File name:

MBTB_Setup_V3.4.5.0.exe

Full analysis: https://app.any.run/tasks/aebfe2f9-b4ba-4bcc-a5ae-73c618f89ee6
Verdict: Malicious activity
Analysis date: November 12, 2023, 10:32:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 78C2526D1F01E9CBD48D73777C1A34DC
SHA1: 9BA2252736D1707166D44D6ACEE2FF7491B4E0EA
SHA256: 3C457DC7C5E316816F3F57E29AAA7DC9B9EBE73F798AC7FD551A386D4475C864
SSDEEP: 98304:0p+ocDnqKb2cX+8XsHRBAa3A2iwyEuKJtaNXrfyNLwt0qaYE3VCNUhueRmKjRc+W:nviU15h/hqV1xvv7UTDdWal1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
    • Process drops legitimate windows executable

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
    • Reads the Internet Settings

      • MBTB.UI.exe (PID: 3516)
    • The process creates files with name similar to system file names

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
  • INFO

    • Create files in a temporary directory

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
    • Reads the computer name

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
      • MBTB.UI.exe (PID: 3516)
    • Checks supported languages

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
      • MBTB.UI.exe (PID: 3516)
    • Reads the machine GUID from the registry

      • MBTB.UI.exe (PID: 3516)
    • Manual execution by a user

      • MBTB.UI.exe (PID: 3516)
    • Creates files or folders in the user directory

      • MBTB.UI.exe (PID: 3516)
    • Creates files in the program directory

      • MBTB_Setup_V3.4.5.0.exe (PID: 2900)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
45
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2900
CMD:
"C:\Users\admin\AppData\Local\Temp\MBTB_Setup_V3.4.5.0.exe"
Path:
C:\Users\admin\AppData\Local\Temp\MBTB_Setup_V3.4.5.0.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mbtb_setup_v3.4.5.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
3416
CMD:
"C:\Users\admin\AppData\Local\Temp\MBTB_Setup_V3.4.5.0.exe"
Path:
C:\Users\admin\AppData\Local\Temp\MBTB_Setup_V3.4.5.0.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\mbtb_setup_v3.4.5.0.exe
c:\windows\system32\ntdll.dll
PID:
3516
CMD:
"C:\Morpho\MBTB\MBTB.UI.exe"
Path:
C:\Morpho\MBTB\MBTB.UI.exe
Parent process:
explorer.exe
User:
admin
Company:
Groupe SAFRAN
Integrity Level:
MEDIUM
Description:
MBTB.UI
Exit code:
0
Version:
3.4.5
Modules
Images
c:\morpho\mbtb\mbtb.ui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
3680
CMD:
"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path:
C:\Windows\System32\wisptis.exe
Parent process:
MBTB.UI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Pen and Touch Input Component
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
PID:
3940
CMD:
"C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path:
C:\Windows\System32\wisptis.exe
Parent process:
MBTB.UI.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Pen and Touch Input Component
Exit code:
24
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
1 725
Read events
1 715
Write events
10
Delete events
0

Modification events

(PID) Process: (3516) MBTB.UI.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3516) MBTB.UI.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3516) MBTB.UI.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3516) MBTB.UI.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3516) MBTB.UI.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

(PID) Process: (3940) wisptis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: MBTB.UI.exe
Executable files
67
Suspicious files
5
Text files
60
Unknown types
0

Dropped files

PID | Process | Filename | Type

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\MBTB.Common.dll | executable
MD5: 2839067272FE55FEA3AB2BCE7D745013
SHA256: DB4ACF19F962082A8D5938C1C91826620C6A65CA1B24D5E17044E25BCE272DE2

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Users\admin\AppData\Local\Temp\nsh70E0.tmp\UserInfo.dll | executable
MD5: 7579ADE7AE1747A31960A228CE02E666
SHA256: 564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\MBTB.AccessDevice.dll | executable
MD5: 1CCACAC492FA03AABE155CDF7F95DB3C
SHA256: 770D2D04E62A25EEDF0D08B28983324D39F767DE1B8562C54F82CC43E183317F

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Users\admin\AppData\Local\Temp\nsh70E0.tmp\modern-wizard.bmp | image
MD5: BE1702FC37CAA60B47FDF4A296A608F7
SHA256: 839D1620789DC55E2DE744C7AFF1D4D7D6CF5E34EB790FF5E27B79139F8B1BB4

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Users\admin\AppData\Local\Temp\nsh70E0.tmp\System.dll | executable
MD5: C17103AE9072A06DA581DEC998343FC1
SHA256: DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\MBTB.PluginLoader.dll | executable
MD5: 17AA9E64AB93C58D57A7EB02720A8BE1
SHA256: 8CF95B7AF87075B8938D141346AB5A0B2E3C99CF4C63C76396E99A0CE8FFEB1D

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\MBTB.Device.dll | executable
MD5: 14C25A4499BB90396597FFE294B285DE
SHA256: 0479F01A109FC19E9484C4553A4CB440D6ABB27AAB5BCF3EBD6B09E51C342F2A

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\Microsoft.Practices.EnterpriseLibrary.Validation.dll | executable
MD5: C28BA7019EA44971BEF19A54C48A8252
SHA256: F1A6A3431C3A2D0A599A04CD9E97D5611A2F557FAE222C7CCCE9E586E56ECE81

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Morpho\MBTB\cfg.lst | text
MD5: F36DBE9A8FAA3CD2D50E750190195B84
SHA256: 5C89E64D165D310851B47A363C9DBF8DDBFDE52925326EB60E72E54B655ABE25

2900 | MBTB_Setup_V3.4.5.0.exe | C:\Users\admin\AppData\Local\Temp\nsh70E0.tmp\nsDialogs.dll | executable
MD5: C10E04DD4AD4277D5ADC951BB331C777
SHA256: E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info