File name: MSTeamsSetup_c_l_.exe

Full analysis: https://app.any.run/tasks/833be975-7da6-4916-8122-2e93142185b8
Verdict: Malicious activity
Analysis date: April 21, 2024, 08:21:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 092BFF0405AB418FE22C565E231BE2BA
SHA1: 8AEF2B7D83B3D5AE55B24F25AB6621BB2DEA9287
SHA256: 156CAFA6DA98A57E481AAB74EF748726BD4DCE2912536FB59E65D9A57A3AE7A7
SSDEEP: 24576:4NYuPOTryV7OXRiYZgJw2K9KS74fVyhfP0dhyaz/PxSbQOUP8oSf37Z3/UyD:MOX6743ZvFKS74Nwfahyazx0LZ3jD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • MSTeamsSetup_c_l_.exe (PID: 3416)
      • Update.exe (PID: 324)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • MSTeamsSetup_c_l_.exe (PID: 3416)
      • Update.exe (PID: 324)
    • Executable content was dropped or overwritten
      • MSTeamsSetup_c_l_.exe (PID: 3416)
      • Update.exe (PID: 324)
    • Reads the Internet Settings
      • Update.exe (PID: 324)
    • Reads settings of System Certificates
      • Update.exe (PID: 324)
  • INFO
    • Checks supported languages
      • MSTeamsSetup_c_l_.exe (PID: 3416)
      • Update.exe (PID: 324)
    • Creates files or folders in the user directory
      • MSTeamsSetup_c_l_.exe (PID: 3416)
      • Update.exe (PID: 324)
    • Reads the machine GUID from the registry
      • Update.exe (PID: 324)
    • Reads the computer name
      • Update.exe (PID: 324)
    • Reads Environment values
      • Update.exe (PID: 324)
    • Reads Microsoft Office registry keys
      • Update.exe (PID: 324)
    • Reads the software policy settings
      • Update.exe (PID: 324)
    • Create files in a temporary directory
      • Update.exe (PID: 324)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:19 22:24:16+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 215040
InitializedDataSize: 1187840
UninitializedDataSize: -
EntryPoint: 0x14510
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.4.4.0
ProductVersionNumber: 1.4.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Installer for Squirrel-based applications
FileVersion: 1.4.4.0
InternalName: Setup.exe
LegalCopyright: Copyright (C) 2014
OriginalFileName: Setup.exe
ProductName: Squirrel-based application
ProductVersion: 1.4.4.0
SquirrelAwareVersion: 1
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start > msteamssetup_c_l_.exe > update.exe

Process information

PID 324: Update.exe
  CMD: "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
  Path: C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
  Parent process: MSTeamsSetup_c_l_.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Teams
  Version: 3.1.2.0
  Modules (images):
    c:\users\admin\appdata\local\squirreltemp\update.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3416: MSTeamsSetup_c_l_.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
  Path: C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Installer for Squirrel-based applications
  Version: 1.4.4.0
  Modules (images):
    c:\users\admin\appdata\local\temp\msteamssetup_c_l_.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
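The two monitored processes are the standard Squirrel bootstrap sequence: the Setup.exe stub (here named MSTeamsSetup_c_l_.exe, run from the user's Temp folder) unpacks Update.exe into %LOCALAPPDATA%\SquirrelTemp and launches it with --install . --exeName=<its own file name> --bootstrapperMode. The "drops the executable file immediately after the start" signature is that unpacking step, so the verdict should not rest on it alone; a practitioner would confirm the sample by checking the signature on the sample and on the dropped Update.exe against the hashes in this report. The script below is an added example, not ANY.RUN or Squirrel code: it takes process-creation records (constructed from the two entries above, with Sysmon-style field names as an assumption) and checks that a bootstrap launch is internally consistent, i.e. Update.exe ran from SquirrelTemp and --exeName names the parent image.

```python
"""Consistency checks for a Squirrel bootstrapper launch seen in
process-creation records.

Added example; this is not ANY.RUN or Squirrel code. The two records
below are constructed from the report's "Process information" section
(field names are assumptions modelled on Sysmon Event ID 1).
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


EVENTS = [
    ProcEvent(3416,
              r"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe",
              r'"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"',
              "explorer.exe"),
    ProcEvent(324,
              r"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe",
              r'"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" '
              r"--install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode",
              # The report names the parent only; its full path is the PID 3416 image above.
              r"C:\Users\admin\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"),
]


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are kept literally, so paths survive (shlex would eat them)."""
    args, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_flags(args: list[str]) -> dict[str, str]:
    """Map '--key=value' / '--key' arguments to {key_lower: value}."""
    flags = {}
    for a in args:
        key, _, value = a.partition("=")
        flags[key.lower()] = value
    return flags


def is_bootstrap_launch(ev: ProcEvent) -> bool:
    """Update.exe started with --install and --bootstrapperMode, as in the report."""
    args = split_cmdline(ev.command_line)
    if not args or ntpath.basename(args[0]).lower() != "update.exe":
        return False
    flags = parse_flags(args[1:])
    return "--install" in flags and "--bootstrappermode" in flags


def bootstrap_findings(ev: ProcEvent) -> list[str]:
    """Properties a genuine Squirrel bootstrap has (and this report shows);
    an empty list means the launch is internally consistent."""
    if not is_bootstrap_launch(ev):
        return []
    findings = []
    flags = parse_flags(split_cmdline(ev.command_line)[1:])
    # The bootstrapper is unpacked into %LOCALAPPDATA%\SquirrelTemp (observed path).
    if ntpath.basename(ntpath.dirname(ev.image)).lower() != "squirreltemp":
        findings.append(f"Update.exe ran from outside SquirrelTemp: {ev.image}")
    # --exeName names the installer that spawned it; it should be the parent image.
    exe_name = flags.get("--exename", "")
    parent = ntpath.basename(ev.parent_image)
    if exe_name.lower() != parent.lower():
        findings.append(f"--exeName={exe_name!r} does not match parent {parent!r}")
    return findings


def bootstrap_report(events: list[ProcEvent]) -> dict[int, list[str]]:
    """PID -> findings for every bootstrap launch among the events."""
    return {ev.pid: bootstrap_findings(ev) for ev in events if is_bootstrap_launch(ev)}


if __name__ == "__main__":
    for pid, findings in bootstrap_report(EVENTS).items():
        print(pid, "consistent" if not findings else findings)
```

For the records from this report the only bootstrap launch is PID 324 and it yields no findings. A copy of Update.exe running from another folder, or an --exeName that is not the parent image, would be flagged for a closer look.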
Total events: 5 088
Read events: 5 061
Write events: 27
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | EnableFileTracing | 0
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | EnableConsoleTracing | 0
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | FileTracingMask |
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | ConsoleTracingMask |
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | MaxFileSize | 1048576
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASAPI32 | write | FileDirectory | %windir%\tracing
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS | write | EnableFileTracing | 0
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS | write | EnableConsoleTracing | 0
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS | write | FileTracingMask |
324 | Update.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Update_RASMANCS | write | ConsoleTracingMask |

The <process>_RASAPI32 and <process>_RASMANCS keys under HKLM\SOFTWARE\Microsoft\Tracing are written by the RAS tracing initialisation that runs when a process loads the RAS libraries, which a .NET process does when it opens network connections; they are a routine sandbox artifact, not an indicator on their own.
Executable files: 2
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID 324, Update.exe: C:\Users\admin\AppData\Local\SquirrelTemp\setup.json (binary)
  MD5: F57CCF6F5B9C1E2AAC3C144605B53AA5
  SHA256: A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
PID 3416, MSTeamsSetup_c_l_.exe: C:\Users\admin\AppData\Local\SquirrelTemp\downloading.gif (image)
  MD5: 3488A1749B859E969C01BA981036FAB6
  SHA256: C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
PID 324, Update.exe: C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe (executable)
  MD5: 55D2BE3EA0DC1DCAEEFDDD7ED12C05E9
  SHA256: 5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437
PID 3416, MSTeamsSetup_c_l_.exe: C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe (executable)
  MD5: 55D2BE3EA0DC1DCAEEFDDD7ED12C05E9
  SHA256: 5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437
PID 324, Update.exe: C:\Users\admin\AppData\Roaming\Microsoft\Teams\teams_install_session.json (binary)
  MD5: 3FB8EB726BEBC7A177B372A1CFCAE996
  SHA256: A7D74D3B404E010F6349937DBFA1FE726BA376CDA7FABCC58CB496A63580AA99
PID 324, Update.exe: C:\Users\admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log (text)
  MD5: C2C7EE70C33FDA1AF69019FE1E5AA651
  SHA256: 5F9485AC6FCA84150DBB062114954EA05AB289C77CFF8ACC5465CE16218FA757
PID 3416, MSTeamsSetup_c_l_.exe: C:\Users\admin\AppData\Local\SquirrelTemp\endpoint.json (binary)
  MD5: 677CAB9A8B50AD026CFA7625A35DD2D7
  SHA256: 07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
PID 3416, MSTeamsSetup_c_l_.exe: C:\Users\admin\AppData\Local\SquirrelTemp\background.gif (image)
  MD5: FF1F29DCA0451246C3CA6CB7B023434F
  SHA256: 753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
PID 324, Update.exe: C:\Users\admin\AppData\Local\Microsoft\Teams\setup.json (binary)
  MD5: F57CCF6F5B9C1E2AAC3C144605B53AA5
  SHA256: A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
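Two things in this list are worth reading off by hash rather than by path: the Update.exe that PID 3416 unpacks into SquirrelTemp and the Update.exe that PID 324 then installs under Local\Microsoft\Teams are byte-identical (same MD5 and SHA256), and setup.json is likewise copied unchanged from SquirrelTemp to the Teams folder. The script below is an added example, not ANY.RUN code: it groups a subset of the dropped-file records (constructed from the table above) by SHA256 so that such copies show up as one payload in several locations, flags executables written into user-writable directories, and hashes a local file so an artifact recovered from a host can be compared against the report.

```python
"""Triage of a sandbox "Dropped files" list: group by content hash, flag
executables written to user-writable locations, and verify a local file
against a reported SHA256.

Added example, not ANY.RUN code. The records are a subset constructed
from the report's dropped-files table (hashes copied from it).
"""
from __future__ import annotations

import hashlib
import tempfile
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dropped:
    pid: int
    process: str
    path: str
    ftype: str
    md5: str
    sha256: str


DROPPED = [
    Dropped(324, "Update.exe", r"C:\Users\admin\AppData\Local\SquirrelTemp\setup.json", "binary",
            "F57CCF6F5B9C1E2AAC3C144605B53AA5",
            "A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648"),
    Dropped(324, "Update.exe", r"C:\Users\admin\AppData\Local\Microsoft\Teams\Update.exe", "executable",
            "55D2BE3EA0DC1DCAEEFDDD7ED12C05E9",
            "5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437"),
    Dropped(3416, "MSTeamsSetup_c_l_.exe", r"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe", "executable",
            "55D2BE3EA0DC1DCAEEFDDD7ED12C05E9",
            "5CACCD37E4DF62DCF709605DE3F79664DE7190534B56CD69BCC96BDF0F939437"),
    Dropped(324, "Update.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log", "text",
            "C2C7EE70C33FDA1AF69019FE1E5AA651",
            "5F9485AC6FCA84150DBB062114954EA05AB289C77CFF8ACC5465CE16218FA757"),
    Dropped(324, "Update.exe", r"C:\Users\admin\AppData\Local\Microsoft\Teams\setup.json", "binary",
            "F57CCF6F5B9C1E2AAC3C144605B53AA5",
            "A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648"),
]

# Path fragments that an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\")


def group_by_sha256(records: list[Dropped]) -> dict[str, list[str]]:
    """Lower-cased SHA256 -> every path the same content was written to."""
    groups: dict[str, list[str]] = defaultdict(list)
    for r in records:
        groups[r.sha256.lower()].append(r.path)
    return dict(groups)


def executables_in_user_dirs(records: list[Dropped]) -> list[Dropped]:
    """Executables dropped somewhere a normal user account could have written."""
    return [r for r in records
            if r.ftype == "executable" and any(m in r.path.lower() for m in USER_WRITABLE)]


def sha256_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Streaming SHA256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_report(path: str, expected_sha256: str) -> bool:
    """True if the file at `path` is the artifact the report hashed."""
    return sha256_of_file(path).lower() == expected_sha256.lower()


def demo_file(content: bytes) -> str:
    """Write constructed bytes to a temp file and return its path (demo only)."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(content)
    return tmp.name


if __name__ == "__main__":
    for sha, paths in group_by_sha256(DROPPED).items():
        if len(paths) > 1:
            print(f"{sha[:12]}... written to {len(paths)} locations: {paths}")
    for r in executables_in_user_dirs(DROPPED):
        print(f"executable in user-writable dir: PID {r.pid} {r.process} -> {r.path}")
    # Verification demo against a constructed file, not a sample from the report.
    p = demo_file(b"hello")
    print("matches:", matches_report(p, hashlib.sha256(b"hello").hexdigest()))
```

On the report's data the grouping returns two hashes with two paths each (Update.exe and setup.json), and both executables land under AppData\Local, which is why the "drops executable" signatures fire for both PIDs.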
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
324 | Update.exe | 52.113.194.132:443 | teams.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
324 | Update.exe | 52.123.129.14:443 | teams.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
324 | Update.exe | 2.18.244.199:443 | statics.teams.cdn.office.net | Akamai International B.V. | FR | unknown
324 | Update.exe | 20.189.173.27:443 | mobile.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
teams.live.com | 52.113.194.132 | unknown
teams.microsoft.com | 52.123.129.14, 52.123.128.14 | whitelisted
statics.teams.cdn.office.net | 2.18.244.199, 2.18.244.197 | whitelisted
mobile.pipe.aria.microsoft.com | 20.189.173.27 | whitelisted
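All of Update.exe's traffic goes to port 443, so the HTTP request count is zero and the network evidence is only the connection and DNS tables. One check a practitioner runs on those two tables is to cross-reference them: every outbound connection from the sample should go to an address that a DNS answer in the same session returned for the claimed domain, and a connection to a public IP that no lookup produced (a hard-coded address) deserves a second look. The script below is an added example, not ANY.RUN code; its records are constructed from the two tables above, and broadcast and multicast traffic from System and svchost.exe is treated as local noise and skipped. For this report every Update.exe connection is covered by a DNS answer (52.123.128.14 and 2.18.244.197 were returned but never contacted, which is normal).

```python
"""Cross-check a sandbox report's "Connections" table against its "DNS
requests" table.

Added example, not ANY.RUN code. CONNS and DNS are constructed from the
report above; the test addresses used in the usage note are invented.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    ip: str
    port: int
    domain: str = ""   # empty when the report shows no domain for the row


CONNS = [
    Conn(4, "System", "192.168.100.255", 137),
    Conn(4, "System", "192.168.100.255", 138),
    Conn(324, "Update.exe", "52.113.194.132", 443, "teams.live.com"),
    Conn(1080, "svchost.exe", "224.0.0.252", 5355),
    Conn(324, "Update.exe", "52.123.129.14", 443, "teams.microsoft.com"),
    Conn(324, "Update.exe", "2.18.244.199", 443, "statics.teams.cdn.office.net"),
    Conn(324, "Update.exe", "20.189.173.27", 443, "mobile.pipe.aria.microsoft.com"),
]

DNS = {
    "teams.live.com": {"52.113.194.132"},
    "teams.microsoft.com": {"52.123.129.14", "52.123.128.14"},
    "statics.teams.cdn.office.net": {"2.18.244.199", "2.18.244.197"},
    "mobile.pipe.aria.microsoft.com": {"20.189.173.27"},
}


def is_local_noise(ip: str) -> bool:
    """Broadcast, multicast (LLMNR 224.0.0.252), link-local and loopback traffic."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_multicast or a.is_link_local or a.is_loopback


def unresolved_connections(conns: list[Conn], dns: dict[str, set[str]]) -> list[Conn]:
    """Connections to public IPs that no DNS answer in the session returned."""
    answered = {ip for ips in dns.values() for ip in ips}
    return [c for c in conns if not is_local_noise(c.ip) and c.ip not in answered]


def domain_mismatches(conns: list[Conn], dns: dict[str, set[str]]) -> list[Conn]:
    """Connections whose claimed domain did not resolve to the IP actually used."""
    return [c for c in conns if c.domain and c.ip not in dns.get(c.domain, set())]


def hosts_by_process(conns: list[Conn]) -> dict[str, set[str]]:
    """Public destinations per process, keyed 'name (PID n)', domains where known."""
    out: dict[str, set[str]] = {}
    for c in conns:
        if not is_local_noise(c.ip):
            out.setdefault(f"{c.process} (PID {c.pid})", set()).add(c.domain or c.ip)
    return out


if __name__ == "__main__":
    for proc, hosts in hosts_by_process(CONNS).items():
        print(proc, "->", sorted(hosts))
    print("unresolved:", unresolved_connections(CONNS, DNS))
    print("mismatched:", domain_mismatches(CONNS, DNS))
```

Both check functions return an empty list for this report. Adding a constructed row such as Conn(324, "Update.exe", "93.184.216.34", 443) (an address that never appears in the DNS table) makes unresolved_connections report it, and a row that pairs teams.live.com with 52.123.129.14 is caught by domain_mismatches.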

Threats

No threats detected
Debug output strings

Process | Message
Update.exe | TelemetryManagerImpl creation started
Update.exe | Update.exe Information: 0 :
Update.exe | Update.exe Information: 0 :
Update.exe | Starting TelemetryManager constructor
Update.exe | Update.exe Information: 0 :
Update.exe | Performance counters are disabled. Skipping creation of counters category.
Update.exe | RecordBatcherTask with ID 4 started.
Update.exe | Update.exe Information: 0 :
Update.exe | DataPackageSender with UserAgent name: AST-exe-C#, version: 3.1.2.0, [Ast_Default_Source]
Update.exe | SendTask with ID 6 started