File name: TSMSetup.exe
Full analysis: https://app.any.run/tasks/7f1e3607-ce25-4d03-ba97-8a4c0b15e6d6
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. After infecting a victim's computer it typically profiles the system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: May 29, 2024, 21:34:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: DB9E877FB2AA6FED5F8E729E44A8C823
SHA1: 0098E9ED1173A95F61E2E1712968353B5DA0892E
SHA256: 077F1659ADD338E217216ACD6F284634977C507F5E2DF5AC0E08BCADAEF8FD64
SSDEEP: 98304:7inwbtVakUZc76B8BTBfKFztGvfM12TcJs06B1wLeuTCFdjvZgEMbWwikTVMJR8x:Hddlpxzejlx

ANY.RUN is an interactive service which provides full access to the guest system. Because an analyst can interact with the sandbox, the information in this report may have been influenced by user actions; it is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • TSMSetup.exe (PID: 6268)
      • MSTeamsSetup_c_l_.exe (PID: 6404)
      • Update.exe (PID: 6428)
    • Connects to the CnC server

      • rundll32.exe (PID: 6348)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • TSMSetup.exe (PID: 6268)
      • MSTeamsSetup_c_l_.exe (PID: 6404)
    • Executable content was dropped or overwritten

      • TSMSetup.exe (PID: 6268)
      • MSTeamsSetup_c_l_.exe (PID: 6404)
      • Update.exe (PID: 6428)
    • Process drops legitimate windows executable

      • TSMSetup.exe (PID: 6268)
      • MSTeamsSetup_c_l_.exe (PID: 6404)
      • Update.exe (PID: 6428)
    • Reads the date of Windows installation

      • TSMSetup.exe (PID: 6268)
    • Uses RUNDLL32.EXE to load library

      • TSMSetup.exe (PID: 6268)
    • Reads security settings of Internet Explorer

      • TSMSetup.exe (PID: 6268)
      • Update.exe (PID: 6428)
    • Checks Windows Trust Settings

      • Update.exe (PID: 6428)
  • INFO

    • Checks supported languages

      • TSMSetup.exe (PID: 6268)
      • Update.exe (PID: 6428)
      • MSTeamsSetup_c_l_.exe (PID: 6404)
    • Reads the computer name

      • TSMSetup.exe (PID: 6268)
      • Update.exe (PID: 6428)
    • Process checks computer location settings

      • TSMSetup.exe (PID: 6268)
    • Create files in a temporary directory

      • TSMSetup.exe (PID: 6268)
      • Update.exe (PID: 6428)
    • Creates files or folders in the user directory

      • MSTeamsSetup_c_l_.exe (PID: 6404)
      • Update.exe (PID: 6428)
    • Reads the machine GUID from the registry

      • Update.exe (PID: 6428)
    • Reads Environment values

      • Update.exe (PID: 6428)
    • Reads Microsoft Office registry keys

      • Update.exe (PID: 6428)
    • Disables trace logs

      • Update.exe (PID: 6428)
    • Checks proxy server information

      • Update.exe (PID: 6428)
    • Reads the software policy settings

      • Update.exe (PID: 6428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
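Read together, the signatures above describe one chain: TSMSetup.exe (carrying a Microsoft Teams version block) drops CleanUp.dll and MSTeamsSetup_c_l_.exe into %TEMP%, loads the DLL through rundll32.exe with the export name Test, and the 64-bit rundll32 relaunches itself as the SysWOW64 rundll32 (PID 6348), which is the process the report flags for the CnC connection; meanwhile the user sees a genuine Teams installation proceed. The following is an added example, not part of the ANY.RUN report and not ANY.RUN's own rule logic: it encodes three of those signatures as plain checks over Sysmon-style process-creation events so the same chain can be hunted in EDR or SIEM exports. The event list is constructed from the process table in this report; the PID used for explorer.exe and the final benign control event are invented.

```python
"""Process-tree triage for the rundll32 loader chain in this report.

Rules (names are this example's own, not ANY.RUN signature names):
  rundll32_dll_in_user_writable_path  rundll32.exe asked to load a DLL from
                                      %TEMP%, %APPDATA%, Downloads, Public
                                      or ProgramData
  rundll32_wow64_relaunch             a SysWOW64 rundll32 spawned by the
                                      System32 one; the 64-bit host does this
                                      when the DLL is 32-bit, so the child is
                                      the process that actually runs the payload
  microsoft_image_unusual_location    an image whose version block claims
                                      Microsoft Corporation but runs outside
                                      Windows / Program Files
"""
import re

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\downloads\\", "\\programdata\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# rundll32 argument grammar: [optionally quoted] dll path, then a comma, then the export.
RUNDLL_ARGS = re.compile(r'^\s*"?([^",]+?)"?\s*,\s*([A-Za-z_@#][\w@#]*)')

# Constructed events. PIDs, images, command lines and parents come from the
# report's process table; 4444 (explorer.exe) and event 7000 are invented.
EVENTS = [
    {"pid": 6268, "ppid": 4444, "image": r"C:\Users\admin\Desktop\TSMSetup.exe",
     "cmdline": r'"C:\Users\admin\Desktop\TSMSetup.exe"',
     "company": "Microsoft Corporation", "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6332, "ppid": 6268, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\CleanUp.dll", Test',
     "company": "Microsoft Corporation", "parent_image": r"C:\Users\admin\Desktop\TSMSetup.exe"},
    {"pid": 6348, "ppid": 6332, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\CleanUp.dll", Test',
     "company": "Microsoft Corporation", "parent_image": r"C:\Windows\System32\rundll32.exe"},
    {"pid": 6404, "ppid": 6268, "image": r"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"',
     "company": "Microsoft Corporation", "parent_image": r"C:\Users\admin\Desktop\TSMSetup.exe"},
    {"pid": 6428, "ppid": 6404, "image": r"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode',
     "company": "Microsoft Corporation", "parent_image": r"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"},
    # Benign control (invented): Control Panel applet launched the normal way.
    {"pid": 7000, "ppid": 4444, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
     "company": "Microsoft Corporation", "parent_image": r"C:\Windows\explorer.exe"},
]


def split_program(cmdline):
    """Return (program token, remaining arguments) of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:]
    prog, _, rest = s.partition(" ")
    return prog, rest


def parse_rundll32(cmdline):
    """Extract (dll_path, export) from a rundll32 command line, or None."""
    prog, rest = split_program(cmdline)
    if not prog.lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL_ARGS.match(rest)
    return (m.group(1), m.group(2)) if m else None


def evaluate(events):
    """Map each PID to the sorted list of rule names it triggers."""
    findings = {}
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent_image"].lower()
        hits = []
        parsed = parse_rundll32(ev["cmdline"])
        if parsed and any(p in parsed[0].lower() for p in USER_WRITABLE):
            hits.append("rundll32_dll_in_user_writable_path")
        if image.endswith("\\syswow64\\rundll32.exe") and parent.endswith("\\system32\\rundll32.exe"):
            hits.append("rundll32_wow64_relaunch")
        if ev.get("company") == "Microsoft Corporation" and not image.startswith(TRUSTED_ROOTS):
            hits.append("microsoft_image_unusual_location")
        findings[ev["pid"]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits or "-")
```

The location rule fires on the genuine Teams installer and Squirrel Update.exe as well as on the loader, which is why it is graded only as suspicious in the report; the rundll32 rules are the ones worth alerting on, and the WOW64 relaunch tells you which of the two rundll32 instances to pull memory and network context from.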

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:03:07 06:19:40+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 234496
InitializedDataSize: 7798272
UninitializedDataSize: -
EntryPoint: 0x177c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.7.0.3315
ProductVersionNumber: 1.7.0.3315
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Microsoft Teams
FileVersion: 1.7.00.3315
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2016 Microsoft. All rights reserved.
OriginalFileName: Setup.exe
ProductName: Microsoft Teams
ProductVersion: 1.7.00.3315
SquirrelAwareVersion: 1
CompanyName: Microsoft Corporation
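Everything in the version block above (FileDescription "Microsoft Teams", InternalName Setup.exe, CompanyName, the Squirrel marker) is free-form resource text that any installer builder can copy from the real Teams setup; it proves nothing about origin. The report does not say whether TSMSetup.exe carries an Authenticode signature at all. The following is an added example, not code from ANY.RUN: a standard-library PE header reader that pulls the same fields the EXIF block lists (machine, link timestamp, linker version, entry point, subsystem, characteristics) and reports whether the image has a certificate table (data directory 4), which is the only place a real signature can live. Presence of the table is not validation; that still requires a chain check with signtool or Get-AuthenticodeSignature. The bytes it runs on are a constructed minimal PE32+ header (header values taken from this report, no sections, no code), not TSMSetup.exe.

```python
"""Minimal PE header reader (added example, not from the ANY.RUN report)."""
import struct
import sys
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
MACHINES = {IMAGE_FILE_MACHINE_AMD64: "AMD64", IMAGE_FILE_MACHINE_I386: "I386"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
CHARACTERISTICS = {0x0001: "No relocs", 0x0002: "Executable",
                   0x0020: "Large address aware", 0x2000: "DLL"}


def parse_pe(data: bytes) -> dict:
    """Return the COFF/optional header fields of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, timestamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # COFF header is 20 bytes
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # same offset in PE32 and PE32+
    dd_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)    # start of the data directories
    sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "pe_type": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "linker_version": f"{major_linker}.{minor_linker}",
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "entry_point": entry_point,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "has_certificate_table": sec_off != 0 and sec_size != 0,
    }


def build_sample_pe(machine=IMAGE_FILE_MACHINE_AMD64, timestamp=1709792380,
                    entry=0x177C0, with_cert=False) -> bytes:
    """Construct a minimal PE32+ header for demonstration (no sections, no code).

    Defaults mirror the EXIF block of this report: AMD64, linker 14.29,
    entry point 0x177c0, GUI subsystem, timestamp 2024-03-07 06:19:40 UTC.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 240, 0x0023)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      PE32PLUS_MAGIC, 14, 29,          # magic, linker major/minor
                      0, 0, 0, entry, 0x1000,          # code/data sizes, entry point, base of code
                      0x140000000, 0x1000, 0x200,      # image base, section/file alignment
                      6, 0, 0, 0, 6, 0,                # OS, image, subsystem versions
                      0, 0x2000, 0x400, 0,             # win32 version, image size, headers size, checksum
                      2, 0x8160,                       # subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16)                           # loader flags, number of data directories
    dirs = [(0, 0)] * 16
    if with_cert:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x400, 0x1234)   # hypothetical offset/size
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    assert len(opt) == 240
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in parse_pe(blob).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Run it against a real file with `python pe_headers.py TSMSetup.exe`; a "Microsoft Corporation" version block with has_certificate_table False is a masquerade by definition, and True only means the signature is present to be verified.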
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process tree; "no specs" marks a process that triggered no signatures)

explorer.exe
└─ tsmsetup.exe (PID 6268)
   ├─ rundll32.exe (PID 6332, System32, no specs)
   │  └─ rundll32.exe (PID 6348, SysWOW64)
   └─ msteamssetup_c_l_.exe (PID 6404)
      └─ update.exe (PID 6428)

Process information

PID: 6268
CMD: "C:\Users\admin\Desktop\TSMSetup.exe"
Path: C:\Users\admin\Desktop\TSMSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Exit code: 0
Version: 1.7.00.3315
Modules (images):
  c:\users\admin\desktop\tsmsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\gdi32full.dll
  c:\windows\system32\msvcp_win.dll

PID: 6332
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\CleanUp.dll", Test
Path: C:\Windows\System32\rundll32.exe
Parent process: TSMSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\rundll32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\shcore.dll

PID: 6348
CMD: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\CleanUp.dll", Test
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\rundll32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6404
CMD: "C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
Path: C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
Parent process: TSMSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams
Version: 1.7.00.3315
Modules (images):
  c:\users\admin\appdata\local\temp\msteamssetup_c_l_.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 6428
CMD: "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
Path: C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
Parent process: MSTeamsSetup_c_l_.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Teams classic
Version: 3.3.15.0
Modules (images):
  c:\users\admin\appdata\local\squirreltemp\update.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
Total events: 9 384
Read events: 9 361
Write events: 23
Delete events: 0

Modification events

(PID 6268) TSMSetup.exe, key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write  ProxyBypass    = 1
  write  IntranetName   = 1
  write  UNCAsIntranet  = 1
  write  AutoDetect     = 0

(PID 6428) Update.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
  write  EnableConsoleTracing = 0

(PID 6428) Update.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Update_RASAPI32
  write  EnableFileTracing      = 0
  write  EnableAutoFileTracing  = 0
  write  EnableConsoleTracing   = 0
  write  FileTracingMask        = (value not shown in the report)
  write  ConsoleTracingMask     = (value not shown in the report)
Executable files: 5
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID   Process                Filename  (type)

6428  Update.exe             C:\Users\admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log  (text)
      MD5: 49CC6759C2C21BBF65722EA541363126
      SHA256: 05C18252B73FF962BE1B247AB34CA1BE357AE8130D244D597AAE541E7EE89832

6404  MSTeamsSetup_c_l_.exe  C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe  (executable)
      MD5: 8F0E958D7EF57D727ADCDA1C67C24C2B
      SHA256: 4955CC6E58049EF1E274F340C8425CC55B324278199C92AC0DE87DF05BFAD35D

6428  Update.exe             C:\Users\admin\AppData\Local\Microsoft\Teams\packages\RELEASES.exe  (executable)
      MD5: 86214540E0711F6E145546C594D01417
      SHA256: 457C2984DF9FF6A57EF5626FBA4785890C7C88051DDAE7D253C852CFEBA13FDC

6268  TSMSetup.exe           C:\Users\admin\AppData\Local\Temp\CleanUp.dll  (executable)
      MD5: 0BAFF046A82D85E88F7AE2C98D43F671
      SHA256: 8372B173704CF8D8737E426B34EFD43FBA74C4FCB0A248F6CE72682EBC0BD916

6268  TSMSetup.exe           C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe  (executable)
      MD5: CF0E0F57B68A11D099EC944200A6069D
      SHA256: 73354811E3109E265821124A18B1B7D9FD3DD1207BB46C18937D250C6AB46DEC

6428  Update.exe             C:\Users\admin\AppData\Local\SquirrelTemp\setup.json  (binary)
      MD5: F57CCF6F5B9C1E2AAC3C144605B53AA5
      SHA256: A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648

6404  MSTeamsSetup_c_l_.exe  C:\Users\admin\AppData\Local\SquirrelTemp\endpoint.json  (binary)
      MD5: 677CAB9A8B50AD026CFA7625A35DD2D7
      SHA256: 07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0

6428  Update.exe             C:\Users\admin\AppData\Roaming\Microsoft\Teams\teams_install_session.json  (binary)
      MD5: 5D2E5AAAF70897F5EE8C78F10FEA1931
      SHA256: AF2C59BBA5D160994103FE87C5EC0D36E6AB618FF16FDE7FC93A34D54987376D

6404  MSTeamsSetup_c_l_.exe  C:\Users\admin\AppData\Local\SquirrelTemp\downloading.gif  (image)
      MD5: 3488A1749B859E969C01BA981036FAB6
      SHA256: C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99

6404  MSTeamsSetup_c_l_.exe  C:\Users\admin\AppData\Local\SquirrelTemp\background.gif  (image)
      MD5: FF1F29DCA0451246C3CA6CB7B023434F
      SHA256: 753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 34
DNS requests: 8
Threats: 11

HTTP requests

Columns: PID Process | Method Code | IP:port | URL | remaining cells (CN / Type / Size / Reputation) as shown in the report. "-" marks a cell the report leaves empty.

- 5140 MoUsoCoreWorker.exe | GET 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
- 5228 svchost.exe | GET 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
- 636 RUXIMICS.exe | GET 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
- 636 RUXIMICS.exe | GET 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
- - - | POST - | 64.95.10.243:443 | https://supfoundrysettlers.us/api/connectivity | unknown
- - - | GET 200 | 52.113.194.132:443 | https://teams.live.com/downloads/getinstaller?intent=Life&arch=x64&platVersion=10.0.19045 | unknown, binary, 134 b
- 5140 MoUsoCoreWorker.exe | GET 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
- - - | GET 200 | 184.24.107.9:443 | https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.13456/Teams-1.7.00.13456-full.nupkg | unknown, compressed, 136 Mb
- - - | POST - | 64.95.10.243:443 | https://supfoundrysettlers.us/api/connectivity | unknown
- - - | POST 200 | 20.42.65.91:443 | https://mobile.pipe.aria.microsoft.com/Collector/3.0/ | unknown

Connections

PID   Process              IP:port               Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:138   -                                -                            -   unknown
4364  svchost.exe          239.255.255.250:1900  -                                -                            -   unknown
5228  svchost.exe          4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
636   RUXIMICS.exe         4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5140  MoUsoCoreWorker.exe  4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5140  MoUsoCoreWorker.exe  2.16.164.120:80       crl.microsoft.com                Akamai International B.V.    NL  unknown
636   RUXIMICS.exe         2.16.164.120:80       crl.microsoft.com                Akamai International B.V.    NL  unknown
5228  svchost.exe          2.16.164.120:80       crl.microsoft.com                Akamai International B.V.    NL  unknown
5140  MoUsoCoreWorker.exe  88.221.169.152:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
636   RUXIMICS.exe         88.221.169.152:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted

DNS requests

Domain                           IP(s)                        Reputation
crl.microsoft.com                2.16.164.120, 2.16.164.49    whitelisted
www.microsoft.com                88.221.169.152               whitelisted
supfoundrysettlers.us            64.95.10.243                 malicious
settings-win.data.microsoft.com  4.231.128.59                 whitelisted
teams.live.com                   52.113.194.132               unknown
statics.teams.cdn.office.net     2.19.126.151, 2.19.126.154   whitelisted
mobile.pipe.aria.microsoft.com   52.168.112.67                whitelisted
self.events.data.microsoft.com   51.116.246.105               whitelisted

Threats

Found threats are available for the paid subscriptions
11 ETPRO signatures available at the full report

Process: Message
Update.exe: Starting TelemetryManager constructor
Update.exe: Update.exe Information: 0 :
Update.exe: TelemetryManagerImpl creation started
Update.exe: Update.exe Information: 0 :
Update.exe: Update.exe Information: 0 :
Update.exe: Performance counters are disabled. Skipping creation of counters category.
Update.exe: Update.exe Information: 0 :
Update.exe: RecordBatcherTask with ID 4 started.
Update.exe: Update.exe Information: 0 :
Update.exe: SendTask with ID 5 started