File name:

spmtsetup.exe

Full analysis: https://app.any.run/tasks/e2c8fdc9-bc39-4168-9f22-8fe290f4ac35
Verdict: Malicious activity
Analysis date: May 26, 2024, 00:56:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

39614FFBE4135F5B215A3C0AE9B34DBC

SHA1:

43058E6E70D01F9281A583F10949F3EAD5F1D6E3

SHA256:

991C1E4C02022CC50BAF814D43FAAE42823EA70A4E593290AB083E71E7FF0A5A

SSDEEP:

49152:UGAeNaoaveamgCxzpZ2N9mN67XI5oJwjmxDAkc8UnmbrcIW+u+HYS4WMzwnJ0EOQ:PAU8mgCFpZ2s67bwAAx8rb9puaYSfO4V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

  • SUSPICIOUS

    • Reads the Internet Settings

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Reads settings of System Certificates

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Adds/modifies Windows certificates

      • spmtsetup.exe (PID: 4076)

    • Executable content was dropped or overwritten

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Reads security settings of Internet Explorer

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Process drops legitimate windows executable

      • InstallerClient.exe (PID: 2116)

    • The process creates files with name similar to system file names

      • InstallerClient.exe (PID: 2116)

    • The process drops C-runtime libraries

      • InstallerClient.exe (PID: 2116)

    • Creates a software uninstall entry

      • InstallerClient.exe (PID: 2116)

    • Searches for installed software

      • InstallerClient.exe (PID: 2116)

    • Checks Windows Trust Settings

      • InstallerClient.exe (PID: 2116)

  • INFO

    • Reads the computer name

      • spmtsetup.exe (PID: 4076)
      • wmpnscfg.exe (PID: 748)
      • InstallerClient.exe (PID: 2116)

    • Disables trace logs

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Reads the machine GUID from the registry

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Checks supported languages

      • spmtsetup.exe (PID: 4076)
      • wmpnscfg.exe (PID: 748)
      • InstallerClient.exe (PID: 2116)

    • Reads Environment values

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 748)

    • Reads the software policy settings

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)

    • Create files in a temporary directory

      • spmtsetup.exe (PID: 4076)

    • Creates files or folders in the user directory

      • InstallerClient.exe (PID: 2116)

    • Creates files in the program directory

      • InstallerClient.exe (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2091:10:31 22:09:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 1536000
InitializedDataSize: 92160
UninitializedDataSize: -
EntryPoint: 0x178fca
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.121.8
ProductVersionNumber: 1.0.121.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: SPMTSetup
CompanyName: Microsoft
FileDescription: SPMTSetup
FileVersion: 1.0.121.8
InternalName: SPMTSetup.exe
LegalCopyright: Copyright © 2019
LegalTrademarks: -
OriginalFileName: SPMTSetup.exe
ProductName: Microsoft SharePoint Migration Tool
ProductVersion: 1.0.121.8
AssemblyVersion: 1.0.121.8
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start spmtsetup.exe wmpnscfg.exe no specs installerclient.exe spmtsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
748"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2116"C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exe" "C:\Users\admin\AppData\Local\Temp\spmtsetup.exe"C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exe
spmtsetup.exe
User:
admin
Integrity Level:
HIGH
Description:
ApplicationInstaller
Exit code:
0
Version:
1.0.121.8
Modules
Images
c:\users\admin\appdata\local\temp\spmtinstall\installerclient\installerclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
3964"C:\Users\admin\AppData\Local\Temp\spmtsetup.exe" C:\Users\admin\AppData\Local\Temp\spmtsetup.exeexplorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
SPMTSetup
Exit code:
3221226540
Version:
1.0.121.8
Modules
Images
c:\users\admin\appdata\local\temp\spmtsetup.exe
c:\windows\system32\ntdll.dll
4076"C:\Users\admin\AppData\Local\Temp\spmtsetup.exe" C:\Users\admin\AppData\Local\Temp\spmtsetup.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
SPMTSetup
Exit code:
0
Version:
1.0.121.8
Modules
Images
c:\users\admin\appdata\local\temp\spmtsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
30 278
Read events
30 189
Write events
84
Delete events
5

Modification events

(PID) Process:(4076) spmtsetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
spmtsetup.exe
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4076) spmtsetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS
Operation:writeName:FileTracingMask
Value:
Executable files
154
Suspicious files
77
Text files
31
Unknown types
19

Dropped files

PID
Process
Filename
Type
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\en-US\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:65B313958B210E08C2C9CDDD2459D1C7
SHA256:8874FCB0EB0BE504197F32B372DFB00C0B87257ABFFEE553197C713831CEF9AE
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient.zipcompressed
MD5:9E0133ECD2B8EAFE477EBACD9800892A
SHA256:2D52BB500E82A4A3E85143BC4D59A29B77CD43395DC1E236FAB9B9EB68D6DAF9
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exeexecutable
MD5:C05F0CE3C185FA0CC32F3DF9D0C7CA84
SHA256:558A2A906D215F3D07A3FE56597EE4FBA40BAB9762965375FB469FA3665B49FB
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\es\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:27D78C0A2BCA0984C16B501D2F192593
SHA256:18C6D65B6D329FD71C6BE949D42656ED3940C49BC8217A5A09D13EF2E01AE23D
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\ja\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:E3AEE14AFD11E35748E1A558471C4E4B
SHA256:91C96AF0ADBEA66C4FA9AB62CC996055B86FB954C012354DA808E075F46AB043
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\fr\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:C1702128A30C2456F2D9F1E0590C5EA9
SHA256:86A2AAB2E9E1A98CACD7C07882FA46F436FB47C09E169FB489A64FD7E965C78A
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\it\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:C0AED8B0A7ACA27755B259FC088E8AFF
SHA256:C38ACFC67B0BF0DE365368CF3728A3DCD0EAA283A5202A9A97312A0E17F2B2E9
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\de\microsoft.sharepoint.migrationtool.remoteinstall.resources.dllexecutable
MD5:554143396F2C5EF99B3F26FDF2C74DAD
SHA256:DAC170AD5DA0C72C5FFFE9E6172ABA866E43F0FBF390B1CC9B11DDAF516234E0
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\Microsoft.Bond.dllexecutable
MD5:7A8687BEF4AE58D3CBFD0F437CED41AA
SHA256:AFBFBAEC4102C88020671AF863001C1E004F49E048F0E43715A40A6B6D368E5B
4076spmtsetup.exeC:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\Microsoft.Applications.Telemetry.dllexecutable
MD5:B4F7137D2027E9F4F6E030EA93F2BDAD
SHA256:492A457A70D5D0A3EBB61134939ED04E595BCDB3DC1BB5FBB84082630D9002B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
10
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
4076
spmtsetup.exe
23.47.113.237:443
aka.ms
AKAMAI-AS
AE
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
4076
spmtsetup.exe
95.101.150.2:443
learn.microsoft.com
Akamai International B.V.
NL
unknown
2116
InstallerClient.exe
13.107.246.43:443
spmt.sharepointonline.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2116
InstallerClient.exe
20.52.64.200:443
server3.pipe.aria.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
DE
unknown

DNS requests

Domain
IP
Reputation
aka.ms
  • 23.47.113.237
whitelisted
learn.microsoft.com
  • 95.101.150.2
whitelisted
spmt.sharepointonline.com
  • 13.107.246.43
unknown
server3.pipe.aria.microsoft.com
  • 20.52.64.200
unknown

Threats

No threats detected
Process
Message
InstallerClient.exe
InstallerClient.exe Information: 0 :
InstallerClient.exe
TelemetryManagerImpl creation started
InstallerClient.exe
Starting TelemetryManager constructor
InstallerClient.exe
InstallerClient.exe Information: 0 :
InstallerClient.exe
Performance counters are disabled. Skipping creation of counters category.
InstallerClient.exe
InstallerClient.exe Information: 0 :
InstallerClient.exe
InstallerClient.exe Information: 0 :
InstallerClient.exe
RecordBatcherTask with ID 12 started.
InstallerClient.exe
InstallerClient.exe Information: 0 :
InstallerClient.exe
InstallerClient.exe Information: 0 :
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
spmtsetup.exe