analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup.exe

Full analysis: https://app.any.run/tasks/9c802dbb-f5ac-42d5-be3b-3dcb9deddc02
Verdict: Malicious activity
Analysis date: March 21, 2019, 14:29:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive
MD5:

51AC066801A7A4D304230235E4AFE393

SHA1:

994245512D4DD6F45FA4B25CEADE4B6BF699B1FB

SHA256:

DA09DBAB45EB946296F2D43514B0012DA30E192E6D8A4526FB44CA8F2F11B8D3

SSDEEP:

393216:vLpDDLWKwKzN2oHj7YyoAQJNuelMs6vmEvsuke2BjnMRrpzxPsb:vLRZwgypARS/6vmXte2pnMg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Preload.exe (PID: 1308)
      • qmInstaller.exe (PID: 2620)
    • Loads dropped or rewritten executable

      • Preload.exe (PID: 1308)
    • Starts NET.EXE for service management

      • setup.exe (PID: 1892)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • setup.exe (PID: 1892)
      • Preload.exe (PID: 1308)
    • Reads internet explorer settings

      • qmInstaller.exe (PID: 2620)
    • Low-level read access rights to disk partition

      • qmInstaller.exe (PID: 2620)
    • Reads Internet Cache Settings

      • qmInstaller.exe (PID: 2620)
    • Creates files in the user directory

      • qmInstaller.exe (PID: 2620)
    • Creates COM task schedule object

      • Preload.exe (PID: 1308)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | WinRAR Self Extracting archive (88.2)
.exe | UPX compressed Win32 Executable (4.6)
.exe | Win32 EXE Yoda's Crypter (4.5)
.dll | Win32 Dynamic Link Library (generic) (1.1)
.exe | Win32 Executable (generic) (0.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x21bd0
UninitializedDataSize: 90112
InitializedDataSize: 8192
CodeSize: 45056
LinkerVersion: 5
PEType: PE32
TimeStamp: 2004:09:08 15:51:36+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Sep-2004 13:51:36
Detected languages:
  • Russian - Russia

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000200

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 08-Sep-2004 13:51:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00016000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00017000
0x0000B000
0x0000AE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.89983
.rsrc
0x00022000
0x00002000
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.75785

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10885
531
UNKNOWN
Russian - Russia
RT_MANIFEST
2
3.88998
1384
UNKNOWN
Russian - Russia
RT_ICON
3
4.12176
744
UNKNOWN
Russian - Russia
RT_ICON
4
4.68705
2216
UNKNOWN
Russian - Russia
RT_ICON
7
7.52713
556
UNKNOWN
Russian - Russia
RT_STRING
8
7.64952
886
UNKNOWN
Russian - Russia
RT_STRING
9
7.52107
530
UNKNOWN
Russian - Russia
RT_STRING
10
7.56432
638
UNKNOWN
Russian - Russia
RT_STRING
100
2.6902
62
UNKNOWN
Russian - Russia
RT_GROUP_ICON
101
7.84911
2998
UNKNOWN
Russian - Russia
RT_BITMAP

Imports

ADVAPI32.DLL
COMCTL32.DLL
COMDLG32.DLL
GDI32.DLL
KERNEL32.DLL
OLE32.DLL
SHELL32.DLL
USER32.DLL
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start setup.exe no specs setup.exe net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs preload.exe qminstaller.exe

Process information

PID
CMD
Path
Indicators
Parent process
2676"C:\Users\admin\AppData\Local\Temp\setup.exe" C:\Users\admin\AppData\Local\Temp\setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
1892"C:\Users\admin\AppData\Local\Temp\setup.exe" C:\Users\admin\AppData\Local\Temp\setup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2652"C:\Windows\system32\net.exe" stop qmMgrC:\Windows\system32\net.exesetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3044C:\Windows\system32\net1 stop qmMgrC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1624"C:\Windows\system32\net.exe" stop qmwatchdogC:\Windows\system32\net.exesetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1096C:\Windows\system32\net1 stop qmwatchdogC:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1308"C:\PSMeterBilling\Preload.exe" -HOST:www.psmeterbilling.co.uk -PATH:PSMeterBilling -LOGC:\PSMeterBilling\Preload.exe
setup.exe
User:
admin
Company:
PrintMIB, LLC
Integrity Level:
HIGH
Description:
PreLoad utility for DCA installer
Exit code:
0
Version:
3.01.0001
2620c:\PSMeterBilling\qmInstaller.exe -HOST:www.psmeterbilling.co.uk -PATH:PSMeterBilling -LOGc:\PSMeterBilling\qmInstaller.exe
Preload.exe
User:
admin
Company:
PrintMIB, LLC
Integrity Level:
HIGH
Description:
DCA Installer
Version:
3.01.0001
Total events
1 208
Read events
180
Write events
0
Delete events
0

Modification events

No data
Executable files
41
Suspicious files
0
Text files
59
Unknown types
7

Dropped files

PID
Process
Filename
Type
1892setup.exeC:\PSMeterBilling\PrintMIB3.mdb
MD5:
SHA256:
1892setup.exeC:\PSMeterBilling\MSWINSCK.OCXexecutable
MD5:E8A2190A9E8EE5E5D2E0B599BBF9DDA6
SHA256:80AB0B86DE58A657956B2A293BD9957F78E37E7383C86D6CD142208C153B6311
1892setup.exeC:\PSMeterBilling\Restart.exeexecutable
MD5:F4C0C94ABAA4132CF2ED8EF883A3DAEB
SHA256:2F2FB0093B302F395F40C1E8367DBBBF48F76D1798340A3750CA866DD3D8A56A
1892setup.exeC:\PSMeterBilling\DartZip.dllexecutable
MD5:4AA4B6C02A7D9975B06A5E709388502C
SHA256:127FBB9412758A4CC8051DCC6F243541D4A05EFB2BF38444C5BBF9F654284461
1892setup.exeC:\PSMeterBilling\lgOk.gifimage
MD5:D96ED064F3310BA0C96A811B08408093
SHA256:9AF6643B08D7C9F84517CB39E982EFF582A160804D7C3A30BA38D3EC0BC7508D
1892setup.exeC:\PSMeterBilling\ExtLVCTL.ocxexecutable
MD5:6C2A11CD8ADA481897A6C225435CFA53
SHA256:08F6949C912C95FE68CB468812EBF6DCF45D0295692ADA1759364B27295EC218
1892setup.exeC:\PSMeterBilling\ExtTimer.ocxexecutable
MD5:5741F4BEB5F4A97B375421B709C24E32
SHA256:130B18EF6EB958EE31A563CC0E1971DD8819F5528960924B857D0B10D21822C2
1892setup.exeC:\PSMeterBilling\rs.exeexecutable
MD5:D693BE03037D33F7AB8A1255ADDA9F8D
SHA256:91C56F0C69B728C2B3D57003C7E6FCCC998467B5C2A81CEF1E79E3E8FC6B09C2
1892setup.exeC:\PSMeterBilling\qmInstaller.exeexecutable
MD5:3D77D85B507CE77EB1AB298F49F51D0E
SHA256:66E7708D8F683123B6BF45AE5D528F4CF6CB337FCE9D4034B2CC69010B11323C
1892setup.exeC:\PSMeterBilling\Mscomct2.ocxexecutable
MD5:C1B4AF41A0370E4081D59AC99BCC929D
SHA256:2B7A1F905486736EDA8B51ADD1BC2590C2A6D9D5A9AB7565335D989F39C0EB8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2620
qmInstaller.exe
GET
200
185.162.224.64:80
http://www.psmeterbilling.co.uk/install/login.asp?session=QM00001&sessiona=C4BA3647&instver=3.1.1&qmibver=3.2.6&tsclient=False&proxy=N&clientname=&varid=&groupid=&groupname=&hostmac=52:54:00:4A:04:AF&hostvm=false00
GB
html
4.95 Kb
malicious
2620
qmInstaller.exe
GET
200
185.162.224.64:80
http://www.psmeterbilling.co.uk/images/PS-Logo2.gif
GB
image
3.76 Kb
malicious
2620
qmInstaller.exe
GET
200
185.162.224.64:80
http://www.psmeterbilling.co.uk/install/install.css
GB
text
685 b
malicious
2620
qmInstaller.exe
GET
200
185.162.224.64:80
http://www.psmeterbilling.co.uk/install/images/login.gif
GB
image
916 b
malicious
2620
qmInstaller.exe
GET
404
185.162.224.64:80
http://www.psmeterbilling.co.uk/install/images/inputbg.gif
GB
html
4.78 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2620
qmInstaller.exe
185.162.224.64:80
www.psmeterbilling.co.uk
UKfastnet Ltd
GB
malicious

DNS requests

Domain
IP
Reputation
www.psmeterbilling.co.uk
  • 185.162.224.64
malicious

Threats

PID
Process
Class
Message
2620
qmInstaller.exe
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
No debug info