File name: file1.exe

Full analysis: https://app.any.run/tasks/00115926-5a14-4957-a142-fa5776ec3adb
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 14, 2024, 11:15:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
teslacrypt
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5: 9CE01DFBF25DFEA778E57D8274675D6F
SHA1: 1BD767BEB5BC36B396CA6405748042640AD57526
SHA256: 5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwuq:4qZb8oR3D6R5QHXZJy/Q50imAvBq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • ytreivcustlc.exe (PID: 5496)
    • TESLACRYPT has been detected (SURICATA)

      • ytreivcustlc.exe (PID: 5496)
    • Connects to the CnC server

      • ytreivcustlc.exe (PID: 5496)
    • Changes the autorun value in the registry

      • ytreivcustlc.exe (PID: 5496)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ytreivcustlc.exe (PID: 5496)
      • file1.exe (PID: 5000)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6208)
    • Starts CMD.EXE for commands execution

      • file1.exe (PID: 5000)
    • Executable content was dropped or overwritten

      • file1.exe (PID: 5000)
    • Checks Windows Trust Settings

      • ytreivcustlc.exe (PID: 5496)
    • There is functionality for taking screenshot (YARA)

      • ytreivcustlc.exe (PID: 5496)
    • Contacting a server suspected of hosting a CnC

      • ytreivcustlc.exe (PID: 5496)
    • Starts itself from another location

      • file1.exe (PID: 5000)
  • INFO

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5268)
    • Checks supported languages

      • file1.exe (PID: 5000)
      • ytreivcustlc.exe (PID: 5496)
    • Reads the machine GUID from the registry

      • ytreivcustlc.exe (PID: 5496)
    • The sample compiled with English language support

      • file1.exe (PID: 5000)
    • The process uses the downloaded file

      • ytreivcustlc.exe (PID: 5496)
      • file1.exe (PID: 5000)
    • Process checks computer location settings

      • ytreivcustlc.exe (PID: 5496)
      • file1.exe (PID: 5000)
    • Reads the computer name

      • ytreivcustlc.exe (PID: 5496)
      • file1.exe (PID: 5000)
    • Reads the software policy settings

      • ytreivcustlc.exe (PID: 5496)
    • Creates files or folders in the user directory

      • ytreivcustlc.exe (PID: 5496)
    • Checks proxy server information

      • ytreivcustlc.exe (PID: 5496)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

ProductVersion: 1.9.0
ProductName: nah nah®
OriginalFileName: nah nah
LegalCopyright: ©nah nah Corporation. All rights reserved.
InternalName: nah nah
FileVersion: 1.600.5512
FileDescription: nah nahApp
CompanyName: nah nah Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.1.2600.5512
FileVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3c40
UninitializedDataSize: -
InitializedDataSize: 626688
CodeSize: 16384
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
TimeStamp: 2016:02:28 18:15:11+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes
137
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

  • start
  • svchost.exe
  • file1.exe
  • #TESLACRYPT ytreivcustlc.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe
  • conhost.exe (no specs)
  • vssvc.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5000
CMD: "C:\Users\admin\AppData\Local\Temp\file1.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\file1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5496
CMD: C:\Users\admin\Documents\ytreivcustlc.exe
Path: C:\Users\admin\Documents\ytreivcustlc.exe
Parent process: file1.exe
User:
admin
Company:
nah nah Corporation
Integrity Level:
MEDIUM
Description:
nah nahApp
Version:
1.600.5512
Modules
Images
c:\users\admin\documents\ytreivcustlc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4544
CMD: "C:\WINDOWS\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\file1.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: file1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 448
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5268
CMD: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: ytreivcustlc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749890
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 5300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6208
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 065
Read events
4 058
Write events
7
Delete events
0

Modification events

(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: gxlprvcbljes
Value:
C:\WINDOWS\system32\cmd.exe /c start "" "C:\Users\admin\Documents\ytreivcustlc.exe"
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLinkedConnections
Value:
1
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\xxxsys
Operation: write
Name: ID
Value:
660BBB984C80E97C
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\66BBB984C80E97C
Operation: write
Name: data
Value:
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
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:
(PID) Process: (5496) ytreivcustlc.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
979
Text files
373
Unknown types
0

Dropped files

PID | Process | Filename | Type
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | binary
MD5: B3CC1F67637F340D390CC1E7345BD1A6
SHA256: A862BAA2978AC699FB8F499C33648DC3745B4BDF30E5927AEA26358EF340A63F
5496 | ytreivcustlc.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+lnjuu.txt | text
MD5: BF316D99E6C26C8A200E67DB7F00AD6A
SHA256: 7BEDC293CE1F03B6347B9D3C3A1622702D658F1D88773F74AB520376D1637148
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak | binary
MD5: 41A3CDC4EFBD59042FA34526B252F9CC
SHA256: 5FFB12E98260362CE26E66F104D755A4CE69D21F39A13EC96E32896D39D7BC79
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt.mp3 | binary
MD5: 082F216AFDD6706ECCA8044F981EEA02
SHA256: AB2EF68877CB783AE8BF55542709E9FECFA34F514F5EBD0E12782D1CD35C465E
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.mp3 | binary
MD5: E66C923CC3D137DBEF3526609C5C80FF
SHA256: 56D18B0BA2BF0ABE021502BD9BFBA9393EE3AFB8CE9C98BAB0B292D23F2A257F
5496 | ytreivcustlc.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+lnjuu.html | html
MD5: 6107226266BFD5858D9C9E0C024C7218
SHA256: 6F0A70D7483DDB05922275EFE71ED8E6EEB3744BA362A45EBD919CD1022A71B1
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak | binary
MD5: A40B68DA8314CB387828A6810760949C
SHA256: 442E4B98DC2CDFC647A20CBDE85EA7CD8A3CD19A739FCF10985CEF8B17A1A00B
5496 | ytreivcustlc.exe | C:\Users\admin\Documents\recover_file_rvpyygjpa.txt | text
MD5: 79D8EDD3EF29D893C9B837EC59D71384
SHA256: F9899B6E38252E9B8226D8C7D229088D21A255C712329F65164BAAC88A755D00
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt | binary
MD5: 082F216AFDD6706ECCA8044F981EEA02
SHA256: AB2EF68877CB783AE8BF55542709E9FECFA34F514F5EBD0E12782D1CD35C465E
5496 | ytreivcustlc.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak.mp3 | binary
MD5: A40B68DA8314CB387828A6810760949C
SHA256: 442E4B98DC2CDFC647A20CBDE85EA7CD8A3CD19A739FCF10985CEF8B17A1A00B
HTTP(S) requests
13
TCP/UDP connections
38
DNS requests
21
Threats
4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | ytreivcustlc.exe | POST | 301 | 162.241.224.203:80 | http://biocarbon.com.ec/wp-content/uploads/bstr.php | unknown | - | - | malicious
3612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
3508 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5496 | ytreivcustlc.exe | POST | 200 | 104.155.138.21:80 | http://worldisonefamily.info/zz/libraries/bstr.php | unknown | - | - | malicious
5496 | ytreivcustlc.exe | GET | 200 | 23.32.238.49:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D | unknown | - | - | whitelisted
3612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
6836 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3128 | RUXIMICS.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3508 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.154:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5496 | ytreivcustlc.exe | 162.241.224.203:80 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.130
  • 104.126.37.145
  • 104.126.37.144
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.136
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.71
whitelisted
biocarbon.com.ec
  • 162.241.224.203
malicious
r10.o.lencr.org
  • 23.32.238.49
  • 23.32.238.82
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
imagescroll.com
unknown
music.mbsaeger.com
unknown
stacon.eu
  • 85.128.128.104
malicious

Threats

PID | Process | Class | Message
- | - | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- | - | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- | - | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
- | - | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
No debug info