File name: malware sample.exe

Full analysis: https://app.any.run/tasks/0ba44932-f892-439d-af18-9cddde5275f6
Verdict: Malicious activity
Analysis date: May 10, 2024, 14:49:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C6BF2BA00A017119CE0EDFBC8672CC91
SHA1: DE4717F8C2C21A645E1D6277F44D758987F7689D
SHA256: 82214454A367AE2C003BA28F11F7FDCB433347661B99EA54ABE36B548CAA2AE8
SSDEEP: 98304:i+cD4dn88HgsM3mOBrA5rRhbpfbp3BV7KDCDt3ntTzYLy7xIDkpddsum5tfhALEd:FVRz6ivLCwZYTC2iOJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • malware sample.exe (PID: 3972)
      • malware sample.exe (PID: 1200)
      • malware sample.tmp (PID: 928)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • malware sample.tmp (PID: 928)
    • Executable content was dropped or overwritten

      • malware sample.exe (PID: 1200)
      • malware sample.exe (PID: 3972)
      • malware sample.tmp (PID: 928)
  • INFO

    • Reads the computer name

      • malware sample.tmp (PID: 3988)
      • malware sample.tmp (PID: 928)
    • Checks supported languages

      • malware sample.tmp (PID: 3988)
      • malware sample.exe (PID: 1200)
      • malware sample.tmp (PID: 928)
      • malware sample.exe (PID: 3972)
    • Creates files in the program directory

      • malware sample.tmp (PID: 928)
    • Create files in a temporary directory

      • malware sample.exe (PID: 1200)
      • malware sample.exe (PID: 3972)
    • Creates a software uninstall entry

      • malware sample.tmp (PID: 928)
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 38912
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: My Company, Inc.
FileDescription: Bank Master - SQR400 v9.1 Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Bank Master - SQR400 v9.1
ProductVersion: 1.5
No data.
Total processes: 39
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph

explorer.exe
  -> malware sample.exe (PID 3972)
     -> malware sample.tmp (PID 3988)
        -> malware sample.exe (PID 1200)
           -> malware sample.tmp (PID 928)

Process information

PID: 928
CMD: "C:\Users\admin\AppData\Local\Temp\is-BMLM3.tmp\malware sample.tmp" /SL5="$2013A,10187784,781824,C:\Users\admin\AppData\Local\Temp\malware sample.exe" /SPAWNWND=$40130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-BMLM3.tmp\malware sample.tmp
Parent process: malware sample.exe
User: admin
Company: My Company, Inc.
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-bmlm3.tmp\malware sample.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1200
CMD: "C:\Users\admin\AppData\Local\Temp\malware sample.exe" /SPAWNWND=$40130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\malware sample.exe
Parent process: malware sample.tmp
User: admin
Company: My Company, Inc.
Integrity Level: HIGH
Description: Bank Master - SQR400 v9.1 Setup
Exit code: 0
Version: -
Modules (Images):
c:\users\admin\appdata\local\temp\malware sample.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3972
CMD: "C:\Users\admin\AppData\Local\Temp\malware sample.exe"
Path: C:\Users\admin\AppData\Local\Temp\malware sample.exe
Parent process: explorer.exe
User: admin
Company: My Company, Inc.
Integrity Level: MEDIUM
Description: Bank Master - SQR400 v9.1 Setup
Exit code: 0
Version: -
Modules (Images):
c:\users\admin\appdata\local\temp\malware sample.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3988
CMD: "C:\Users\admin\AppData\Local\Temp\is-FLQDQ.tmp\malware sample.tmp" /SL5="$20138,10187784,781824,C:\Users\admin\AppData\Local\Temp\malware sample.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-FLQDQ.tmp\malware sample.tmp
Parent process: malware sample.exe
User: admin
Company: My Company, Inc.
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-flqdq.tmp\malware sample.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 3 466
Read events: 3 428
Write events: 32
Delete events: 6

Modification events

PID 928 (malware sample.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: A003000078303438E9A2DA01

PID 928 (malware sample.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 4216E2426DADFAB735E5AC110527B0E32B569D938A960420680800F2FCA447FA

PID 928 (malware sample.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

PID 928 (malware sample.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\Bank Master - SQR400 v9.1\bankflash.exe

PID 928 (malware sample.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 20277B9298A44E4044AB361A9557B28F39D2CC5BA9E1B00F7594CFF484ECA576

PID 928 (malware sample.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids
Operation: write
Name: BankMaster-SQR400v9.1File.myp
Value: -

PID 928 (malware sample.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\bankflash.exe\SupportedTypes
Operation: write
Name: .myp
Value: -

PID 928 (malware sample.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D1909E11-1008-4B85-BC67-D4D1D201E94E}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

PID 928 (malware sample.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D1909E11-1008-4B85-BC67-D4D1D201E94E}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Bank Master - SQR400 v9.1

PID 928 (malware sample.tmp)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D1909E11-1008-4B85-BC67-D4D1D201E94E}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Bank Master - SQR400 v9.1\
Executable files: 11
Suspicious files: 44
Text files: 13
Unknown types: 3

Dropped files

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\is-FALKO.tmp
Type: -
MD5: -
SHA256: -

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\app.so
Type: -
MD5: -
SHA256: -

PID 3972 (malware sample.exe)
Filename: C:\Users\admin\AppData\Local\Temp\is-FLQDQ.tmp\malware sample.tmp
Type: executable
MD5: 11E44C2A63D451042F20BE7925DAF156
SHA256: C6B3EE75C6B85AA030F1435F7E93F479A835CD0C7FDD5609569CFCE59F092D58

PID 1200 (malware sample.exe)
Filename: C:\Users\admin\AppData\Local\Temp\is-BMLM3.tmp\malware sample.tmp
Type: executable
MD5: 11E44C2A63D451042F20BE7925DAF156
SHA256: C6B3EE75C6B85AA030F1435F7E93F479A835CD0C7FDD5609569CFCE59F092D58

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\icudtl.dat
Type: binary
MD5: DA48E432FE61F451154F0715B2A7B174
SHA256: 65EA729083128DFCE1C00726BA932B91AAAF5E48736B5644DD37478E5F2875AC

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\flutter_assets\is-JG61Q.tmp
Type: compressed
MD5: F62374EF2BECB70787B4D99E648D26A2
SHA256: 18A71BD57C3B8878A0BCED324723EA68328C3593C534315C5BD1BA916B3FEBC1

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\is-QDVF2.tmp
Type: executable
MD5: 3DD61ACA82B1D5F5E78D2AF286856A4D
SHA256: 0829F06332A7437852C8A4AD6C4A0D069AE4CE3D4A6C9C554A1444AA6124A1E4

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\flutter_assets\is-KLQSM.tmp
Type: text
MD5: 2AD44F4C94CD018D5B0D622CA0A00622
SHA256: 00707F4620F9BE76636EB9E62C975AB872CD9A2AC6D19796E26CDE4780E27542

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\data\flutter_assets\AssetManifest.bin
Type: binary
MD5: AA737DFAA237C0CC3C7CEE497CC18C60
SHA256: 4664C2316176D42101927E6817EB0ACAD5FFE977D34B8797C1CF189D269B286C

PID 928 (malware sample.tmp)
Filename: C:\Program Files\Bank Master - SQR400 v9.1\is-U9H9V.tmp
Type: executable
MD5: 42C5A6B7DB5911DD85DAF5B0FABDFF22
SHA256: 28EB582019E20ADB30AF9756CC1622940F0F872ACDEF3A08327CB980CA6115EB
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info