Overview

overview

7

Static

static

3

SuperViewe...th.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...rl.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...TE.msi

windows11-21h2-x64

6

SuperViewe...XT.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...rt.msi

windows11-21h2-x64

6

SuperViewe...or.exe

windows11-21h2-x64

3

SuperViewe...er.msi

windows11-21h2-x64

6

SuperViewe...er.msi

windows11-21h2-x64

6

SuperViewe...re.msi

windows11-21h2-x64

6

SuperViewe...er.exe

windows11-21h2-x64

3

SuperViewe...64.exe

windows11-21h2-x64

7

SuperViewe...86.exe

windows11-21h2-x64

7

SuperViewe...ex.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...kl.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...os.msi

windows11-21h2-x64

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...es.msi

windows11-21h2-x64

6

SuperViewe...et.msi

windows11-21h2-x64

6

SuperViewe...me.msi

windows11-21h2-x64

SuperViewe...ph.msi

windows11-21h2-x64

6

SuperViewe...ls.msi

windows11-21h2-x64

6

SuperViewe...pp.msi

windows11-21h2-x64

6

SuperViewe...rk.msi

windows11-21h2-x64

6

SuperViewe...it.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

SuperViewe...ne.msi

windows11-21h2-x64

6

SuperViewe...64.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    237s
  • max time network
    307s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/03/2025, 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SuperViewer Installer/Volume/bin/p16/nicurl64.msi

  • Size

    1.1MB

  • MD5

    34f3d3c76b5e1768c1e33354d12b86cd

  • SHA1

    cfa71a635fc18eba072b4eba4066d6074ca7f354

  • SHA256

    fb745d3bd330f229f03693368db3dac75ce6262865a6997ac1c0a6b9ae75e151

  • SHA512

    a1dcb2e8b6897ab8a04998dfe4e498a36967e41a028431eefde610d1f64c3aa824b1039aaaf020133b2041778b9cb0462ba897d828c3b9b7009a328ec3be861d

  • SSDEEP

    24576:pFitUXZo/3G1Xu+TQNxshTK+63S3ZgTqGgeSZUf/:pFitmFfC2PJg6Uf

Score
6/10
discovery

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 19 IoCs
  • Loads dropped DLL 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\SuperViewer Installer\Volume\bin\p16\nicurl64.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4860
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F4CC3E0DACD9DB19461B3757A6DBA890 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3124
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2016
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding D8E8A3E20235503579EA281D156C3D92
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4496
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:5872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e582bbf.rbs
      Filesize

      9KB

      MD5

      1c494c329a4c67d5181607a41161acf4

      SHA1

      67eb50036ee7ba8cda3720fcb1e094322d7ac2e2

      SHA256

      a3a0cf223c8c6277840fe3872a900ea6731155d956cb950bb7cd782d87d7477d

      SHA512

      f86b38aca6cb977f79cf97077efc1762d1076a2b74d615c74713616321171aebe0efc55f84c46b57b3b983e8b6914bf082418f649f448274235444cd0b6fe2e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI902A.tmp
      Filesize

      639KB

      MD5

      c6417930af8969f9f2cb431acd76ec89

      SHA1

      d2f2dc9b44f5f79348f7f36091b26a5465ad4f2b

      SHA256

      1b89704532113150fc7a8a06b5367ee26937c346635a860e93662e1fbb5cd79b

      SHA512

      f30d7a5b51f5d866ccabf3e15a45d3b4013e28a9bdaaf2176e8b121fbd4ab41a8e67c059b2ece8db5bc7a0ce043e76bbc4e3f6400fb9cd2886e1ffcd9e65d79b

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.6MB

      MD5

      6e14fee13fd384c8c42f15110b8d77a1

      SHA1

      3362b2748b5c1422e94c2fb99496153eb096f82f

      SHA256

      6581c181c30ac46556dd020a9909a520fe262391c8b854dbf214a8a60ccd7b5f

      SHA512

      571d43ed39b7bf75158369afcb211cfff4b746d2897effbb7a625c6cc74c15f0bc6888b1a26b7d74ea091fe2402c55c013aa63b118b4aeff229d507ef4bf62d3

      Download Submit

    • \??\Volume{4e15f56f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dc9b5c7c-c262-4a4c-a2a7-aa73916d02bd}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      bbf4fc995286ff607adb988ccd457ce2

      SHA1

      8d58171ec8605a688575b6f96f4c3d264fa6f813

      SHA256

      5cbdba8941451d6fdd2c6ebd25b52125da255571a525c84eaf3e3a5844e952c3

      SHA512

      576dc9b232611fd04a0e2f7b55f67192f977e0d894d6ec2c2637d41b6f14db708cfb8ad85a182c9cc1e92bbf2256f85d621e81fab36f61b454526693071dccbf

      Download Submit