File name:

Artemis.zip

Full analysis: https://app.any.run/tasks/19008014-24fb-41cd-8c7e-cfcc66011f47
Verdict: Malicious activity
Analysis date: November 02, 2023, 00:23:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2599847A7535908F7C0DB0A6B16DBF0E

SHA1:

702EFBA00D45134BF229D352280F7BA6274D7282

SHA256:

4FCE8D0D64CCEA6E75440354FB309D72E9C91C4D9F344B543952FB18FDD18C4F

SSDEEP:

393216:6rGzQvxdnEOSvGon7f527yj/yuvCGR3O3v:WGMvx9EpvGAdZjxv53O3v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Creates a writable file the system directory

      • InstallBC201401.exe (PID: 1688)

    • Drops the executable file immediately after the start

      • InstallBC201401.exe (PID: 1688)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • InstallBC201401.exe (PID: 1688)

    • Process drops legitimate windows executable

      • InstallBC201401.exe (PID: 1688)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3792)

    • Reads the Internet Settings

      • BC14.exe (PID: 1840)
      • BC14.exe (PID: 312)
      • UpChek14.exe (PID: 3992)

    • Reads Microsoft Outlook installation path

      • UpChek14.exe (PID: 3992)

    • Reads Internet Explorer settings

      • UpChek14.exe (PID: 3992)

  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3552)

    • Checks supported languages

      • InstallBC201401.exe (PID: 1688)
      • regsvr32.exe (PID: 1128)
      • regsvr32.exe (PID: 3864)
      • regsvr32.exe (PID: 3340)
      • regsvr32.exe (PID: 3352)
      • regsvr32.exe (PID: 3792)
      • regsvr32.exe (PID: 3688)
      • regsvr32.exe (PID: 3940)
      • regsvr32.exe (PID: 1016)
      • regsvr32.exe (PID: 2824)
      • regsvr32.exe (PID: 760)
      • regsvr32.exe (PID: 3216)
      • regsvr32.exe (PID: 2004)
      • regsvr32.exe (PID: 3760)
      • regsvr32.exe (PID: 1820)
      • regsvr32.exe (PID: 3772)
      • regsvr32.exe (PID: 2040)
      • regsvr32.exe (PID: 1860)
      • regsvr32.exe (PID: 3548)
      • regsvr32.exe (PID: 1192)
      • regsvr32.exe (PID: 820)
      • regsvr32.exe (PID: 3888)
      • regsvr32.exe (PID: 3072)
      • regsvr32.exe (PID: 3348)
      • regsvr32.exe (PID: 4028)
      • regsvr32.exe (PID: 3500)
      • regsvr32.exe (PID: 3488)
      • regsvr32.exe (PID: 3876)
      • regsvr32.exe (PID: 3252)
      • regsvr32.exe (PID: 2560)
      • regsvr32.exe (PID: 2216)
      • BC14.exe (PID: 1840)
      • BC14.exe (PID: 312)
      • UpChek14.exe (PID: 3992)
      • regsvr32.exe (PID: 1876)

    • Reads the computer name

      • InstallBC201401.exe (PID: 1688)
      • regsvr32.exe (PID: 3864)
      • regsvr32.exe (PID: 3340)
      • regsvr32.exe (PID: 3688)
      • regsvr32.exe (PID: 3792)
      • regsvr32.exe (PID: 3940)
      • regsvr32.exe (PID: 1016)
      • regsvr32.exe (PID: 760)
      • regsvr32.exe (PID: 3352)
      • regsvr32.exe (PID: 3500)
      • regsvr32.exe (PID: 1192)
      • regsvr32.exe (PID: 3252)
      • regsvr32.exe (PID: 2560)
      • BC14.exe (PID: 1840)
      • BC14.exe (PID: 312)
      • UpChek14.exe (PID: 3992)

    • Manual execution by a user

      • InstallBC201401.exe (PID: 860)
      • InstallBC201401.exe (PID: 1688)
      • BC14.exe (PID: 1840)
      • BC14.exe (PID: 312)

    • Reads Environment values

      • InstallBC201401.exe (PID: 1688)

    • Create files in a temporary directory

      • InstallBC201401.exe (PID: 1688)
      • BC14.exe (PID: 312)
      • BC14.exe (PID: 1840)
      • UpChek14.exe (PID: 3992)

    • Reads Microsoft Office registry keys

      • InstallBC201401.exe (PID: 1688)

    • Creates files in the program directory

      • InstallBC201401.exe (PID: 1688)

    • Reads the machine GUID from the registry

      • InstallBC201401.exe (PID: 1688)
      • BC14.exe (PID: 312)
      • BC14.exe (PID: 1840)
      • UpChek14.exe (PID: 3992)

    • Reads mouse settings

      • regsvr32.exe (PID: 3792)
      • regsvr32.exe (PID: 3940)

    • Application launched itself

      • msedge.exe (PID: 1908)

    • Checks proxy server information

      • UpChek14.exe (PID: 3992)

    • Creates files or folders in the user directory

      • UpChek14.exe (PID: 3992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2014:01:04 22:33:38
ZipCRC: 0x6ac677af
ZipCompressedSize: 13362568
ZipUncompressedSize: 13370880
ZipFileName: InstallBC201401.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
95
Monitored processes
50
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs installbc201401.exe no specs installbc201401.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs bc14.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs bc14.exe no specs upchek14.exe no specs upchek14.exe

Process information

PID
CMD
Path
Indicators
Parent process
312"C:\Program Files\BenFit14\BC14.exe" C:\Program Files\BenFit14\BC14.exeexplorer.exe
User:
admin
Company:
Decision Support Software LLC
Integrity Level:
MEDIUM
Description:
CSRS-FERS Benefits Calculator and Retirement Affordability Analyzer
Exit code:
0
Version:
14.00
Modules
Images
c:\program files\benfit14\bc14.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
460"C:\Program Files\BenFit14\UpChek14.exe" C:\Program Files\BenFit14\UpChek14.exeBC14.exe
User:
admin
Company:
Decision Support Software LLC
Integrity Level:
MEDIUM
Description:
CSRS and FERS Benefits Calculator and Retirement Analyzer update check program
Exit code:
3221226540
Version:
14.00
Modules
Images
c:\program files\benfit14\upchek14.exe
c:\windows\system32\ntdll.dll
760"C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\vbSendMail.dll" /rC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exeInstallBC201401.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Out-of-process DLL registration helper
Exit code:
0
Version:
2013.12.25.1059U
Modules
Images
c:\programdata\installmate\{1e453ea8-bb42-419d-8067-d2477a36b761}\x86\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
820"C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\CSCapt32.ocx" /rC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exeInstallBC201401.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Out-of-process DLL registration helper
Exit code:
0
Version:
2013.12.25.1059U
Modules
Images
c:\programdata\installmate\{1e453ea8-bb42-419d-8067-d2477a36b761}\x86\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
860"C:\Users\admin\Desktop\InstallBC201401.exe" C:\Users\admin\Desktop\InstallBC201401.exeexplorer.exe
User:
admin
Company:
Decision Support Software LLC
Integrity Level:
MEDIUM
Description:
Installer for CSRS-FERS Benefits Calculator and Retirement Analy
Exit code:
3221226540
Version:
2014.1.4.1230
Modules
Images
c:\users\admin\desktop\installbc201401.exe
c:\windows\system32\ntdll.dll
1016"C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\TabCtl32.Ocx" /rC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exeInstallBC201401.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Out-of-process DLL registration helper
Exit code:
0
Version:
2013.12.25.1059U
Modules
Images
c:\programdata\installmate\{1e453ea8-bb42-419d-8067-d2477a36b761}\x86\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1128"C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\msstkprp.dll" /rC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exeInstallBC201401.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Out-of-process DLL registration helper
Exit code:
0
Version:
2013.12.25.1059U
Modules
Images
c:\programdata\installmate\{1e453ea8-bb42-419d-8067-d2477a36b761}\x86\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1192"C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\RMChart.ocx" /rC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exeInstallBC201401.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Out-of-process DLL registration helper
Exit code:
0
Version:
2013.12.25.1059U
Modules
Images
c:\programdata\installmate\{1e453ea8-bb42-419d-8067-d2477a36b761}\x86\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1648"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1260,i,17531025528775315216,6249779330791231545,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1688"C:\Users\admin\Desktop\InstallBC201401.exe" C:\Users\admin\Desktop\InstallBC201401.exe
explorer.exe
User:
admin
Company:
Decision Support Software LLC
Integrity Level:
HIGH
Description:
Installer for CSRS-FERS Benefits Calculator and Retirement Analy
Exit code:
0
Version:
2014.1.4.1230
Modules
Images
c:\users\admin\desktop\installbc201401.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
Total events
4 669
Read events
4 473
Write events
101
Delete events
95

Modification events

(PID) Process:(3552) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3552) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1688) InstallBC201401.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Operation:writeName:C:\Windows\system32\mscomctl.ocx
Value:
1
(PID) Process:(1128) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EBDAAE1-8120-11CF-899F-00AA00688B10}
Operation:delete keyName:(default)
Value:
Executable files
94
Suspicious files
116
Text files
151
Unknown types
0

Dropped files

PID
Process
Filename
Type
1688InstallBC201401.exeC:\Users\Public\Documents\bc13SupportFiles\BCHELP.pdf._tm
MD5:
SHA256:
1688InstallBC201401.exeC:\Users\Public\Documents\bc13SupportFiles\BCHELP.pdf
MD5:
SHA256:
1688InstallBC201401.exeC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\Readme.txttext
MD5:741E8AAD1477503D201A622321D3A49A
SHA256:7936796E1A2A732AF971E7F137960EEF4891981379D2ED103B377002E8C6C59D
1688InstallBC201401.exeC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\_Setup.dllexecutable
MD5:76DDA4C8CE17DF4591C5B9A7363854CE
SHA256:735A433ADE90EAF829FD9C11C4BF6A33DCF712F5451BBAB0B6B9435EDE7B6259
1688InstallBC201401.exeC:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\Setup.icoimage
MD5:C3926CEF276C0940DADBC8142153CEC9
SHA256:0EC48E3C1886BC0169A4BC262F012E9B7914E3B440BB0ECC4D8123924ABC9B93
1688InstallBC201401.exeC:\Users\admin\AppData\Local\Temp\135E2990\Readme.txttext
MD5:741E8AAD1477503D201A622321D3A49A
SHA256:7936796E1A2A732AF971E7F137960EEF4891981379D2ED103B377002E8C6C59D
1688InstallBC201401.exeC:\Users\admin\AppData\Local\Temp\135E2990\Setup.icoimage
MD5:C3926CEF276C0940DADBC8142153CEC9
SHA256:0EC48E3C1886BC0169A4BC262F012E9B7914E3B440BB0ECC4D8123924ABC9B93
1688InstallBC201401.exeC:\Users\admin\AppData\Local\Temp\135E2990.datbinary
MD5:B0A7109B74113B1A5A532D4BAD90A8B5
SHA256:77098FBEB11A37C5AAF858B4255BE416FE0847CEBD99331641FAF01038D838C9
3552WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3552.12763\InstallBC201401.exeexecutable
MD5:CAFF801A280D42DBD1AD6B1266D3C43A
SHA256:834D1DBFAB8330EA5F1844F6E905ED0AC19D1033EE9A9F1122AD2051C56783DC
1688InstallBC201401.exeC:\Users\admin\AppData\Local\Temp\135E2990\Setup.exeexecutable
MD5:39C78ACD07821DF6F706F695B5E566AB
SHA256:6C70D20E43651F4F40A39F0F5B9346157C17A9BBB0E2C738C713F545550FE58F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
28
DNS requests
38
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3884
msedge.exe
GET
301
209.182.199.110:80
http://www.fedretiresoftware.com/
unknown
html
242 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
3884
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1908
msedge.exe
239.255.255.250:1900
unknown
3884
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3884
msedge.exe
20.31.251.109:443
nav-edge.smartscreen.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3884
msedge.exe
209.182.199.110:80
www.fedretiresoftware.com
IMH-IAD
US
unknown
3884
msedge.exe
209.182.199.110:443
www.fedretiresoftware.com
IMH-IAD
US
unknown

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.42.16
unknown
www.fedretiresoftware.com
  • 209.182.199.110
unknown
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
unknown
nav-edge.smartscreen.microsoft.com
  • 20.31.251.109
unknown
data-edge.smartscreen.microsoft.com
  • 20.31.251.109
unknown
fedretiresoftware.com
  • 209.182.199.110
unknown
fonts.gstatic.com
  • 142.250.185.67
unknown
fonts.googleapis.com
  • 172.217.18.10
unknown
www.googletagmanager.com
  • 142.250.184.200
unknown
hcaptcha.com
  • 104.19.219.90
  • 104.19.218.90
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Artemis.zip