File name: Twain Install.exe

Full analysis: https://app.any.run/tasks/a2b11af5-3877-4480-8710-46c7f24de810
Verdict: Malicious activity
Analysis date: January 25, 2024, 04:57:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: D52037F2EDA0D3197052298C0CB84DB9
SHA1: 90627861E9FB6809913CB9E41701752554C8E8D2
SHA256: 8C10CD4EEF88FEE9EC39AEA4E8C03A16ECC6709257015782EFEBC932673E9E29
SSDEEP: 24576:UIQnrTXGxwuHeHVoWO2YM1+jIev2WvPrakxOQVFsICBxZDsBFT//6czwOTu:UIGrjLuHklYM1+j2pk4cpCDZsmwjK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Twain Install.exe (PID: 2640)
      • Sp40TWAINSetup.exe (PID: 2060)
      • Sp40TWAINSetup.tmp (PID: 2788)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Twain Install.exe (PID: 2640)
      • Sp40TWAINSetup.exe (PID: 2060)
      • Sp40TWAINSetup.tmp (PID: 2788)
    • Process drops legitimate windows executable

      • Twain Install.exe (PID: 2640)
      • Sp40TWAINSetup.tmp (PID: 2788)
    • Reads the Internet Settings

      • Twain Install.exe (PID: 2640)
      • avvio.exe (PID: 552)
      • Install.exe (PID: 1556)
    • Reads the Windows owner or organization settings

      • Sp40TWAINSetup.tmp (PID: 2788)
    • Drops a system driver (possible attempt to evade defenses)

      • Sp40TWAINSetup.tmp (PID: 2788)
    • Uses ICACLS.EXE to modify access control lists

      • Install.exe (PID: 1556)
  • INFO

    • Reads the computer name

      • Twain Install.exe (PID: 2640)
      • avvio.exe (PID: 552)
      • Install.exe (PID: 1556)
      • Sp40TWAINSetup.tmp (PID: 2788)
    • Checks supported languages

      • Twain Install.exe (PID: 2640)
      • avvio.exe (PID: 552)
      • Install.exe (PID: 1556)
      • Sp40TWAINSetup.exe (PID: 2060)
      • Sp40TWAINSetup.tmp (PID: 2788)
    • Create files in a temporary directory

      • Twain Install.exe (PID: 2640)
      • Sp40TWAINSetup.exe (PID: 2060)
      • Sp40TWAINSetup.tmp (PID: 2788)
    • Reads the machine GUID from the registry

      • avvio.exe (PID: 552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | WinRAR Self Extracting archive (94.3)
.scr | Windows screen saver (2.3)
.dll | Win32 Dynamic Link Library (generic) (1.1)
.exe | Win32 Executable (generic) (0.8)
.exe | Win32 Executable Watcom C++ (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:09:16 16:17:44+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 81920
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 48
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph (from start): twain install.exe, avvio.exe (no specs), install.exe, sp40twainsetup.exe, sp40twainsetup.tmp, icacls.exe (no specs), icacls.exe (no specs)

Process information

Each entry lists PID, CMD, Path and Parent process, followed by the process details and the loaded modules (images).
PID: 552
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\avvio.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\avvio.exe
Parent process: Twain Install.exe
User: admin
Company: Compuprint srl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (Images):
c:\users\admin\appdata\local\temp\rarsfx0\avvio.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1556
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.exe
Parent process: avvio.exe
User: admin
Company: Compuprint
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\users\admin\appdata\local\temp\rarsfx0\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2060
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe
Parent process: Install.exe
User: admin
Company: -
Integrity Level: HIGH
Description: Sp40Lib TWAIN layer Ver. 2.01.0 Setup
Exit code: 0
Version: -
Modules (Images):
c:\users\admin\appdata\local\temp\rarsfx0\sp40twainsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 2640
CMD: "C:\Users\admin\AppData\Local\Temp\Twain Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Twain Install.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\twain install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 2788
CMD: "C:\Users\admin\AppData\Local\Temp\is-HQG9Q.tmp\Sp40TWAINSetup.tmp" /SL5="$1801A6,281342,54272,C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-HQG9Q.tmp\Sp40TWAINSetup.tmp
Parent process: Sp40TWAINSetup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-hqg9q.tmp\sp40twainsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 2896
CMD: "C:\Windows\System32\icacls.exe" "C:\Windows\twain_32\COMPUPRINT\sp40lib.ini" /grant:r "Users":F "Administrators":F "SYSTEM":F /inheritance:r
Path: C:\Windows\System32\icacls.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
PID: 2908
CMD: "C:\Windows\System32\icacls.exe" "C:\Windows\twain_32\COMPUPRINT\SP40CONFIG.INI" /grant:r "Users":F "Administrators":F "SYSTEM":F /inheritance:r
Path: C:\Windows\System32\icacls.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
Total events: 2 332
Read events: 2 308
Write events: 24
Delete events: 0

Modification events

All listed events are write operations to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (value name = data written):

(2640) Twain Install.exe: ProxyBypass = 1, IntranetName = 1, UNCAsIntranet = 1, AutoDetect = 0
(552) avvio.exe: ProxyBypass = 1, IntranetName = 1, UNCAsIntranet = 1, AutoDetect = 0
(1556) Install.exe: ProxyBypass = 1, IntranetName = 1
Executable files: 29
Suspicious files: 7
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2060 | Sp40TWAINSetup.exe | C:\Users\admin\AppData\Local\Temp\is-HQG9Q.tmp\Sp40TWAINSetup.tmp | executable
MD5: 67C5A4F36E1C91A3B85E440EDD7AD026
SHA256: 99C299D6565AB53D9AF66E0146737DC0ECFBC52ECF4740825B552DB0CC4210C6

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\COMCAT.DLL | executable
MD5: 3B180DA2B50B954A55FE37AFBA58D428
SHA256: 96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ASYCFILT.DLL | executable
MD5: 23787FC93B88A2863348382CD4B8DFBF
SHA256: F3A15C2491E8CAE712C00DDF94CFC65E38CB7360870707D27637D9F56486BA67

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\VB6STKIT.DLL | executable
MD5: CFF867572B44212B01B711C1FA009537
SHA256: DF6E2F111773ADEC3B33DCB0B31E2A4D21EF7D51740706335F411E2C999C0E6B

2788 | Sp40TWAINSetup.tmp | C:\Users\admin\AppData\Local\Temp\is-F6S96.tmp\_isetup\_RegDLL.tmp | executable
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\msvbvm60.dll | executable
MD5: 351BC7471A9874ACACF7D386FA8BE227
SHA256: 20CBF8835F6FD3878ACACBB7868F7B95A7AAE6C2C9D5D0A926337ED31378FA7A

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.exe | executable
MD5: 39012805961CD05C5E2AE3177A5305DA
SHA256: 8636DEACAD76B976B97412EE0E6515F18CBD2FB8D3C805E1D9023CD2C73CB6B8

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\OLEAUT32.DLL | executable
MD5: 273522F30E18757B37404128C92145C7
SHA256: D11D9ECC6D2D5956BC133E8DF567BE6D10AFBFA243E1E389A2FD0572F6CAC30D

2788 | Sp40TWAINSetup.tmp | C:\Users\admin\AppData\Local\Temp\is-F6S96.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

2640 | Twain Install.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe | executable
MD5: 86BC3DE87B56D3333C30A98ADBAFB78A
SHA256: 1BAE321E452C2691E02F23E349F8363D510F6D08CD95F0BE9D62C299F1A9A66A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info