File name: file1.exe

Full analysis: https://app.any.run/tasks/9b33d4ff-0388-4af0-a7ad-e1160890279d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 14, 2024, 11:46:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ransomware, teslacrypt
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5: 9CE01DFBF25DFEA778E57D8274675D6F
SHA1: 1BD767BEB5BC36B396CA6405748042640AD57526
SHA256: 5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwuq:4qZb8oR3D6R5QHXZJy/Q50imAvBq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • TESLACRYPT has been detected (SURICATA)

      • oqrraatgxwlg.exe (PID: 6244)
    • Deletes shadow copies

      • oqrraatgxwlg.exe (PID: 6244)
    • Connects to the CnC server

      • oqrraatgxwlg.exe (PID: 6244)
    • Changes the autorun value in the registry

      • oqrraatgxwlg.exe (PID: 6244)
  • SUSPICIOUS

    • Starts itself from another location

      • file1.exe (PID: 648)
    • Reads security settings of Internet Explorer

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Starts CMD.EXE for command execution

      • file1.exe (PID: 648)
    • Executable content was dropped or overwritten

      • file1.exe (PID: 648)
    • Checks Windows Trust Settings

      • oqrraatgxwlg.exe (PID: 6244)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6708)
    • Contacting a server suspected of hosting a CnC

      • oqrraatgxwlg.exe (PID: 6244)
  • INFO

    • The process uses the downloaded file

      • oqrraatgxwlg.exe (PID: 6244)
      • file1.exe (PID: 648)
    • Reads the computer name

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Process checks computer location settings

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Checks supported languages

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • The sample was compiled with English language support

      • file1.exe (PID: 648)
    • Reads the software policy settings

      • oqrraatgxwlg.exe (PID: 6244)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6568)
    • Checks proxy server information

      • oqrraatgxwlg.exe (PID: 6244)
    • Reads the machine GUID from the registry

      • oqrraatgxwlg.exe (PID: 6244)
    • Creates files or folders in the user directory

      • oqrraatgxwlg.exe (PID: 6244)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

ProductVersion: 1.9.0
ProductName: nah nah®
OriginalFileName: nah nah
LegalCopyright: ©nah nah Corporation. All rights reserved.
InternalName: nah nah
FileVersion: 1.600.5512
FileDescription: nah nahApp
CompanyName: nah nah Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.1.2600.5512
FileVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3c40
UninitializedDataSize: -
InitializedDataSize: 626688
CodeSize: 16384
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
TimeStamp: 2016:02:28 18:15:11+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column of the process information below ("no specs" is the graph's own label for processes with no process-specific indicators):

start
  file1.exe (PID 648)
    oqrraatgxwlg.exe (PID 6244) #TESLACRYPT
      wmic.exe (PID 6568)
        conhost.exe (PID 6576) no specs
    cmd.exe (PID 6292) no specs
      conhost.exe (PID 6308) no specs
  vssvc.exe (PID 6708, parent services.exe) no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 648
CMD: "C:\Users\admin\AppData\Local\Temp\file1.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules
Images
c:\users\admin\appdata\local\temp\file1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6244
CMD: C:\Users\admin\Documents\oqrraatgxwlg.exe
Path: C:\Users\admin\Documents\oqrraatgxwlg.exe
Parent process: file1.exe
User: admin
Company: nah nah Corporation
Integrity Level: MEDIUM
Description: nah nahApp
Version: 1.600.5512
Modules
Images
c:\users\admin\documents\oqrraatgxwlg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6292
CMD: "C:\WINDOWS\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\file1.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: file1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6568
CMD: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: oqrraatgxwlg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749890
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 6576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6708
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 065
Read events: 4 058
Write events: 7
Delete events: 0

Modification events

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fcreulonbmnk
Value: C:\WINDOWS\system32\cmd.exe /c start "" "C:\Users\admin\Documents\oqrraatgxwlg.exe"

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLinkedConnections
Value: 1

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\xxxsys
Operation: write
Name: ID
Value: 370709A69BB7F491

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\3779A69BB7F491
Operation: write
Name: data
Value:
314A334275396471667A56437763394A50596632724735576134346458385A597954000000000000000000000000000004491F0144FF0474F9B5DE6BD9AADFBE8DE8A5529EA6DC74A2FAF8C75104FBF0E197491BDE0C7DCEADE907A74885979C03F1A42807ABF300E93C0DE5AB98F45D4CED92F83115340BD16520DB0CFD7F71A34FBF19A75E33C0AEDABF1786ED6543E100000000000000000000000000000000000000000000000000000000000000044638DC9578E36EAE3AAB62B05376D9147DB9FFCDACEA0D531B89551A5E3F0613C6B973E3B338BAF27CEAB5DC56AFF86422DF8A53564A61BDC5DE1DB4F367EB6C000000000000000D705D6700000000

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 962
Text files: 361
Unknown types: 1

Dropped files

PID | Process | Filename | Type
6244 | oqrraatgxwlg.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+ochcl.html | html
MD5: AB89E540A8E90ED48DC18EA61AD2F9CA
SHA256: 15306F61E8617F4B4E5B9220927F657232987078EC3B36B899A3DCC2CFEF8918
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak.mp3 | binary
MD5: 8DB869AFF2379F0A0ED111F1EC3F51A5
SHA256: 71EA8F2E5D397AF9C24E7A91926B5EE2531E195DFBB63D17014C38F1031839F5
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak | binary
MD5: 75BDE7E59C026D905113201AF6FDD813
SHA256: DCBF1790738D70C8A9E3925B37CEC54BA31234E8B803D608A256797DED3719A0
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak | binary
MD5: 8DB869AFF2379F0A0ED111F1EC3F51A5
SHA256: 71EA8F2E5D397AF9C24E7A91926B5EE2531E195DFBB63D17014C38F1031839F5
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\COPYING.LGPLv2.1.txt.mp3 | binary
MD5: 737C3419764C06051232D6989E6DB5CB
SHA256: 020ED99264DD547D530401D5F976102923579DBB41636CDB8C91611B0D1F7B1E
6244 | oqrraatgxwlg.exe | C:\Users\admin\Documents\recover_file_iqpmhsfly.txt | text
MD5: 5D8E5A38E1C94886769CC991C48126D4
SHA256: 6717FE8323FDEB5AD2F50185E8360991E079512071E718BFDD161303E5C0AB50
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | binary
MD5: FF8EAE8DC5D3E98ED0D446B17100B2BB
SHA256: 654481920D8109830DE349280AFD0DAB24E02914D40648760CEE9DF385A3BD58
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png | binary
MD5: F54C13347CCD2D3356AE973171577AD2
SHA256: B338573FD27BF375D2AA69599EDB03669A0AFB59CED1C8337BA1EAC0958E7F5A
6244 | oqrraatgxwlg.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+ochcl.png | image
MD5: 7E6758001A6CA71B2BFE49200C764E30
SHA256: 9BA20504700D5D02664FCC694E64D0E359DBB6A009DF3BB1BBBFB0683D62FF29
6244 | oqrraatgxwlg.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.mp3 | binary
MD5: F54C13347CCD2D3356AE973171577AD2
SHA256: B338573FD27BF375D2AA69599EDB03669A0AFB59CED1C8337BA1EAC0958E7F5A
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 13
TCP/UDP connections: 40
DNS requests: 25
Threats: 4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6160
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6244
oqrraatgxwlg.exe
POST
98.85.201.66:80
http://surrogacyandadoption.com/bstr.php
unknown
malicious
6244
oqrraatgxwlg.exe
POST
200
85.128.128.104:80
http://stacon.eu/bstr.php
unknown
malicious
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6244
oqrraatgxwlg.exe
POST
200
107.178.223.183:80
http://worldisonefamily.info/zz/libraries/bstr.php
unknown
malicious
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1580
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6160
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5340 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.160:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6244 | oqrraatgxwlg.exe | 162.241.224.203:80 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious
6244 | oqrraatgxwlg.exe | 162.241.224.203:443 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.147
  • 104.126.37.168
  • 104.126.37.154
  • 104.126.37.152
  • 104.126.37.155
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.153
whitelisted
biocarbon.com.ec
  • 162.241.224.203
malicious
r10.o.lencr.org
  • 23.32.238.82
  • 23.32.238.27
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.72
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted

Threats

PID
Process
Class
Message
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
No debug info