File name: InstallBC201401.exe
Full analysis: https://app.any.run/tasks/4bcb7975-66af-4d1d-81da-fa3449743986
Verdict: Malicious activity
Analysis date: August 25, 2019, 15:35:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: CAFF801A280D42DBD1AD6B1266D3C43A
SHA1: 08B9F5874AD1DC3EE1093C9CD08737645F33F13F
SHA256: 834D1DBFAB8330EA5F1844F6E905ED0AC19D1033EE9A9F1122AD2051C56783DC
SSDEEP: 196608:1UDU1mprZJy2p/HvE/uUhM32f0J0s6mW6W1rsWrzSWas5+VBI/93eiJGDXWku7:10UMpr3dvsM3+nmHW1DS/s5WQRVG3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable: InstallBC201401.exe (PID: 2456); regsvr32.exe (PIDs: 3636, 3768, 2588, 2708, 2756, 3144, 3664, 3576, 3480, 2512, 3348, 2404, 2436, 3344, 3168, 1264, 1428); BC14.exe (PID: 3456)
    • Application was dropped or rewritten from another process: regsvr32.exe (PIDs: 3144, 3664, 3232, 2452, 3372, 2844, 2752, 3788, 2756, 2708, 3636, 3768, 2524, 2588, 3540, 3548, 2512, 1132, 2600, 3680, 2528, 3576, 3344, 2404, 3348, 3480, 2436, 1428, 1264, 3168); BC14.exe (PID: 3456)
  • SUSPICIOUS
    • Creates files in the Windows directory: InstallBC201401.exe (PID: 2456)
    • Executable content was dropped or overwritten: InstallBC201401.exe (PID: 2456)
    • Removes files from Windows directory: InstallBC201401.exe (PID: 2456)
    • Creates files in the program directory: InstallBC201401.exe (PID: 2456)
    • Creates COM task schedule object: regsvr32.exe (PIDs: 3664, 3144, 2756, 3768, 2708, 3636, 3548, 2588)
    • Creates a software uninstall entry: InstallBC201401.exe (PID: 2456)
    • Starts Internet Explorer: BC14.exe (PID: 3456)
    • Executed via COM: FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4088)
  • INFO
    • Dropped object may contain Bitcoin addresses: InstallBC201401.exe (PID: 2456)
    • Manual execution by user: BC14.exe (PID: 3456)
    • Application launched itself: iexplore.exe (PID: 3832)
    • Changes internet zones settings: iexplore.exe (PID: 3832)
    • Creates files in the user directory: FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4088); iexplore.exe (PID: 2180)
    • Reads internet explorer settings: iexplore.exe (PID: 2180)
    • Reads Internet Cache Settings: iexplore.exe (PID: 2180)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:12:25 03:09:40+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 7680
InitializedDataSize: 13362176
UninitializedDataSize: -
EntryPoint: 0x1495
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2014.1.4.1230
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: CSRS-FERS Benefits Calculator and Retirement Analyzer
ProductVersion: v14.01
CompanyName: Decision Support Software LLC
LegalCopyright: Copyright © 2014 Decision Support Software LLC
Email: [email protected]
WebSite: http://www.FedRetireSoftware.com
FileDescription: Installer for CSRS-FERS Benefits Calculator and Retirement Analy
FileVersion: 2014.1.4.1230
InternalName: TSULoader
OriginalFileName: TSULoader.exe
Comments: WinNT (x86) Unicode Lib Rel
ProductCode: {1E453EA8-BB42-419D-8067-D2477A36B761}
PackageCode: {D449BC32-6D28-4AF0-BB00-AB3391EF0F9A}
Arguments: -
SpecialBuild: -
No data.
Total processes: 73
Monitored processes: 37
Malicious processes: 3
Suspicious processes: 10

Behavior graph

[Behavior graph: installbc201401.exe (two instances) drops and starts a series of regsvr32.exe processes and bc14.exe; the remaining nodes are iexplore.exe (two instances) and flashutil32_26_0_0_131_activex.exe.]

Process information

PID | CMD | Path | Parent process
3940 | "C:\Users\admin\AppData\Local\Temp\InstallBC201401.exe" | C:\Users\admin\AppData\Local\Temp\InstallBC201401.exe | explorer.exe
  User: admin; Company: Decision Support Software LLC; Integrity Level: MEDIUM; Description: Installer for CSRS-FERS Benefits Calculator and Retirement Analy; Exit code: 3221226540; Version: 2014.1.4.1230
2456 | "C:\Users\admin\AppData\Local\Temp\InstallBC201401.exe" | C:\Users\admin\AppData\Local\Temp\InstallBC201401.exe | explorer.exe
  User: admin; Company: Decision Support Software LLC; Integrity Level: HIGH; Description: Installer for CSRS-FERS Benefits Calculator and Retirement Analy; Exit code: 0; Version: 2014.1.4.1230
3144 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\msstkprp.dll" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
3664 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\MSSTDFMT.DLL" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
3232 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\comdlg32.ocx" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
3372 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\mswinsck.ocx" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
2452 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\mscomctl.ocx" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
2752 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\mscomct2.ocx" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
2844 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\TabCtl32.Ocx" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
3788 | "C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe" "C:\Windows\system32\RICHTX32.OCX" /r | C:\ProgramData\InstallMate\{1E453EA8-BB42-419D-8067-D2477A36B761}\x86\regsvr32.exe | InstallBC201401.exe
  Each regsvr32.exe instance above (PIDs 3144, 3664, 3232, 3372, 2452, 2752, 2844, 3788): User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Out-of-process DLL registration helper; Exit code: 0; Version: 2013.12.25.1059U
Total events: 3 492
Read events: 737
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 49
Suspicious files: 6
Text files: 106
Unknown types: 11

Dropped files

PID | Process | Filename
2456 | InstallBC201401.exe | C:\Users\admin\AppData\Local\Temp\AB0967B1.dat
2456 | InstallBC201401.exe | C:\Users\Public\Documents\bc13SupportFiles\Table13.SPT._tm
2456 | InstallBC201401.exe | C:\Users\Public\Documents\bc13SupportFiles\BCHELP.pdf._tm
2456 | InstallBC201401.exe | C:\Users\Public\Documents\bc13SupportFiles\BCHELP.pdf
2456 | InstallBC201401.exe | C:\Users\Public\Documents\bc13SupportFiles\SINGLE _USER_ LICENSE_ AGREEMENT.pdf._tm
2456 | InstallBC201401.exe | C:\Users\Public\Documents\bc13SupportFiles\FEGLIcod.pdf._tm
2456 | InstallBC201401.exe | C:\Program Files\BenFit14\BC14.exe._tm
2456 | InstallBC201401.exe | C:\Windows\system32\ChilkatMail_v8.dll._tm
2456 | InstallBC201401.exe | C:\Windows\system32\ChilkatZip2.dll._tm
2456 | InstallBC201401.exe | C:\Windows\system32\ChilkatFtp2.dll._tm
HTTP(S) requests: 2
TCP/UDP connections: 42
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2180 | iexplore.exe | GET | 301 | 143.95.37.230:80 | http://www.fedretiresoftware.com/ | US | binary | 20 b | whitelisted
3832 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3832 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2180 | iexplore.exe | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2180 | iexplore.exe | 74.125.133.82:443 | html5shiv.googlecode.com | Google Inc. | US | whitelisted
2180 | iexplore.exe | 143.95.37.230:443 | www.fedretiresoftware.com | Colo4, LLC | US | malicious
2180 | iexplore.exe | 172.217.22.72:443 | www.googletagmanager.com | Google Inc. | US | whitelisted
2180 | iexplore.exe | 143.95.37.230:80 | www.fedretiresoftware.com | Colo4, LLC | US | malicious
- | - | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2180 | iexplore.exe | 172.217.23.142:443 | www.google-analytics.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.fedretiresoftware.com | 143.95.37.230 | whitelisted
html5shiv.googlecode.com | 74.125.133.82 | whitelisted
www.googletagmanager.com | 172.217.22.72 | whitelisted
fonts.googleapis.com | 172.217.16.170 | whitelisted
www.google-analytics.com | 172.217.23.142 | whitelisted

Threats

No threats detected
No debug info