File name: Twain Install.exe

Full analysis: https://app.any.run/tasks/e66844e6-0134-44e3-961d-8995a5bd9c76
Verdict: Malicious activity
Analysis date: January 23, 2024, 07:09:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: D52037F2EDA0D3197052298C0CB84DB9
SHA1: 90627861E9FB6809913CB9E41701752554C8E8D2
SHA256: 8C10CD4EEF88FEE9EC39AEA4E8C03A16ECC6709257015782EFEBC932673E9E29
SSDEEP: 24576:UIQnrTXGxwuHeHVoWO2YM1+jIev2WvPrakxOQVFsICBxZDsBFT//6czwOTu:UIGrjLuHklYM1+j2pk4cpCDZsmwjK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Twain Install.exe (PID: 128)
      • Sp40TWAINSetup.exe (PID: 764)
      • Sp40TWAINSetup.tmp (PID: 1264)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • Twain Install.exe (PID: 128)
      • Sp40TWAINSetup.tmp (PID: 1264)
    • Reads the Internet Settings

      • avvio.exe (PID: 1404)
      • Twain Install.exe (PID: 128)
      • Install.exe (PID: 1604)
    • Executable content was dropped or overwritten

      • Twain Install.exe (PID: 128)
      • Sp40TWAINSetup.exe (PID: 764)
      • Sp40TWAINSetup.tmp (PID: 1264)
    • Reads the Windows owner or organization settings

      • Sp40TWAINSetup.tmp (PID: 1264)
    • Drops a system driver (possible attempt to evade defenses)

      • Sp40TWAINSetup.tmp (PID: 1264)
    • Uses ICACLS.EXE to modify access control lists

      • Install.exe (PID: 1604)
  • INFO

    • Reads the computer name

      • avvio.exe (PID: 1404)
      • Twain Install.exe (PID: 128)
      • Install.exe (PID: 1604)
      • Sp40TWAINSetup.tmp (PID: 1264)
    • Checks supported languages

      • Twain Install.exe (PID: 128)
      • avvio.exe (PID: 1404)
      • Sp40TWAINSetup.exe (PID: 764)
      • Install.exe (PID: 1604)
      • Sp40TWAINSetup.tmp (PID: 1264)
    • Create files in a temporary directory

      • Twain Install.exe (PID: 128)
      • Sp40TWAINSetup.exe (PID: 764)
      • Sp40TWAINSetup.tmp (PID: 1264)
    • Reads the machine GUID from the registry

      • avvio.exe (PID: 1404)
    • Manual execution by a user

      • explorer.exe (PID: 2444)
No Malware configuration.

TRiD

.exe | WinRAR Self Extracting archive (94.3)
.scr | Windows screen saver (2.3)
.dll | Win32 Dynamic Link Library (generic) (1.1)
.exe | Win32 Executable (generic) (0.8)
.exe | Win32 Executable Watcom C++ (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:09:16 16:17:44+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 81920
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes: start, twain install.exe, avvio.exe (no specs), install.exe, sp40twainsetup.exe, sp40twainsetup.tmp, icacls.exe (no specs), icacls.exe (no specs), PhotoViewer.dll (no specs), explorer.exe (no specs)

Process information

PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\Twain Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Twain Install.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\twain install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 764
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe
Parent process: Install.exe
User: admin
Company: -
Integrity Level: HIGH
Description: Sp40Lib TWAIN layer Ver. 2.01.0 Setup
Exit code: 0
Version: -
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\sp40twainsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1264
CMD: "C:\Users\admin\AppData\Local\Temp\is-RKQI9.tmp\Sp40TWAINSetup.tmp" /SL5="$3019A,281342,54272,C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-RKQI9.tmp\Sp40TWAINSetup.tmp
Parent process: Sp40TWAINSetup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-rkqi9.tmp\sp40twainsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 1404
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\avvio.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\avvio.exe
Parent process: Twain Install.exe
User: admin
Company: Compuprint srl
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\avvio.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1540
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1604
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Install.exe
Parent process: avvio.exe
User: admin
Company: Compuprint
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\rarsfx0\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1796
CMD: "C:\Windows\System32\icacls.exe" "C:\Windows\twain_32\COMPUPRINT\sp40lib.ini" /grant:r "Users":F "Administrators":F "SYSTEM":F /inheritance:r
Path: C:\Windows\System32\icacls.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
PID: 2128
CMD: "C:\Windows\System32\icacls.exe" "C:\Windows\twain_32\COMPUPRINT\SP40CONFIG.INI" /grant:r "Users":F "Administrators":F "SYSTEM":F /inheritance:r
Path: C:\Windows\System32\icacls.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
PID: 2444
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 2 522
Read events: 2 497
Write events: 25
Delete events: 0

Modification events

(PID) Process: (128) Twain Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (128) Twain Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (128) Twain Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (128) Twain Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1404) avvio.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1404) avvio.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1404) avvio.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1404) avvio.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1604) Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1604) Install.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 29
Suspicious files: 7
Text files: 0
Unknown types: 0

Dropped files

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\OLEPRO32.DLL | Type: executable
MD5: 0B975CD71FBE55EADFF409E9CE2DA37E
SHA256: 23138AB6AD921A544694FA475FBF784F7C4682565FF1F00EA7B5DBD2458C7D99

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\OLEAUT32.DLL | Type: executable
MD5: 273522F30E18757B37404128C92145C7
SHA256: D11D9ECC6D2D5956BC133E8DF567BE6D10AFBFA243E1E389A2FD0572F6CAC30D

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\vb6it.dll | Type: executable
MD5: 6A5B1C929BC83BA6F81A61543682B001
SHA256: 0F53CF070AD836D2126712124B6EBDC321A5F1DA12F3CEF76594F060DD824ADF

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\Sp40TWAINSetup.exe | Type: executable
MD5: 86BC3DE87B56D3333C30A98ADBAFB78A
SHA256: 1BAE321E452C2691E02F23E349F8363D510F6D08CD95F0BE9D62C299F1A9A66A

PID: 1264 | Process: Sp40TWAINSetup.tmp | Filename: C:\Users\admin\AppData\Local\Temp\is-93ALL.tmp\_isetup\_RegDLL.tmp | Type: executable
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\ASYCFILT.DLL | Type: executable
MD5: 23787FC93B88A2863348382CD4B8DFBF
SHA256: F3A15C2491E8CAE712C00DDF94CFC65E38CB7360870707D27637D9F56486BA67

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\COMCAT.DLL | Type: executable
MD5: 3B180DA2B50B954A55FE37AFBA58D428
SHA256: 96D04CDFAF4F4D7B8722B139A15074975D4C244302F78034B7BE65DF1A92FD03

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\msvbvm60.dll | Type: executable
MD5: 351BC7471A9874ACACF7D386FA8BE227
SHA256: 20CBF8835F6FD3878ACACBB7868F7B95A7AAE6C2C9D5D0A926337ED31378FA7A

PID: 128 | Process: Twain Install.exe | Filename: C:\Users\admin\AppData\Local\Temp\RarSFX0\avvio.exe | Type: executable
MD5: ED8D046370C4DE28BA232A31C5FB6314
SHA256: A3F85C30F09878DB255556E07B3224AA06D9F2F0ACEC17418AB9FB813FF5B031

PID: 764 | Process: Sp40TWAINSetup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-RKQI9.tmp\Sp40TWAINSetup.tmp | Type: executable
MD5: 67C5A4F36E1C91A3B85E440EDD7AD026
SHA256: 99C299D6565AB53D9AF66E0146737DC0ECFBC52ECF4740825B552DB0CC4210C6
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info