9acec82250082db98a156292e9aebc2ba22ae177f8003fe29d7e59b220e14ebc

Analysis

max time kernel
219s
max time network
212s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuperViewer Installer/Volume/bin/p6/KillBit.msi
Size

1.2MB
MD5

dec9097b8561d2eb3998a8a5b1c4f1b5
SHA1

f1b859f548877ebb9494521e106c17ad5dcd1432
SHA256

7ca06688301358c71996aefe516171e9a6f4bbfbe94cb04e6f25c15e9e99c89a
SHA512

9eeac308426bd178ba91e013fc128b125bba9ac0be8cd45d749c275b636ad064dfaed9a27a9daa3fac8cb67d7b6929fe5d8ab6e14cbeb2a7f6ae22828eb6d2ed
SSDEEP

24576:bF3PRDtqa17yo/3G5ETj+TQNxshTK+63S3ZgTqGgeSZUf/T:bFVthME2C2PJg6Uf

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\National Instruments\_Legal Information\NI Security Update (KB 67L8LCQW) 2.10.49152 {64ECB814-3A6A-4E48-9D2F-D6C2EDD725B7}\notice.txt	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\MDF\Manifests\NI Security Update (KB 67L8LCQW) {64ECB814-3A6A-4E48-9D2F-D6C2EDD725B7}.xml	msiexec.exe
File created	C:\Program Files (x86)\National Instruments\Shared\WinMIF\ni-securityupdate-kb67l8lcqw-killbits_2.1.0.49152- {64ECB814-3A6A-4E48-9D2F-D6C2EDD725B7}.control	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI251B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF604B6931F61653E4.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{64ECB814-3A6A-4E48-9D2F-D6C2EDD725B7}	msiexec.exe
File created	C:\Windows\Installer\e5822b8.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE9B545C8A543ECDD.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5822b6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25A9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI248B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI249C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI250A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5822b6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22F4.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDC2A4F46FD47B90E.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27BE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF829AF3D4514DA590.TMP	msiexec.exe

Loads dropped DLL 11 IoCs

pid	Process
3624	MsiExec.exe
3624	MsiExec.exe
3624	MsiExec.exe
3624	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe
5084	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d78eac4ea3e6401f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d78eac4e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d78eac4e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd78eac4e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d78eac4e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E28E25AA-15FA-409A-A1BC-A823958A9F03}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D940E4D2-6079-11CE-88CB-0020AF6845F6}\AlternateCLSID = "{17383836-89A0-4249-A9AD-79F10EFB92EE}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66D45D1E-3108-4930-AA93-CDEF429A3C54}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{388AE6E1-F9C0-4E17-A228-F20D8FEE1BD9}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5C626B92-B718-11D3-B04D-00A024D8324D}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5450B137-791F-4C94-9F96-345BC5C85ACB}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{14EA1470-B71C-11D3-A126-006097B79EFD}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{90A7FB49-80B5-46EC-B5E6-F35514F48E63}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C900211D-B1FD-4D0C-8CA0-5B59CA8A038C}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2375F38-B71B-11D3-A126-006097B79EFD}\Compatibility Flags = "1024"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A7244E66-5F5F-4DA2-95B0-2EEE3F455C9A}\AlternateCLSID = "{7B0793B4-BC9F-48F3-B7D8-957C05F2342E}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{45C9BE66-D2A8-49F7-BF5C-04A37034D4A1}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6D2A8D80-4BC3-11D1-B608-00A024D63828}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C8ACB3EC-E18A-40C7-BD9C-DBB7CEEF1340}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FB7BBDDB-F16A-4BCE-9B89-74F9E7C06EA8}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D7C9D9A-B134-4F09-851B-CA3F98C76146}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{60877094-70B4-11D0-93E4-00A02411EC65}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B98EC626-AA6E-11CF-A544-0020AF1E73B9}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{90C87CBB-229D-4C32-A609-48D598C2E284}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E1360549-CAF3-4C4E-AE15-E62B0EF5FB42}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2FDDE938-F33A-4226-A386-0921B71537A6}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{60DAC4BC-5251-480E-80DD-8190AD795A46}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CDC0948-B6BE-4B96-8370-17BC8783CA98}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CBD4E1F5-9DC7-4C02-9CF6-9E30C5522815}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97F3BD7F-1FB2-4750-A9C4-348405CA2256}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F22F8FF2-687D-3932-8BEB-FD4B6F0E9987}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0CCC09C1-0BBC-11D0-B979-0020AFE6BEB3}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97180942-AE76-445C-B360-1037714E89F8}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2CBBBDE5-AA4A-4069-A751-7260793C7D71}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9D0D3820-E6E4-484A-9EBE-87580DBBFE92}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{044E1AFA-BD90-44AF-B2BB-73091DCE0B0E}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8655EE93-D864-11D0-B521-00A024D63828}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2375EE9-B71B-11D3-A126-006097B79EFD}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7E779271-E05B-492D-9038-6B3DDDC44A35}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1BFC82C-B795-4D7E-912A-C72E85C15088}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A1DF24A8-39D5-49AC-B7F7-D7D8E29A7DA9}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{576CE3C8-6190-42CA-A35C-F589DBD048F6}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{576CE3C8-6190-42CA-A35C-F589DBD048F6}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A6CC68EF-F165-4EDC-AF64-DB6193F18713}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ABA32E4E-1FF8-4090-AEA8-865308FB246A}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2FDDE938-F33A-4226-A386-0921B71537A6}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{830F2C9C-6664-46DE-9EA5-B2A35E1AE1E4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BCB610A6-76FF-43FE-A60E-0CF3460C8B88}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9988331B-A409-4474-8342-18F886FE2939}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BCB610A6-76FF-43FE-A60E-0CF3460C8B88}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2375EFC-B71B-11D3-A126-006097B79EFD}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E14AEF24-7B32-4A00-928F-7C5BCED63DE9}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EA93EEBC-3767-4BBF-8D36-6DAC682AF39E}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D072763D-2AD6-476B-8A22-11B679A0AB5E}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A1DF24A8-39D5-49AC-B7F7-D7D8E29A7DA9}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{45C9BE66-D2A8-49F7-BF5C-04A37034D4A1}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{14EA1429-B71C-11D3-A126-006097B79EFD}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4C51F2F4-37EF-4E4A-B3FF-9D9AD77DC549}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E82F6C4F-7CE1-40EA-806C-DE0FD99D1C82}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{14EA1426-B71C-11D3-A126-006097B79EFD}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66D45D1E-3108-4930-AA93-CDEF429A3C54}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6CDC0948-B6BE-4B96-8370-17BC8783CA98}\Compatibility Flags = "1024"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8EAC710-4952-11D1-B606-00A024D63828}\Compatibility Flags = "1024"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{550149C0-7F25-43DE-8C77-7CB14B4CF7D9}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{855180AA-8513-4A64-BB87-BD942592A96A}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E3019F68-A637-4F2C-992A-8AE31B78D750}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{59819537-4FD2-454E-9743-8E5D12ECA354}\Compatibility Flags = "1024"	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\418BCE46A6A384E4D9F26D2CDE7D527B\NIMUFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\ProductName = "NI Security Update (KB 67L8LCQW)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\Version = "34258944"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p6\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\418BCE46A6A384E4D9F26D2CDE7D527B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\Language = "9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p6\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\418BCE46A6A384E4D9F26D2CDE7D527B\Kill_Bit_Patch.NI.KILLBIT.210	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D98AA19CDF3949144A3DC0F244918609	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D98AA19CDF3949144A3DC0F244918609\418BCE46A6A384E4D9F26D2CDE7D527B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Media\2 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\PackageCode = "95AD41D4B125F9243AF0F24FC8EE38F8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\PackageName = "KillBit.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\418BCE46A6A384E4D9F26D2CDE7D527B\SourceList\Media	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	5748	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1572	msiexec.exe
Token: SeMachineAccountPrivilege	1572	msiexec.exe
Token: SeTcbPrivilege	1572	msiexec.exe
Token: SeSecurityPrivilege	1572	msiexec.exe
Token: SeTakeOwnershipPrivilege	1572	msiexec.exe
Token: SeLoadDriverPrivilege	1572	msiexec.exe
Token: SeSystemProfilePrivilege	1572	msiexec.exe
Token: SeSystemtimePrivilege	1572	msiexec.exe
Token: SeProfSingleProcessPrivilege	1572	msiexec.exe
Token: SeIncBasePriorityPrivilege	1572	msiexec.exe
Token: SeCreatePagefilePrivilege	1572	msiexec.exe
Token: SeCreatePermanentPrivilege	1572	msiexec.exe
Token: SeBackupPrivilege	1572	msiexec.exe
Token: SeRestorePrivilege	1572	msiexec.exe
Token: SeShutdownPrivilege	1572	msiexec.exe
Token: SeDebugPrivilege	1572	msiexec.exe
Token: SeAuditPrivilege	1572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1572	msiexec.exe
Token: SeChangeNotifyPrivilege	1572	msiexec.exe
Token: SeRemoteShutdownPrivilege	1572	msiexec.exe
Token: SeUndockPrivilege	1572	msiexec.exe
Token: SeSyncAgentPrivilege	1572	msiexec.exe
Token: SeEnableDelegationPrivilege	1572	msiexec.exe
Token: SeManageVolumePrivilege	1572	msiexec.exe
Token: SeImpersonatePrivilege	1572	msiexec.exe
Token: SeCreateGlobalPrivilege	1572	msiexec.exe
Token: SeCreateTokenPrivilege	1572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1572	msiexec.exe
Token: SeLockMemoryPrivilege	1572	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1572	msiexec.exe
1572	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5748 wrote to memory of 3624	5748	msiexec.exe	81
PID 5748 wrote to memory of 3624	5748	msiexec.exe	81
PID 5748 wrote to memory of 3624	5748	msiexec.exe	81
PID 5748 wrote to memory of 6096	5748	msiexec.exe	85
PID 5748 wrote to memory of 6096	5748	msiexec.exe	85
PID 5748 wrote to memory of 5084	5748	msiexec.exe	87
PID 5748 wrote to memory of 5084	5748	msiexec.exe	87
PID 5748 wrote to memory of 5084	5748	msiexec.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p6\KillBit.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 754BAAD930F9CF819B130F91E31A0855 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3624
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 032A4A56F14A818C4CB681D365039C94
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5822b7.rbs

Filesize
114KB

MD5
6250695ffe9605808c3c8d3a2938e57f

SHA1
bce1d9dea533eb760e39516427d72d9abd811a34

SHA256
55e1def516eb97aa1bfa7a4f265200e7a4630156b98a38696b5ab04f719ba3e8

SHA512
3fcb2085bf01cfcad84c1a2fceee25105e6c8252b19edbf8a79c0637ab2c8613a06424171ae10232b7b7a552f3fc61d70af2a09249d5407a6ace866cd6e228f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8DB9.tmp

Filesize
639KB

MD5
c6417930af8969f9f2cb431acd76ec89

SHA1
d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

SHA256
1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

SHA512
f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
93d575e613beade00e98f44ee6fb4d47

SHA1
393b711ad83ebaaf3a4a0097c8f6b2f0ef30d9a3

SHA256
5d1ea942ba32d85e78b2c4e46056d1d8cb7fd4857e36db00628380057b393490

SHA512
b5a6e0dae64aad6dd0d49652687da1c132b4c72db32838bf9537387b115249016d31bd3762ae20a3c6c3cdf828f5c6631baca62614d3863852d375777d3c5ce7

Download Submit
\??\Volume{4eac8ed7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{02ee82ba-d85a-4581-916d-122577b5ea0c}_OnDiskSnapshotProp

Filesize
6KB

MD5
c85387055b7299edb0b2f132d146c8ee

SHA1
fe767fad3065761395c641ae25154df115c840d5

SHA256
1f07a7bdb272b5eb6b03b7a169a89b6f8237d76859432564c3e1df7065463d51

SHA512
29aa34fdd23df9ffccc4445ef5912a1380d0cc774b98e254614dcafda996288ac95e51de2913fa84f825af1dcb7724bb11cdad74454cc9d138af57e142a90fbd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads