Overview
Sidebar list of the sibling analyses in this submission (sample names truncated as displayed on the page; the full paths are in the Behavioral task list below).

Score  Sample                Platform
7      Static                -
3      SuperViewe...th.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...rl.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...TE.msi   windows11-21h2-x64
6      SuperViewe...XT.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...rt.msi   windows11-21h2-x64
6      SuperViewe...or.exe   windows11-21h2-x64
3      SuperViewe...er.msi   windows11-21h2-x64
6      SuperViewe...er.msi   windows11-21h2-x64
6      SuperViewe...re.msi   windows11-21h2-x64
6      SuperViewe...er.exe   windows11-21h2-x64
3      SuperViewe...64.exe   windows11-21h2-x64
7      SuperViewe...86.exe   windows11-21h2-x64
7      SuperViewe...ex.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...kl.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...os.msi   windows11-21h2-x64
-      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...es.msi   windows11-21h2-x64
6      SuperViewe...et.msi   windows11-21h2-x64
6      SuperViewe...me.msi   windows11-21h2-x64
-      SuperViewe...ph.msi   windows11-21h2-x64
6      SuperViewe...ls.msi   windows11-21h2-x64
6      SuperViewe...pp.msi   windows11-21h2-x64
6      SuperViewe...rk.msi   windows11-21h2-x64
6      SuperViewe...it.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
6      SuperViewe...ne.msi   windows11-21h2-x64
6      SuperViewe...64.msi   windows11-21h2-x64
Analysis (score 6)
max time kernel: 220s
max time network: 280s
platform: windows11-21h2_x64
resource: win11-20250313-en
resource tags: arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28/03/2025, 13:52
Behavioral tasks
Task          Sample                                                                   Resource
behavioral1   SuperViewer Installer/Volume/bin/p15/niauth.msi                          win11-20250313-en
behavioral2   SuperViewer Installer/Volume/bin/p15/niauth64.msi                        win11-20250313-en
behavioral3   SuperViewer Installer/Volume/bin/p16/nicurl.msi                          win11-20250313-en
behavioral4   SuperViewer Installer/Volume/bin/p16/nicurl64.msi                        win11-20250313-en
behavioral5   SuperViewer Installer/Volume/bin/p17/LabVI00/NIWebServer_LVRTE.msi       win11-20250313-en
behavioral6   SuperViewer Installer/Volume/bin/p18/LogosXT.msi                         win11-20250313-en
behavioral7   SuperViewer Installer/Volume/bin/p18/LogosXT64.msi                       win11-20250313-en
behavioral8   SuperViewer Installer/Volume/bin/p19/ni_error/ni_error_report.msi        win11-20250313-en
behavioral9   SuperViewer Installer/Volume/bin/p2/SystemRequirementsError.exe          win11-20250313-en
behavioral10  SuperViewer Installer/Volume/bin/p2/VC2015-32Wrapper.msi                 win11-20250313-en
behavioral11  SuperViewer Installer/Volume/bin/p2/VC2015-64Wrapper.msi                 win11-20250313-en
behavioral12  SuperViewer Installer/Volume/bin/p2/VC2015Core.msi                       win11-20250313-en
behavioral13  SuperViewer Installer/Volume/bin/p2/VCRunTimeInstaller.exe               win11-20250314-en
behavioral14  SuperViewer Installer/Volume/bin/p2/vc_redist.x64.exe                    win11-20250313-en
behavioral15  SuperViewer Installer/Volume/bin/p2/vc_redist.x86.exe                    win11-20250313-en
behavioral16  SuperViewer Installer/Volume/bin/p20/activex.msi                         win11-20250313-en
behavioral17  SuperViewer Installer/Volume/bin/p20/activex64.msi                       win11-20250313-en
behavioral18  SuperViewer Installer/Volume/bin/p25/mkl.msi                             win11-20250313-en
behavioral19  SuperViewer Installer/Volume/bin/p25/mkl64.msi                           win11-20250313-en
behavioral20  SuperViewer Installer/Volume/bin/p26/logos.msi                           win11-20250313-en
behavioral21  SuperViewer Installer/Volume/bin/p26/logos64.msi                         win11-20250314-en
behavioral22  SuperViewer Installer/Volume/bin/p27/lvrteres/LV2019rteres.msi           win11-20250313-en
behavioral23  SuperViewer Installer/Volume/bin/p28/LV2019rtdnet.msi                    win11-20250313-en
behavioral24  SuperViewer Installer/Volume/bin/p28/LV2019runtime.msi                   win11-20250313-en
behavioral25  SuperViewer Installer/Volume/bin/p29/MStudioCW3DGraph.msi                win11-20250313-en
behavioral26  SuperViewer Installer/Volume/bin/p3/NISys00/NISysLogUtils.msi            win11-20250313-en
behavioral27  SuperViewer Installer/Volume/bin/p4/sslLVRTE/ssl_LVRTEsupp.msi           win11-20250313-en
behavioral28  SuperViewer Installer/Volume/bin/p5/NI_De00/dep_framework.msi            win11-20250313-en
behavioral29  SuperViewer Installer/Volume/bin/p6/KillBit.msi                          win11-20250313-en
behavioral30  SuperViewer Installer/Volume/bin/p6/KillBit64.msi                        win11-20250313-en
behavioral31  SuperViewer Installer/Volume/bin/p7/NITraceEngine.msi                    win11-20250314-en
behavioral32  SuperViewer Installer/Volume/bin/p7/NITraceEngine64.msi                  win11-20250314-en
General
Target: SuperViewer Installer/Volume/bin/p6/KillBit64.msi
Size: 1.1MB
MD5: 5c7c1bfb5b96ae0cae0ca5071a2d6ab3
SHA1: 70048b3384fcd6acd768376e5e461030a5a1a5ab
SHA256: ac7e090826f58b754d49441c9e5f5a23b91cd25afc87a57b2d80762b962d4cc4
SHA512: 013a80e24ed8e6db8f1a79457a8616871b497bc7a10252eb16433599183e71a8369d04d246d809dde22089d4e6bb89ef1dedededfb76a2fa37bb4017e431a6ee
SSDEEP: 24576:oFBOtVWyo/3G54+TQNxshTK+63S3ZgTqGgeSZUf/:oFstsMZC2PJg6Uf
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by msiexec.exe; every letter below appears twice in the report: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Both msiexec.exe processes in the tree below (the client, PID 5772, and the service, PID 4936) carry this signature. Windows Installer probes every drive letter while costing the install, so for an MSI package this behaviour is expected and on its own is not evidence of malicious intent.
- Drops file in Windows directory (19 IoCs)
All by msiexec.exe:
File created C:\Windows\Installer\inprogressinstallinfo.ipi
File created C:\Windows\SystemTemp\~DF1A9671CEE85A4AEF.TMP
File created C:\Windows\Installer\SourceHash{3BD1EEE5-2B3D-428A-9CAB-4DE4A38070C4}
File created C:\Windows\Installer\e58537c.msi
File opened for modification C:\Windows\Installer\e58537a.msi
File opened for modification C:\Windows\Installer\
File created C:\Windows\SystemTemp\~DF55B8C88ED948CEFD.TMP
File created C:\Windows\Installer\e58537a.msi
File created C:\Windows\SystemTemp\~DF4EF22992085001EB.TMP
File opened for modification C:\Windows\Installer\MSI5631.tmp
File created C:\Windows\SystemTemp\~DF3542DE2ED6F15C78.TMP
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification C:\Windows\Installer\MSI53D8.tmp
File opened for modification C:\Windows\Installer\MSI54C3.tmp
File opened for modification C:\Windows\Installer\MSI54F3.tmp
File opened for modification C:\Windows\Installer\MSI5561.tmp
File opened for modification C:\Windows\Installer\MSI5582.tmp
File opened for modification C:\Windows\Installer\MSI55A2.tmp
File opened for modification C:\Windows\Installer\MSI55C2.tmp
The e58537x.msi and SourceHash{...} files are the Windows Installer package cache for this product, and MSIxxxx.tmp is where the installer extracts binary custom actions before loading them in its custom-action hosts; the "Loads dropped DLL" hits on the two MsiExec.exe -Embedding processes below fit that pattern.
- Loads dropped DLL (11 IoCs)
PID 4776 MsiExec.exe (4 loads); PID 2260 MsiExec.exe (7 loads)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe (once in each of the two custom-action hosts, PIDs 4776 and 2260)
Reading this key is how an installer picks its UI language, which is why the signature fires on almost every MSI; it carries no weight here without other geolocation behaviour.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All by vssvc.exe:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted in the report]
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
The process here is vssvc.exe (PID 3428), the Volume Shadow Copy service, writing partition-manager caches while srtasks.exe creates the restore point requested by the installer. The sample itself never touches these keys, so the sandbox-detection reading does not apply.
- Modifies Internet Explorer settings (6 IoCs)
All by msiexec.exe:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D}\AlternateCLSID = "{18A3FBF1-E52F-425e-AEDF-05B51D35C16D}"
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}\Compatibility Flags = "1024"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}\AlternateCLSID = "{B9CD5ABA-72AB-42a1-B7F8-B0B510233A9E}"
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D}\Compatibility Flags = "1024"
This is the substance of the package. Compatibility Flags 1024 is 0x400, the ActiveX kill bit: Internet Explorer refuses to instantiate the two CLSIDs and, because AlternateCLSID is set, loads the named replacement control instead. That matches the file name (KillBit64.msi), the feature name Kill_Bit_Patch_64.NI.KILLBIT_64.210 and the ProductName "NI Security Update (KB 67L8LCQW) (64-bit)" recorded under "Modifies registry class" below. Setting kill bits is a hardening action, not an attack; an MSI that cleared them (flags without 0x400 on a CLSID that previously had it) would be the thing to worry about.
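To turn the six raw IoC lines above into a per-CLSID verdict, the following is an added example (not code from the sandbox report, from the sandbox vendor or from the NI installer). It parses the report's "op  key path [= "value"]  process" line format, groups the writes by CLSID and decodes the Compatibility Flags DWORD; the 0x400 kill-bit constant is the documented value, and the sample input is the six lines exactly as the report prints them.

```python
# Added example: decode the ActiveX Compatibility registry writes listed in a sandbox report.
import re

# Documented bit in HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags:
# 0x400 is the kill bit. IE will not instantiate the control and, if AlternateCLSID is set, loads that one instead.
KILL_BIT = 0x400

# Sample input: the six IoC lines copied from the report above (format: "<op> <key path>[ = "<value>"] <process>").
IOC_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D}\AlternateCLSID = "{18A3FBF1-E52F-425e-AEDF-05B51D35C16D}" msiexec.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546} msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}\Compatibility Flags = "1024" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9052D99-F6C6-44F1-A411-C55B0A73C546}\AlternateCLSID = "{B9CD5ABA-72AB-42a1-B7F8-B0B510233A9E}" msiexec.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D} msiexec.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F7A7C71B-246C-4B62-B3A2-40666F95BB8D}\Compatibility Flags = "1024" msiexec.exe',
]

# One report line: operation, key path (non-greedy, so the optional = "value" and the trailing process name are split off).
_IOC_RE = re.compile(
    r"^(?P<op>Set value \(\w+\)|Key (?:created|deleted|opened|queried))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?: = "(?P<value>[^"]*)")?'
    r"\s+(?P<process>\S+)$"
)
# The part of a key path we care about: the CLSID subkey and, optionally, the value name under it.
_AX_RE = re.compile(r"\\ActiveX Compatibility\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?:\\(?P<name>[^\\]+))?$")


def parse_registry_ioc(line):
    """Split one sandbox registry IoC line into op, path, value (None if absent) and process."""
    m = _IOC_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised IoC line: %r" % line)
    return m.groupdict()


def decode_compat_flags(value):
    """Decode a Compatibility Flags DWORD; the report prints it as a decimal string."""
    flags = int(value, 0)
    return {"kill_bit": bool(flags & KILL_BIT), "other": flags & ~KILL_BIT}


def activex_changes(lines):
    """Return {CLSID: {kill_bit, other_flags, alternate, process}} for the ActiveX Compatibility writes in lines."""
    per_clsid = {}
    for line in lines:
        ioc = parse_registry_ioc(line)
        m = _AX_RE.search(ioc["path"])
        if not m:
            continue  # some other registry key; ignore
        clsid = m.group("clsid").upper()
        entry = per_clsid.setdefault(
            clsid, {"kill_bit": False, "other_flags": 0, "alternate": None, "process": ioc["process"]}
        )
        name, value = m.group("name"), ioc["value"]
        if name == "Compatibility Flags" and value is not None:
            decoded = decode_compat_flags(value)
            entry["kill_bit"], entry["other_flags"] = decoded["kill_bit"], decoded["other"]
        elif name == "AlternateCLSID" and value is not None:
            entry["alternate"] = value.upper()  # the report mixes case inside the GUID
    return per_clsid


if __name__ == "__main__":
    for clsid, info in activex_changes(IOC_LINES).items():
        state = "kill bit SET" if info["kill_bit"] else "kill bit clear"
        print("%s: %s by %s, alternate -> %s" % (clsid, state, info["process"], info["alternate"]))
```

The same parser works on any registry line from this report family, so pointing activex_changes() at a full IoC dump will list every CLSID an installer kill-bits or un-kill-bits, which is the question to ask of an unknown "security update" package.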
- Modifies data under HKEY_USERS (3 IoCs)
All by msiexec.exe:
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
- Modifies registry class (24 IoCs)
All by msiexec.exe:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\PackageName = "KillBit64.msi"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p6\\"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\Media\1 = ";"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\Clients = 3a0000000000
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\PackageCode = "00BB2BF5679CFB04AAC1A5E27CEA2A6F"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\InstanceType = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\Media
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\Media\DiskPrompt = "[1]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5EEE1DB3D3B2A824C9BAD44E3A08074C
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5EEE1DB3D3B2A824C9BAD44E3A08074C\NIMUFeature
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\Version = "34258944"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\Assignment = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\Net
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\SuperViewer Installer\\Volume\\bin\\p6\\"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5EEE1DB3D3B2A824C9BAD44E3A08074C\Kill_Bit_Patch_64.NI.KILLBIT_64.210
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\ProductName = "NI Security Update (KB 67L8LCQW) (64-bit)"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\Language = "9"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\AdvertiseFlags = "388"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\AuthorizedLUAApp = "0"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\675F92D107DD9154E9D7808E594F904A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\675F92D107DD9154E9D7808E594F904A\5EEE1DB3D3B2A824C9BAD44E3A08074C
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\SourceList
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5EEE1DB3D3B2A824C9BAD44E3A08074C\DeploymentFlags = "3"
These are the standard Windows Installer product-registration keys. The 32-hex subkey name is the ProductCode in Installer's "squished" form (first three GUID groups reversed, hex pairs of the last two groups swapped): 5EEE1DB3D3B2A824C9BAD44E3A08074C is {3BD1EEE5-2B3D-428A-9CAB-4DE4A38070C4}, the same GUID as the SourceHash file created under C:\Windows\Installer above. Version 34258944 is 0x020AC000, i.e. ProductVersion 2.10.49152, and Language 9 is LANG_ENGLISH. SourceList\Net\1 and LastUsedSource record the temp folder the package was run from, which is where Windows Installer will look for the source on repair or uninstall.
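To map the Installer\Products and Installer\UpgradeCodes key names above back to GUIDs that can be searched for in an MSI's Property table or on a live host, the following is an added example (not code from the sandbox report or from NI). It implements Windows Installer's compressed-GUID layout in both directions and unpacks the Version DWORD; the constants are the squished keys, the SourceHash GUID and the Version value copied from the report.

```python
# Added example: decode Windows Installer "squished" GUIDs and the packed ProductVersion from the report above.
import re

PRODUCT_KEY = "5EEE1DB3D3B2A824C9BAD44E3A08074C"            # Installer\Products\<key> in the report
UPGRADE_KEY = "675F92D107DD9154E9D7808E594F904A"            # Installer\UpgradeCodes\<key> in the report
SOURCE_HASH_GUID = "{3BD1EEE5-2B3D-428A-9CAB-4DE4A38070C4}"  # C:\Windows\Installer\SourceHash{...} in the report
VERSION_DWORD = "34258944"                                   # Installer\Products\<key>\Version in the report

_GUID_RE = re.compile(r"\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?")


def _swap_pairs(hexstr):
    """'ABCD' -> 'BADC': swap the two hex digits of every byte."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def squish_guid(guid):
    """{ProductCode} or {UpgradeCode} -> the 32-hex name Installer uses for its registry subkey."""
    m = _GUID_RE.fullmatch(guid.strip().upper())
    if not m:
        raise ValueError("not a GUID: %r" % guid)
    g1, g2, g3, g4, g5 = m.groups()
    # first three groups are reversed as strings; the last two are byte-swapped
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def unsquish_guid(key):
    """32-hex Installer subkey name -> {GUID}; the inverse of squish_guid."""
    s = key.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError("not a squished GUID: %r" % key)
    return "{%s-%s-%s-%s-%s}" % (
        s[0:8][::-1], s[8:12][::-1], s[12:16][::-1], _swap_pairs(s[16:20]), _swap_pairs(s[20:32])
    )


def decode_msi_version(dword):
    """The Version value under Installer/Products packs ProductVersion as major<<24 | minor<<16 | build."""
    v = int(dword)
    return (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)


def installer_artifacts(product_code):
    """Registry keys and cache file a product with this ProductCode leaves behind (what to check on a host)."""
    key = squish_guid(product_code)
    return {
        "products_key": "HKLM\\SOFTWARE\\Classes\\Installer\\Products\\" + key,
        "features_key": "HKLM\\SOFTWARE\\Classes\\Installer\\Features\\" + key,
        "source_hash": "C:\\Windows\\Installer\\SourceHash" + unsquish_guid(key),
    }


if __name__ == "__main__":
    print("ProductCode :", unsquish_guid(PRODUCT_KEY))
    print("UpgradeCode :", unsquish_guid(UPGRADE_KEY))
    print("Version     : %d.%d.%d" % decode_msi_version(VERSION_DWORD))
    for name, path in installer_artifacts(unsquish_guid(PRODUCT_KEY)).items():
        print("%-12s: %s" % (name, path))
```

Running it confirms that the Products key and the SourceHash file name are the same ProductCode, which is a quick consistency check when a report's registry and file sections come from different processes; the UpgradeCode it recovers is what a later package would reference to supersede this one.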
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
PID 4936 msiexec.exe: SeSecurityPrivilege
PID 5772 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following set in two complete passes (the report's list stops at 64 entries, three privileges into a third pass): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
This bulk enable of every privilege the token holds is routine for the Windows Installer client on an elevated install and appears on benign MSI packages; it is only worth attention when a process other than msiexec.exe does it.
- Suspicious use of FindShellTrayWindow (2 IoCs)
PID 5772 msiexec.exe (twice)
- Suspicious use of WriteProcessMemory (8 IoCs)
PID 4936 msiexec.exe wrote to memory of PID 4776 (3 times, target 86), PID 4632 (2 times, target 90) and PID 2260 (3 times, target 92)
The three targets are the service's own children in the process tree below (the two custom-action hosts and srtasks.exe); the writes are the parent setting up processes it created, not injection into an unrelated process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe  PID 5772
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p6\KillBit64.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe  PID 4936
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe  PID 4776  (child of 4936)
        C:\Windows\syswow64\MsiExec.exe -Embedding A8D800AFBF9EF59835505A4F54E5D205 C
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
    C:\Windows\system32\srtasks.exe  PID 4632  (child of 4936)
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    C:\Windows\syswow64\MsiExec.exe  PID 2260  (child of 4936)
        C:\Windows\syswow64\MsiExec.exe -Embedding 2CDBE1AE44A9D620FDB29A83C5D83D7E
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe  PID 3428
    C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
Reading the tree: PID 5772 is the per-user client started with /I on the package. The work is done by the Windows Installer service (msiexec.exe /V, PID 4936), which runs the package's 32-bit custom actions in the two C:\Windows\syswow64\MsiExec.exe -Embedding hosts and asks System Restore for a restore point via srtasks.exe ExecuteScopeRestorePoint; that request is what brings vssvc.exe, and its SCSI registry writes, into the trace.
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
Filesize: 11KB
MD5: 64f974485c3131746ccb75e5cec64716
SHA1: 20b1411931013432876693c9251f1dc3f939e467
SHA256: 681ad042134fca64f470d7a3aa1689f1b5aebd0d21a40701fbbb65b0c1d2a470
SHA512: 927d58cd01f63c32b24b288b7a4a891e4367968b0c1cbeb23a835d650f8124bb758e1cb8f539c3a382d51b10e1a4fc102800ba3957e0f8d174efd882a2efafaa

(no path recorded)
Filesize: 639KB
MD5: c6417930af8969f9f2cb431acd76ec89
SHA1: d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b
SHA256: 1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b
SHA512: f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

(no path recorded)
Filesize: 24.6MB
MD5: ace9b8b4a241f42c62d8617921fa67c9
SHA1: 35c749a68815455b21f26349c06bfdb203ab03f8
SHA256: 83189a07b20287be9a19a6e63ba3086d158ef88b4719e4e3d22a862496fb34e1
SHA512: 9728fcf21f19eca2e7b60665d534d709c5853305d0b65500f1b35d28c9bb317ac8f87351ed50949d0e5ed75c903b0a20995eb9f096b7a6c3adb5f1179fa71563

\??\Volume{d3053786-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{59b1ce43-36f5-4408-9038-83bb687afa5b}_OnDiskSnapshotProp
Filesize: 6KB
MD5: fd2e4db7dff5efd98b0eb2e7680552ca
SHA1: 17600f2caddf2f582b017e5f5d6009455504cb0f
SHA256: 1df2a2c9d4ecd1055ba92a7c0f7c765d234e5d07ceaf1d8ee1b44ce0fc11c93a
SHA512: 620b02cff5f5fa2fc3a4713a35ede3701efe3b766b92e8511736d442f58cd331da2c7c1ec9c001b7bdc105b963bae1a040845dbb496856f79955a782d38a5f6c