File name: file1.exe
Full analysis: https://app.any.run/tasks/00115926-5a14-4957-a142-fa5776ec3adb
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 14, 2024, 11:15:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ransomware, teslacrypt
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5: 9CE01DFBF25DFEA778E57D8274675D6F
SHA1: 1BD767BEB5BC36B396CA6405748042640AD57526
SHA256: 5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwuq:4qZb8oR3D6R5QHXZJy/Q50imAvBq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • ytreivcustlc.exe (PID: 5496)
    • Deletes shadow copies
      • ytreivcustlc.exe (PID: 5496)
    • Connects to the CnC server
      • ytreivcustlc.exe (PID: 5496)
    • TESLACRYPT has been detected (SURICATA)
      • ytreivcustlc.exe (PID: 5496)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • Starts itself from another location
      • file1.exe (PID: 5000)
    • Starts CMD.EXE for command execution
      • file1.exe (PID: 5000)
    • There is functionality for taking screenshots (YARA)
      • ytreivcustlc.exe (PID: 5496)
    • Checks Windows Trust Settings
      • ytreivcustlc.exe (PID: 5496)
    • Executable content was dropped or overwritten
      • file1.exe (PID: 5000)
    • Contacting a server suspected of hosting a CnC
      • ytreivcustlc.exe (PID: 5496)
    • Executes as a Windows Service
      • VSSVC.exe (PID: 6208)
  • INFO
    • Checks supported languages
      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • The process uses the downloaded file
      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • Reads the computer name
      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • Process checks computer location settings
      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • The sample was compiled with English language support
      • file1.exe (PID: 5000)
    • Checks proxy server information
      • ytreivcustlc.exe (PID: 5496)
    • Reads the machine GUID from the registry
      • ytreivcustlc.exe (PID: 5496)
    • Reads security settings of Internet Explorer
      • WMIC.exe (PID: 5268)
    • Reads the software policy settings
      • ytreivcustlc.exe (PID: 5496)
    • Creates files or folders in the user directory
      • ytreivcustlc.exe (PID: 5496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:02:28 18:15:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 16384
InitializedDataSize: 626688
UninitializedDataSize: -
EntryPoint: 0x3c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: nah nah Corporation
FileDescription: nah nahApp
FileVersion: 1.600.5512
InternalName: nah nah
LegalCopyright: ©nah nah Corporation. All rights reserved.
OriginalFileName: nah nah
ProductName: nah nah®
ProductVersion: 1.9.0
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph; see the full report. Nodes in order: start, file1.exe, #TESLACRYPT, ytreivcustlc.exe, cmd.exe (no specs), conhost.exe (no specs), wmic.exe, conhost.exe (no specs), vssvc.exe (no specs), svchost.exe.)

Process information

PID | CMD | Path | Indicators | Parent process
PID: 448
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4544
CMD: "C:\WINDOWS\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\file1.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: file1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5000
CMD: "C:\Users\admin\AppData\Local\Temp\file1.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\file1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5268
CMD: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: ytreivcustlc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749890
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 5300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5496
CMD: C:\Users\admin\Documents\ytreivcustlc.exe
Path: C:\Users\admin\Documents\ytreivcustlc.exe
Parent process: file1.exe
User: admin
Company: nah nah Corporation
Integrity Level: MEDIUM
Description: nah nahApp
Version: 1.600.5512
Modules (images):
c:\users\admin\documents\ytreivcustlc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6208
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 065
Read events: 4 058
Write events: 7
Delete events: 0

Modification events

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: gxlprvcbljes
Value: C:\WINDOWS\system32\cmd.exe /c start "" "C:\Users\admin\Documents\ytreivcustlc.exe"

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLinkedConnections
Value: 1

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\xxxsys
Operation: write
Name: ID
Value: 660BBB984C80E97C

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\66BBB984C80E97C
Operation: write
Name: data
Value: (data omitted)

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: ytreivcustlc.exe (PID 5496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 979
Text files: 373
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak | binary
  MD5: 5116D567FB0CB1A806729D1448C3F7FC
  SHA256: 9458BD13DD21185EACCD74797060A6082EEDE2B22A70DC3216E25CA4C3BF74C5
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | binary
  MD5: B3CC1F67637F340D390CC1E7345BD1A6
  SHA256: A862BAA2978AC699FB8F499C33648DC3745B4BDF30E5927AEA26358EF340A63F
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png | binary
  MD5: E66C923CC3D137DBEF3526609C5C80FF
  SHA256: 56D18B0BA2BF0ABE021502BD9BFBA9393EE3AFB8CE9C98BAB0B292D23F2A257F
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\resources.pak | -
  MD5: -
  SHA256: -
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\resources.pak.mp3 | -
  MD5: -
  SHA256: -
5000 | file1.exe | C:\Users\admin\Documents\ytreivcustlc.exe | executable
  MD5: 9CE01DFBF25DFEA778E57D8274675D6F
  SHA256: 5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak | binary
  MD5: A40B68DA8314CB387828A6810760949C
  SHA256: 442E4B98DC2CDFC647A20CBDE85EA7CD8A3CD19A739FCF10985CEF8B17A1A00B
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\LICENSE.txt.mp3 | binary
  MD5: 908103403881DEECA4C208A1397F8126
  SHA256: AC854582C2A99520BE6B1AA7E946E47412507A8EF197288F5F88EDA9C05C2147
5496 | ytreivcustlc.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+lnjuu.png | image
  MD5: FD1DD7B337892527867B45C033568E10
  SHA256: AEECAF717DF94A62E88FA160ADEAB5986A9C4EEE820BB9B9C0C69136BB321A18
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak | binary
  MD5: 41A3CDC4EFBD59042FA34526B252F9CC
  SHA256: 5FFB12E98260362CE26E66F104D755A4CE69D21F39A13EC96E32896D39D7BC79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 38
DNS requests: 21
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5496 | ytreivcustlc.exe | POST | 301 | 162.241.224.203:80 | http://biocarbon.com.ec/wp-content/uploads/bstr.php | unknown | - | - | malicious
5496 | ytreivcustlc.exe | POST | 200 | 85.128.128.104:80 | http://stacon.eu/bstr.php | unknown | - | - | malicious
5496 | ytreivcustlc.exe | GET | 200 | 23.32.238.49:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D | unknown | - | - | whitelisted
5496 | ytreivcustlc.exe | POST | 200 | 104.155.138.21:80 | http://worldisonefamily.info/zz/libraries/bstr.php | unknown | - | - | malicious
3508 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
6836 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3128 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3508 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.154:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5496 | ytreivcustlc.exe | 162.241.224.203:80 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.174 | whitelisted
www.bing.com | 104.126.37.154, 104.126.37.130, 104.126.37.145, 104.126.37.144, 104.126.37.139, 104.126.37.153, 104.126.37.128, 104.126.37.137, 104.126.37.136 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.31.71, 20.190.159.23, 20.190.159.2, 40.126.31.73, 20.190.159.73, 20.190.159.4, 40.126.31.69, 20.190.159.71 | whitelisted
biocarbon.com.ec | 162.241.224.203 | malicious
r10.o.lencr.org | 23.32.238.49, 23.32.238.82 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
imagescroll.com | - | unknown
music.mbsaeger.com | - | unknown
stacon.eu | 85.128.128.104 | malicious

Threats

PID | Process | Class | Message
5496 | ytreivcustlc.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
5496 | ytreivcustlc.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
5496 | ytreivcustlc.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
5496 | ytreivcustlc.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
No debug info