File name: file1.exe

Full analysis: https://app.any.run/tasks/9b33d4ff-0388-4af0-a7ad-e1160890279d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 14, 2024, 11:46:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ransomware, teslacrypt
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 8 sections
MD5: 9CE01DFBF25DFEA778E57D8274675D6F
SHA1: 1BD767BEB5BC36B396CA6405748042640AD57526
SHA256: 5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
SSDEEP: 6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwuq:4qZb8oR3D6R5QHXZJy/Q50imAvBq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • oqrraatgxwlg.exe (PID: 6244)
    • Deletes shadow copies

      • oqrraatgxwlg.exe (PID: 6244)
    • TESLACRYPT has been detected (SURICATA)

      • oqrraatgxwlg.exe (PID: 6244)
    • Connects to the CnC server

      • oqrraatgxwlg.exe (PID: 6244)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • file1.exe (PID: 648)
    • Reads security settings of Internet Explorer

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Starts itself from another location

      • file1.exe (PID: 648)
    • Starts CMD.EXE for command execution

      • file1.exe (PID: 648)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6708)
    • Checks Windows Trust Settings

      • oqrraatgxwlg.exe (PID: 6244)
    • Contacting a server suspected of hosting a CnC

      • oqrraatgxwlg.exe (PID: 6244)
  • INFO

    • Reads the computer name

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • The sample was compiled with English language support

      • file1.exe (PID: 648)
    • Checks supported languages

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Process checks computer location settings

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • The process uses the downloaded file

      • file1.exe (PID: 648)
      • oqrraatgxwlg.exe (PID: 6244)
    • Reads the machine GUID from the registry

      • oqrraatgxwlg.exe (PID: 6244)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6568)
    • Checks proxy server information

      • oqrraatgxwlg.exe (PID: 6244)
    • Reads the software policy settings

      • oqrraatgxwlg.exe (PID: 6244)
    • Creates files or folders in the user directory

      • oqrraatgxwlg.exe (PID: 6244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:02:28 18:15:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 16384
InitializedDataSize: 626688
UninitializedDataSize: -
EntryPoint: 0x3c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: nah nah Corporation
FileDescription: nah nahApp
FileVersion: 1.600.5512
InternalName: nah nah
LegalCopyright: ©nah nah Corporation. All rights reserved.
OriginalFileName: nah nah
ProductName: nah nah®
ProductVersion: 1.9.0
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order: start, file1.exe, oqrraatgxwlg.exe (#TESLACRYPT), cmd.exe (no specs), conhost.exe (no specs), wmic.exe, conhost.exe (no specs), vssvc.exe (no specs)

Process information

PID: 648
CMD: "C:\Users\admin\AppData\Local\Temp\file1.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
  • c:\users\admin\appdata\local\temp\file1.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 6244
CMD: C:\Users\admin\Documents\oqrraatgxwlg.exe
Path: C:\Users\admin\Documents\oqrraatgxwlg.exe
Parent process: file1.exe
User: admin
Company: nah nah Corporation
Integrity Level: MEDIUM
Description: nah nahApp
Version: 1.600.5512
Modules (images):
  • c:\users\admin\documents\oqrraatgxwlg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 6292
CMD: "C:\WINDOWS\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\file1.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: file1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 6308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 6568
CMD: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: oqrraatgxwlg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 2147749890
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\wbem\wmic.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\framedynos.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll

PID: 6576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 6708
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\vssvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

Total events: 4 065
Read events: 4 058
Write events: 7
Delete events: 0

Modification events

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fcreulonbmnk
Value: C:\WINDOWS\system32\cmd.exe /c start "" "C:\Users\admin\Documents\oqrraatgxwlg.exe"

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLinkedConnections
Value: 1

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\xxxsys
Operation: write
Name: ID
Value: 370709A69BB7F491

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\3779A69BB7F491
Operation: write
Name: data
Value: 314A334275396471667A56437763394A50596632724735576134346458385A597954000000000000000000000000000004491F0144FF0474F9B5DE6BD9AADFBE8DE8A5529EA6DC74A2FAF8C75104FBF0E197491BDE0C7DCEADE907A74885979C03F1A42807ABF300E93C0DE5AB98F45D4CED92F83115340BD16520DB0CFD7F71A34FBF19A75E33C0AEDABF1786ED6543E100000000000000000000000000000000000000000000000000000000000000044638DC9578E36EAE3AAB62B05376D9147DB9FFCDACEA0D531B89551A5E3F0613C6B973E3B338BAF27CEAB5DC56AFF86422DF8A53564A61BDC5DE1DB4F367EB6C000000000000000D705D6700000000

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6244) oqrraatgxwlg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 1
Suspicious files: 962
Text files: 361
Unknown types: 1

Dropped files

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\_RECOVERY_+ochcl.html
Type: html
MD5: AB89E540A8E90ED48DC18EA61AD2F9CA
SHA256: 15306F61E8617F4B4E5B9220927F657232987078EC3B36B899A3DCC2CFEF8918

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak.mp3
Type: binary
MD5: 75BDE7E59C026D905113201AF6FDD813
SHA256: DCBF1790738D70C8A9E3925B37CEC54BA31234E8B803D608A256797DED3719A0

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Users\admin\Documents\recover_file_iqpmhsfly.txt
Type: text
MD5: 5D8E5A38E1C94886769CC991C48126D4
SHA256: 6717FE8323FDEB5AD2F50185E8360991E079512071E718BFDD161303E5C0AB50

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\resources.pak
Type: -
MD5: -
SHA256: -

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\resources.pak.mp3
Type: -
MD5: -
SHA256: -

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak
Type: binary
MD5: 75BDE7E59C026D905113201AF6FDD813
SHA256: DCBF1790738D70C8A9E3925B37CEC54BA31234E8B803D608A256797DED3719A0

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\locales\en-US.pak
Type: binary
MD5: 8E9186306C0D29DC2F9BAC04934A6976
SHA256: 146E1C096CC98B3EC728B9D9E23D9C2402493B9D1E1D5D312CD494442A78C289

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.mp3
Type: binary
MD5: FF8EAE8DC5D3E98ED0D446B17100B2BB
SHA256: 654481920D8109830DE349280AFD0DAB24E02914D40648760CEE9DF385A3BD58

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\LICENSE.txt.mp3
Type: binary
MD5: 6D56A16689F1615154AAD08028426059
SHA256: 1D832BC75B27FEEA8C82212BC9151408C50D49580D036D6FDD433F897F047925

PID: 6244 | Process: oqrraatgxwlg.exe
Filename: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_200_percent.pak
Type: binary
MD5: 8DB869AFF2379F0A0ED111F1EC3F51A5
SHA256: 71EA8F2E5D397AF9C24E7A91926B5EE2531E195DFBB63D17014C38F1031839F5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 40
DNS requests: 25
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6244 | oqrraatgxwlg.exe | POST | 301 | 162.241.224.203:80 | http://biocarbon.com.ec/wp-content/uploads/bstr.php | unknown | - | - | malicious
6244 | oqrraatgxwlg.exe | GET | 200 | 23.32.238.82:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgPdudvodJRcElz6vtmmu4TyWg%3D%3D | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
6244 | oqrraatgxwlg.exe | POST | 200 | 85.128.128.104:80 | http://stacon.eu/bstr.php | unknown | - | - | malicious
6244 | oqrraatgxwlg.exe | POST | - | 98.85.201.66:80 | http://surrogacyandadoption.com/bstr.php | unknown | - | - | malicious
6244 | oqrraatgxwlg.exe | POST | 200 | 107.178.223.183:80 | http://worldisonefamily.info/zz/libraries/bstr.php | unknown | - | - | malicious
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
6160 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5340 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.160:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6244 | oqrraatgxwlg.exe | 162.241.224.203:80 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious
6244 | oqrraatgxwlg.exe | 162.241.224.203:443 | biocarbon.com.ec | UNIFIEDLAYER-AS-1 | US | malicious


DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158, 20.73.194.208 | whitelisted
crl.microsoft.com | 23.48.23.166, 23.48.23.156, 23.48.23.147 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 142.250.181.238 | whitelisted
www.bing.com | 104.126.37.160, 104.126.37.147, 104.126.37.168, 104.126.37.154, 104.126.37.152, 104.126.37.155, 104.126.37.170, 104.126.37.163, 104.126.37.153 | whitelisted
biocarbon.com.ec | 162.241.224.203 | malicious
r10.o.lencr.org | 23.32.238.82, 23.32.238.27 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.76, 20.190.160.20, 40.126.32.74, 40.126.32.72, 20.190.160.14, 20.190.160.17, 20.190.160.22 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted


Threats

PID | Process | Class | Message
6244 | oqrraatgxwlg.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
6244 | oqrraatgxwlg.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
6244 | oqrraatgxwlg.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
6244 | oqrraatgxwlg.exe | Malware Command and Control Activity Detected | ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon

No debug info