File name: spmtsetup.exe

Full analysis: https://app.any.run/tasks/e2c8fdc9-bc39-4168-9f22-8fe290f4ac35
Verdict: Malicious activity
Analysis date: May 26, 2024, 00:56:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 39614FFBE4135F5B215A3C0AE9B34DBC
SHA1: 43058E6E70D01F9281A583F10949F3EAD5F1D6E3
SHA256: 991C1E4C02022CC50BAF814D43FAAE42823EA70A4E593290AB083E71E7FF0A5A
SSDEEP: 49152:UGAeNaoaveamgCxzpZ2N9mN67XI5oJwjmxDAkc8UnmbrcIW+u+HYS4WMzwnJ0EOQ:PAU8mgCFpZ2s67bwAAx8rb9puaYSfO4V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
  • SUSPICIOUS

    • Reads the Internet Settings

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
    • Reads settings of System Certificates

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
    • Adds/modifies Windows certificates

      • spmtsetup.exe (PID: 4076)
    • Executable content was dropped or overwritten

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
    • Reads security settings of Internet Explorer

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
    • The process drops C-runtime libraries

      • InstallerClient.exe (PID: 2116)
    • Process drops legitimate windows executable

      • InstallerClient.exe (PID: 2116)
    • The process creates files with name similar to system file names

      • InstallerClient.exe (PID: 2116)
    • Checks Windows Trust Settings

      • InstallerClient.exe (PID: 2116)
    • Searches for installed software

      • InstallerClient.exe (PID: 2116)
    • Creates a software uninstall entry

      • InstallerClient.exe (PID: 2116)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 748)
      • InstallerClient.exe (PID: 2116)
      • spmtsetup.exe (PID: 4076)
    • Create files in a temporary directory

      • spmtsetup.exe (PID: 4076)
    • Reads the machine GUID from the registry

      • InstallerClient.exe (PID: 2116)
      • spmtsetup.exe (PID: 4076)
    • Reads Environment values

      • InstallerClient.exe (PID: 2116)
      • spmtsetup.exe (PID: 4076)
    • Disables trace logs

      • spmtsetup.exe (PID: 4076)
      • InstallerClient.exe (PID: 2116)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 748)
    • Checks supported languages

      • InstallerClient.exe (PID: 2116)
      • spmtsetup.exe (PID: 4076)
      • wmpnscfg.exe (PID: 748)
    • Creates files or folders in the user directory

      • InstallerClient.exe (PID: 2116)
    • Reads the software policy settings

      • InstallerClient.exe (PID: 2116)
      • spmtsetup.exe (PID: 4076)
    • Creates files in the program directory

      • InstallerClient.exe (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2091:10:31 22:09:06+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 1536000
InitializedDataSize: 92160
UninitializedDataSize: -
EntryPoint: 0x178fca
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.121.8
ProductVersionNumber: 1.0.121.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: SPMTSetup
CompanyName: Microsoft
FileDescription: SPMTSetup
FileVersion: 1.0.121.8
InternalName: SPMTSetup.exe
LegalCopyright: Copyright © 2019
LegalTrademarks: -
OriginalFileName: SPMTSetup.exe
ProductName: Microsoft SharePoint Migration Tool
ProductVersion: 1.0.121.8
AssemblyVersion: 1.0.121.8
All screenshots are available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → spmtsetup.exe → installerclient.exe; wmpnscfg.exe (no specs); spmtsetup.exe (no specs)

Process information

PID: 748
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2116
CMD: "C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exe" "C:\Users\admin\AppData\Local\Temp\spmtsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exe
Parent process: spmtsetup.exe
User: admin
Integrity Level: HIGH
Description: ApplicationInstaller
Exit code: 0
Version: 1.0.121.8
Modules (images):
  • c:\users\admin\appdata\local\temp\spmtinstall\installerclient\installerclient.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\apppatch\acgenral.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3964
CMD: "C:\Users\admin\AppData\Local\Temp\spmtsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\spmtsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: SPMTSetup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the medium-integrity instance exited and the same binary was relaunched at high integrity as PID 4076)
Version: 1.0.121.8
Modules (images):
  • c:\users\admin\appdata\local\temp\spmtsetup.exe
  • c:\windows\system32\ntdll.dll

PID: 4076
CMD: "C:\Users\admin\AppData\Local\Temp\spmtsetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\spmtsetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: SPMTSetup
Exit code: 0
Version: 1.0.121.8
Modules (images):
  • c:\users\admin\appdata\local\temp\spmtsetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\apppatch\acgenral.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 30 278
Read events: 30 189
Write events: 84
Delete events: 5

Modification events

PID | Process | Key | Operation | Name | Value
4076 | spmtsetup.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | spmtsetup.exe
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | EnableFileTracing | 0
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | EnableConsoleTracing | 0
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | FileTracingMask | -
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | ConsoleTracingMask | -
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | MaxFileSize | 1048576
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASAPI32 | write | FileDirectory | %windir%\tracing
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS | write | EnableFileTracing | 0
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS | write | EnableConsoleTracing | 0
4076 | spmtsetup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spmtsetup_RASMANCS | write | FileTracingMask | -
Executable files: 154
Suspicious files: 77
Text files: 31
Unknown types: 19

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\ru\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | E6633D22C763507B78EF33C35824EB32 | 2EFD2848B9B7860A3ACDAE3278084F714D2533D1F1C6EF8CB30243AC18D29F8E
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\Microsoft.Bond.Interfaces.dll | executable | 1333B3721203691C1DE10F84AEAACADD | ED5B7BA5F3D6146AF88F9DD8F96FC8D18620397A4053E1AA9B49086FB8C7EA5E
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\InstallerClient.exe | executable | C05F0CE3C185FA0CC32F3DF9D0C7CA84 | 558A2A906D215F3D07A3FE56597EE4FBA40BAB9762965375FB469FA3665B49FB
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\zh-cht\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | D9326D6D7C124A4502CB4EF08AFCE595 | A5370C87EE87C4820778D13D0DC619DD605296F294C81B47FA8C64D15CEFCB25
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\fr\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | C1702128A30C2456F2D9F1E0590C5EA9 | 86A2AAB2E9E1A98CACD7C07882FA46F436FB47C09E169FB489A64FD7E965C78A
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\es\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | 27D78C0A2BCA0984C16B501D2F192593 | 18C6D65B6D329FD71C6BE949D42656ED3940C49BC8217A5A09D13EF2E01AE23D
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\zh-chs\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | 90AE5FD43BE22C8B45EE5B31DA6C9609 | E5B2F40B739A802A4B8C371077D133C3014FC3236AF1ABCE71DD6394EC43B8E3
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\ko\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | EEB1C60AAEB49C50A671C00EDB6DC09F | BA38F4E8CFD5881BE048F0B03B40AD16948C6E92A6121E478239017EC40D1AF3
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\Microsoft.Applications.Telemetry.dll | executable | B4F7137D2027E9F4F6E030EA93F2BDAD | 492A457A70D5D0A3EBB61134939ED04E595BCDB3DC1BB5FBB84082630D9002B7
4076 | spmtsetup.exe | C:\Users\admin\AppData\Local\Temp\SPMTInstall\InstallerClient\en-US\microsoft.sharepoint.migrationtool.remoteinstall.resources.dll | executable | 65B313958B210E08C2C9CDDD2459D1C7 | 8874FCB0EB0BE504197F32B372DFB00C0B87257ABFFEE553197C713831CEF9AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 10
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4076 | spmtsetup.exe | 23.47.113.237:443 | aka.ms | AKAMAI-AS | AE | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4076 | spmtsetup.exe | 95.101.150.2:443 | learn.microsoft.com | Akamai International B.V. | NL | unknown
2116 | InstallerClient.exe | 13.107.246.43:443 | spmt.sharepointonline.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2116 | InstallerClient.exe | 20.52.64.200:443 | server3.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | unknown

DNS requests

Domain | IP | Reputation
aka.ms | 23.47.113.237 | whitelisted
learn.microsoft.com | 95.101.150.2 | whitelisted
spmt.sharepointonline.com | 13.107.246.43 | unknown
server3.pipe.aria.microsoft.com | 20.52.64.200 | unknown

Threats

No threats detected

Process | Message
InstallerClient.exe | InstallerClient.exe Information: 0 :
InstallerClient.exe | TelemetryManagerImpl creation started
InstallerClient.exe | Starting TelemetryManager constructor
InstallerClient.exe | InstallerClient.exe Information: 0 :
InstallerClient.exe | Performance counters are disabled. Skipping creation of counters category.
InstallerClient.exe | InstallerClient.exe Information: 0 :
InstallerClient.exe | InstallerClient.exe Information: 0 :
InstallerClient.exe | RecordBatcherTask with ID 12 started.
InstallerClient.exe | InstallerClient.exe Information: 0 :
InstallerClient.exe | InstallerClient.exe Information: 0 :