File name: MSTeamsSetup_c_l_.exe

Full analysis: https://app.any.run/tasks/64044e17-0386-4768-92cc-a0f3dd58d99b
Verdict: Malicious activity
Analysis date: October 30, 2023, 15:55:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 092BFF0405AB418FE22C565E231BE2BA
SHA1: 8AEF2B7D83B3D5AE55B24F25AB6621BB2DEA9287
SHA256: 156CAFA6DA98A57E481AAB74EF748726BD4DCE2912536FB59E65D9A57A3AE7A7
SSDEEP: 24576:4NYuPOTryV7OXRiYZgJw2K9KS74fVyhfP0dhyaz/PxSbQOUP8oSf37Z3/UyD:MOX6743ZvFKS74Nwfahyazx0LZ3jD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • MSTeamsSetup_c_l_.exe (PID: 3852)
    • Application was dropped or rewritten from another process
      • Update.exe (PID: 3448)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • MSTeamsSetup_c_l_.exe (PID: 3852)
    • Reads the Internet Settings
      • Update.exe (PID: 3448)
    • Reads settings of System Certificates
      • Update.exe (PID: 3448)
    • Start notepad (likely ransomware note)
      • MSTeamsSetup_c_l_.exe (PID: 3852)
      (In this run Notepad was launched with C:\Users\admin\AppData\Local\SquirrelTemp\SquirrelSetup.log as its argument, the Squirrel installer's own log, after both the bootstrapper and Update.exe exited with a non-zero code; see Process information below. The signature fires on the Notepad launch itself, not on the content of the file opened.)
  • INFO
    • Checks supported languages
      • wmpnscfg.exe (PID: 3148)
      • MSTeamsSetup_c_l_.exe (PID: 3852)
      • Update.exe (PID: 3448)
    • Reads the computer name
      • wmpnscfg.exe (PID: 3148)
      • Update.exe (PID: 3448)
      • MSTeamsSetup_c_l_.exe (PID: 3852)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3148)
    • Creates files or folders in the user directory
      • MSTeamsSetup_c_l_.exe (PID: 3852)
      • Update.exe (PID: 3448)
    • Reads the machine GUID from the registry
      • wmpnscfg.exe (PID: 3148)
      • Update.exe (PID: 3448)
    • Reads Microsoft Office registry keys
      • Update.exe (PID: 3448)
    • Reads Environment values
      • Update.exe (PID: 3448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:20 00:24:16+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 215040
InitializedDataSize: 1187840
UninitializedDataSize: -
EntryPoint: 0x14510
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.4.4.0
ProductVersionNumber: 1.4.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Installer for Squirrel-based applications
FileVersion: 1.4.4.0
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2014
OriginalFileName: Setup.exe
ProductName: Squirrel-based application
ProductVersion: 1.4.4.0
SquirrelAwareVersion: 1
(These are the stock version-resource strings of the Squirrel Setup.exe bootstrapper; the sample carries no CompanyName value, and the renamed file name MSTeamsSetup_c_l_.exe does not appear in its own resources.)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes: msteamssetup_c_l_.exe (no specs), wmpnscfg.exe (no specs), update.exe, notepad.exe (no specs). Edge labels: "drop and start" (msteamssetup_c_l_.exe dropped and started update.exe) and "start" (msteamssetup_c_l_.exe started notepad.exe); wmpnscfg.exe was started separately from explorer.exe.

Process information

PID 2744 (parent process: MSTeamsSetup_c_l_.exe)
  CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
  Path: C:\Windows\System32\notepad.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3148 (parent process: explorer.exe)
  CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)

PID 3448 (parent process: MSTeamsSetup_c_l_.exe)
  CMD: "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
  Path: C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Teams
  Exit code: 4294967295 (0xFFFFFFFF, i.e. -1 as a signed 32-bit value; non-zero, so the install step did not succeed)
  Version: 3.1.2.0

PID 3852 (parent process: explorer.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
  Path: C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
  User: admin
  Company: (none)
  Integrity Level: MEDIUM
  Description: Installer for Squirrel-based applications
  Exit code: 4294967295 (0xFFFFFFFF, i.e. -1 as a signed 32-bit value; non-zero)
  Version: 1.4.4.0

All four processes ran at MEDIUM integrity as the user admin; no elevation is recorded. The Indicators column of the original table is not reproduced here; per-process signatures are listed in the Indicators section above.
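The "Start notepad (likely ransomware note)" signature and the process rows above can be cross-checked mechanically. The following is an added example (my code, not ANY.RUN's output and not Squirrel's or Microsoft's code): it loads the four process records exactly as the report lists them, splits each command line into argv, resolves each process's parent by image name (the report gives parents by name, not PID), converts the unsigned exit code 4294967295 to the signed -1 it represents, and refines the Notepad heuristic by looking at which file Notepad was asked to open and whether the launching installer had already failed. The Proc structure, the command-line splitter, the RANSOM_NOTE_HINTS keyword list and the verdict labels are my own assumptions; the second test record (a README_DECRYPT.txt launch) is constructed to exercise the other branch and does not come from this report.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    """One row of the sandbox's process table (field names are my own)."""
    pid: int
    cmd: str
    path: str
    parent: str      # the report names the parent by image name, not by PID
    exit_code: int   # as reported: an unsigned 32-bit DWORD


# Copied from the Process information section of this report.
PROCESSES = [
    Proc(2744, r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\SquirrelTemp\SquirrelSetup.log',
         r'C:\Windows\System32\notepad.exe', 'MSTeamsSetup_c_l_.exe', 0),
    Proc(3148, r'"C:\Program Files\Windows Media Player\wmpnscfg.exe"',
         r'C:\Program Files\Windows Media Player\wmpnscfg.exe', 'explorer.exe', 0),
    Proc(3448, r'"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . '
               r'--exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode',
         r'C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe', 'MSTeamsSetup_c_l_.exe', 4294967295),
    Proc(3852, r'"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"',
         r'C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe', 'explorer.exe', 4294967295),
]

# Substrings ransomware commonly puts in its note's file name. Assumed, illustrative list.
RANSOM_NOTE_HINTS = ('readme', 'decrypt', 'restore', 'recover', 'how_to', 'ransom')

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd):
    """Split a Windows command line into argv; double-quoted tokens keep their spaces."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def signed_exit_code(code):
    """Sandboxes print the ExitProcess code as an unsigned DWORD; 4294967295 is -1."""
    code &= 0xFFFFFFFF
    return code - (1 << 32) if code & 0x80000000 else code


def basename(path):
    return path.rsplit('\\', 1)[-1]


def find_parent(proc, procs):
    """Resolve the parent by image name; None if it is absent or ambiguous."""
    hits = [p for p in procs if basename(p.path).lower() == proc.parent.lower()]
    return hits[0] if len(hits) == 1 else None


def classify_notepad_launch(proc, procs):
    """Refine the 'Start notepad' signature using the opened file and the parent's exit code."""
    argv = split_cmdline(proc.cmd)
    if not argv or basename(argv[0]).lower() != 'notepad.exe':
        return None
    parent = find_parent(proc, procs)
    parent_exit = signed_exit_code(parent.exit_code) if parent else None
    opened = argv[1] if len(argv) > 1 else ''
    name = basename(opened).lower()
    if not opened:
        verdict = 'no-file-argument'
    elif (name == 'squirrelsetup.log' and '\\squirreltemp\\' in opened.lower()
          and parent_exit not in (None, 0)):
        # A Squirrel bootstrapper that failed is showing its own install log.
        verdict = 'installer-failure-log'
    elif any(hint in name for hint in RANSOM_NOTE_HINTS):
        verdict = 'possible-ransom-note'
    else:
        verdict = 'review-manually'
    return {'pid': proc.pid, 'opened': opened, 'parent_pid': parent.pid if parent else None,
            'parent_exit': parent_exit, 'verdict': verdict}


def triage(procs):
    """Classify every Notepad launch in a process table."""
    results = [classify_notepad_launch(p, procs) for p in procs]
    return [r for r in results if r is not None]


if __name__ == '__main__':
    for r in triage(PROCESSES):
        print(r)
```

Run as-is it reports the single Notepad launch (PID 2744) as installer-failure-log with parent PID 3852 and parent exit -1. The point of the parent-exit check is that a ransom note is normally displayed by a process that has completed its work, whereas here the launcher itself returned -1; the keyword list is only a fallback and should be replaced by whatever note names your own detections track.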
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 1
Text files: 3
Unknown types: 0

Dropped files

PID 3852, MSTeamsSetup_c_l_.exe
  C:\Users\admin\AppData\Local\SquirrelTemp\background.gif (image)
    MD5: FF1F29DCA0451246C3CA6CB7B023434F
    SHA256: 753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
  C:\Users\admin\AppData\Local\SquirrelTemp\endpoint.json (binary)
    MD5: 677CAB9A8B50AD026CFA7625A35DD2D7
    SHA256: 07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
  C:\Users\admin\AppData\Local\SquirrelTemp\downloading.gif (image)
    MD5: 3488A1749B859E969C01BA981036FAB6
    SHA256: C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
  C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe (executable)
    MD5: 55D2BE3EA0DC1DCAEEFDDD7ED12C05E9
    SHA256: 5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437

PID 3448, Update.exe
  C:\Users\admin\AppData\Local\SquirrelTemp\SquirrelSetup.log (text)
    MD5: 4B8D6317BCCA84EF1A11A49ADCCAA41C
    SHA256: EA343B7503F80FFEE33003A09B163D33A1D794E37280B45889E7337C6C78EAD4

The Update.exe dropped by PID 3852 is the same file that runs as PID 3448; its SHA256 above is the value to compare against a known-good Squirrel Update.exe when triaging this sample.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4, System: 192.168.100.255:137 (whitelisted; local NetBIOS broadcast)
PID 3448, Update.exe: 20.189.173.3:443, mobile.pipe.aria.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation unknown
PID 2656, svchost.exe: 239.255.255.250:1900 (whitelisted; local SSDP multicast)
PID 4, System: 192.168.100.255:138 (whitelisted; local NetBIOS broadcast)

The only connection made by the sample's process tree is Update.exe to mobile.pipe.aria.microsoft.com over TLS. That host is Microsoft's Aria telemetry collector, which matches the TelemetryManager and DataPackageSender strings in the debug output below; no payload download is recorded in this run.

DNS requests

mobile.pipe.aria.microsoft.com: 20.189.173.3 (whitelisted)

Threats

No threats detected

Debug output (process: message)

Update.exe: Starting TelemetryManager constructor
Update.exe: Update.exe Information: 0 :
Update.exe: Update.exe Information: 0 :
Update.exe: Performance counters are disabled. Skipping creation of counters category.
Update.exe: TelemetryManagerImpl creation started
Update.exe: Update.exe Information: 0 :
Update.exe: RecordBatcherTask with ID 4 started.
Update.exe: Update.exe Information: 0 :
Update.exe: Update.exe Information: 0 :
Update.exe: DataPackageSender with UserAgent name: AST-exe-C#, version: 3.1.2.0, [Ast_Default_Source]