86.exe | windows11-21h2-x64
7 | SuperViewe...ex.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...kl.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...os.msi | windows11-21h2-x64
- | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...es.msi | windows11-21h2-x64
6 | SuperViewe...et.msi | windows11-21h2-x64
6 | SuperViewe...me.msi | windows11-21h2-x64
- | SuperViewe...ph.msi | windows11-21h2-x64
6 | SuperViewe...ls.msi | windows11-21h2-x64
6 | SuperViewe...pp.msi | windows11-21h2-x64
6 | SuperViewe...rk.msi | windows11-21h2-x64
6 | SuperViewe...it.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
6 | SuperViewe...ne.msi | windows11-21h2-x64
6 | SuperViewe...64.msi | windows11-21h2-x64
Analysis
max time kernel: 221s
max time network: 288s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64 arch:x86 image:win11-20250313-en locale:en-us os:windows11-21h2-x64 system
submitted: 28/03/2025, 13:52
Behavioral tasks (task | sample | resource)
behavioral1 | SuperViewer Installer/Volume/bin/p15/niauth.msi | win11-20250313-en
behavioral2 | SuperViewer Installer/Volume/bin/p15/niauth64.msi | win11-20250313-en
behavioral3 | SuperViewer Installer/Volume/bin/p16/nicurl.msi | win11-20250313-en
behavioral4 | SuperViewer Installer/Volume/bin/p16/nicurl64.msi | win11-20250313-en
behavioral5 | SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi | win11-20250313-en
behavioral6 | SuperViewer Installer/Volume/bin/p18/LogosXT.msi | win11-20250313-en
behavioral7 | SuperViewer Installer/Volume/bin/p18/LogosXT64.msi | win11-20250313-en
behavioral8 | SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi | win11-20250313-en
behavioral9 | SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe | win11-20250313-en
behavioral10 | SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi | win11-20250313-en
behavioral11 | SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi | win11-20250313-en
behavioral12 | SuperViewer Installer/Volume/bin/p2/VC2015Core.msi | win11-20250313-en
behavioral13 | SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe | win11-20250314-en
behavioral14 | SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe | win11-20250313-en
behavioral15 | SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe | win11-20250313-en
behavioral16 | SuperViewer Installer/Volume/bin/p20/activex.msi | win11-20250313-en
behavioral17 | SuperViewer Installer/Volume/bin/p20/activex64.msi | win11-20250313-en
behavioral18 | SuperViewer Installer/Volume/bin/p25/mkl.msi | win11-20250313-en
behavioral19 | SuperViewer Installer/Volume/bin/p25/mkl64.msi | win11-20250313-en
behavioral20 | SuperViewer Installer/Volume/bin/p26/logos.msi | win11-20250313-en
behavioral21 | SuperViewer Installer/Volume/bin/p26/logos64.msi | win11-20250314-en
behavioral22 | SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi | win11-20250313-en
behavioral23 | SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi | win11-20250313-en
behavioral24 | SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi | win11-20250313-en
behavioral25 | SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi | win11-20250313-en
behavioral26 | SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi | win11-20250313-en
behavioral27 | SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi | win11-20250313-en
behavioral28 | SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi | win11-20250313-en
behavioral29 | SuperViewer Installer/Volume/bin/p6/KillBit.msi | win11-20250313-en
behavioral30 | SuperViewer Installer/Volume/bin/p6/KillBit64.msi | win11-20250313-en
behavioral31 | SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi | win11-20250314-en
behavioral32 | SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi | win11-20250314-en
General
Target: SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi
Size: 1.1MB
MD5: 020941f07ec3a8b4f5e2bcf26e090b3b
SHA1: b07a9317affb44ee186e8e6713ba25bcbc673114
SHA256: 199251c8315a1723a126e91f5b1adf43c859dae837d7e2f8364896a190c18722
SHA512: 8080da35bae43acd9c28a8d72901fa34e88b752e4949e381a2e6ead8463714dfd9aa776459a9aee1b3c29a06a63c933851eb9339a9e2f17c6f82e55a5299e0ab
SSDEEP: 24576:CFot6+o/3GfYr+TQNxshTK+63S3ZgTqGgeSZUf/:CFot6EdC2PJg6Uf
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. All 46 opens are by msiexec.exe; every drive letter except C, D and F is opened twice.
description | ioc | Process
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe

Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\National Instruments\_Legal Information\NI SSL LabVIEW RTE 2019 Support 19.00.49152 {B18B5A4C-AFA8-40D3-AEB8-F9DA8D9964D6}\notice.txt | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI SSL LabVIEW RTE_2019 Support {B18B5A4C-AFA8-40D3-AEB8-F9DA8D9964D6}.xml | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-ssl-labview-2019-runtime-engine-x86-support_19. {B18B5A4C-AFA8-40D3-AEB8-F9DA8D9964D6}.control | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-ssl-labview-2019-runtime-engine-x86-support_19. {B18B5A4C-AFA8-40D3-AEB8-F9DA8D9964D6}.instructions | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\LabVIEW Run-Time\2019\webserver\modules\mod_nissl.dll | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\LabVIEW Run-Time\2019\webserver\modules\mod_ssl.dll | msiexec.exe
File created | C:\Program Files (x86)\National Instruments\Shared\LabVIEW Run-Time\2019\webserver\modules\libmprssl.dll | msiexec.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{B18B5A4C-AFA8-40D3-AEB8-F9DA8D9964D6} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFC1999A330390A3E8.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI801E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8129.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFA1A9AF6CE50191AE.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\e587cdc.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7F30.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF0C184F616F8A064F.TMP | msiexec.exe
File created | C:\Windows\Installer\e587cdc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7D3A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7FDD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7F0F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7FCD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7FEE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e587cde.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF341FE0E298056290.TMP | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe

Loads dropped DLL (11 IoCs)
pid | Process
1444 | MsiExec.exe
1444 | MsiExec.exe
1444 | MsiExec.exe
1444 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe
2160 | MsiExec.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value removed] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E | msiexec.exe

Modifies registry class (25 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BF82B1E17B35A8441940B0E9F410317F\C4A5B81B8AFA3D04EA8B9FADD899466D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p4\\sslLVRTE\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\Language = "9" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\Version = "318816256" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BF82B1E17B35A8441940B0E9F410317F | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\PackageName = "ssl_LVRTEsupp.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Media\2 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4A5B81B8AFA3D04EA8B9FADD899466D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4A5B81B8AFA3D04EA8B9FADD899466D\ssllvrte.LV.SSLRTE2019 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C4A5B81B8AFA3D04EA8B9FADD899466D\NIMUFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\ProductName = "NI SSL LabVIEW RTE 2019 Support" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\PackageCode = "A3E202D12C885464B8EBBCC394A61AB7" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p4\\sslLVRTE\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C4A5B81B8AFA3D04EA8B9FADD899466D | msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 4124 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4124 | msiexec.exe
Token: SeSecurityPrivilege | 1140 | msiexec.exe
Token: SeCreateTokenPrivilege | 4124 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4124 | msiexec.exe
Token: SeLockMemoryPrivilege | 4124 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4124 | msiexec.exe
Token: SeMachineAccountPrivilege | 4124 | msiexec.exe
Token: SeTcbPrivilege | 4124 | msiexec.exe
Token: SeSecurityPrivilege | 4124 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4124 | msiexec.exe
Token: SeLoadDriverPrivilege | 4124 | msiexec.exe
Token: SeSystemProfilePrivilege | 4124 | msiexec.exe
Token: SeSystemtimePrivilege | 4124 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4124 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4124 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4124 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4124 | msiexec.exe
Token: SeBackupPrivilege | 4124 | msiexec.exe
Token: SeRestorePrivilege | 4124 | msiexec.exe
Token: SeShutdownPrivilege | 4124 | msiexec.exe
Token: SeDebugPrivilege | 4124 | msiexec.exe
Token: SeAuditPrivilege | 4124 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4124 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4124 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4124 | msiexec.exe
Token: SeUndockPrivilege | 4124 | msiexec.exe
Token: SeSyncAgentPrivilege | 4124 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4124 | msiexec.exe
Token: SeManageVolumePrivilege | 4124 | msiexec.exe
Token: SeImpersonatePrivilege | 4124 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4124 | msiexec.exe
Token: SeCreateTokenPrivilege | 4124 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4124 | msiexec.exe
Token: SeLockMemoryPrivilege | 4124 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4124 | msiexec.exe
Token: SeMachineAccountPrivilege | 4124 | msiexec.exe
Token: SeTcbPrivilege | 4124 | msiexec.exe
Token: SeSecurityPrivilege | 4124 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4124 | msiexec.exe
Token: SeLoadDriverPrivilege | 4124 | msiexec.exe
Token: SeSystemProfilePrivilege | 4124 | msiexec.exe
Token: SeSystemtimePrivilege | 4124 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4124 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4124 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4124 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4124 | msiexec.exe
Token: SeBackupPrivilege | 4124 | msiexec.exe
Token: SeRestorePrivilege | 4124 | msiexec.exe
Token: SeShutdownPrivilege | 4124 | msiexec.exe
Token: SeDebugPrivilege | 4124 | msiexec.exe
Token: SeAuditPrivilege | 4124 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4124 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4124 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4124 | msiexec.exe
Token: SeUndockPrivilege | 4124 | msiexec.exe
Token: SeSyncAgentPrivilege | 4124 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4124 | msiexec.exe
Token: SeManageVolumePrivilege | 4124 | msiexec.exe
Token: SeImpersonatePrivilege | 4124 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4124 | msiexec.exe
Token: SeCreateTokenPrivilege | 4124 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4124 | msiexec.exe
Token: SeLockMemoryPrivilege | 4124 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4124 | msiexec.exe
4124 | msiexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1140 wrote to memory of 1444 | 1140 | msiexec.exe | 85
PID 1140 wrote to memory of 1444 | 1140 | msiexec.exe | 85
PID 1140 wrote to memory of 1444 | 1140 | msiexec.exe | 85
PID 1140 wrote to memory of 4428 | 1140 | msiexec.exe | 89
PID 1140 wrote to memory of 4428 | 1140 | msiexec.exe | 89
PID 1140 wrote to memory of 2160 | 1140 | msiexec.exe | 91
PID 1140 wrote to memory of 2160 | 1140 | msiexec.exe | 91
PID 1140 wrote to memory of 2160 | 1140 | msiexec.exe | 91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child relationships)
C:\Windows\system32\msiexec.exe (PID 4124)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p4\sslLVRTE\ssl_LVRTEsupp.msi"
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 1140)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 1444, child of 1140)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C80EB72C3F0EC2AC8027989F6BEBF2C4 C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  C:\Windows\system32\srtasks.exe (PID 4428, child of 1140)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  C:\Windows\syswow64\MsiExec.exe (PID 2160, child of 1140)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E02511502295ADD1D0C31285E4C0A38B
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe (PID 472)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15KB
MD5: bae905b5866972301752ceb287a895fc
SHA1: aff20816ad1d9b3ec3427cf0a785088bbaef15ce
SHA256: 8cbfbe9643897213c6e886080256ab5f5c8a5d8beb5b3d01a2bd41be8cab57d7
SHA512: c606aeb91e831bc8d4bcc9118633fdcbd4df26d4e59cae9ed2832806ce38efd97db3dad7e4432728ce40385d8cddf7fb6360e377b203f281fa901b8adcf1d3eb

Filesize: 639KB
MD5: c6417930af8969f9f2cb431acd76ec89
SHA1: d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b
SHA256: 1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b
SHA512: f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Filesize: 24.6MB
MD5: 41d99f4a8d1f4699b8b526deaae2b29b
SHA1: d9e703f67a735973d29764561fd49ca38298574f
SHA256: 58769d7a6d99c38d720da5305214753d6eeac97a3e13f5ae575427289c52b22a
SHA512: 566dd8cd32d9a74cb4f9bdbb75992918719001c1c9f34f721c3d5568fd646f888bb47b0edd0fd7b9ed09770bfaa4c3637fd3ba9091949107f7dc58a869f65860

\??\Volume{4fff9cb4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{507b2e78-757e-4fb1-b94d-078053c5d850}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 390fbb70371235373517d7d90d75d825
SHA1: 3cb9d663b412cb5c6611031e535137fc41a63cc2
SHA256: 4ed4677db306bcf0fd110211db4353b62017829c11784bf496888815d972e802
SHA512: 90790a6673c032e18576f3599ce550f73c749d8ef9e729e97ec250bf10bf58aa50c71479ac5f371c0234c951ccb16499e7499f8ca8d9933521aa9a764b830613