File name:

MSUpdate.exe

Full analysis: https://app.any.run/tasks/e28cee4d-3ff3-45b7-abfa-00e158f44ba5
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 19, 2024, 09:46:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
teslacrypt
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

9CE01DFBF25DFEA778E57D8274675D6F

SHA1:

1BD767BEB5BC36B396CA6405748042640AD57526

SHA256:

5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D

SSDEEP:

6144:4qZbqZToxIizLBZ6R56VkGM4ceLJ5vs5JGJceO/QCErIiuNAvwuq:4qZb8oR3D6R5QHXZJy/Q50imAvBq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • MSUpdate.exe (PID: 2752)

    • TeslaCrypt is detected

      • ociexdxtxqhx.exe (PID: 2960)

    • Changes the autorun value in the registry

      • ociexdxtxqhx.exe (PID: 2960)

    • Deletes shadow copies

      • ociexdxtxqhx.exe (PID: 2960)

    • Connects to the CnC server

      • ociexdxtxqhx.exe (PID: 2960)

    • Modifies files in the Chrome extension folder

      • ociexdxtxqhx.exe (PID: 2960)

    • Actions looks like stealing of personal data

      • ociexdxtxqhx.exe (PID: 2960)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MSUpdate.exe (PID: 2752)

    • Starts CMD.EXE for commands execution

      • MSUpdate.exe (PID: 2752)

    • Starts itself from another location

      • MSUpdate.exe (PID: 2752)

    • Reads security settings of Internet Explorer

      • MSUpdate.exe (PID: 2752)
      • ociexdxtxqhx.exe (PID: 2960)

    • Reads the Internet Settings

      • ociexdxtxqhx.exe (PID: 2960)
      • MSUpdate.exe (PID: 2752)
      • WMIC.exe (PID: 2840)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3696)

    • Contacting a server suspected of hosting an CnC

      • ociexdxtxqhx.exe (PID: 2960)

    • There is functionality for taking screenshot (YARA)

      • ociexdxtxqhx.exe (PID: 2960)

  • INFO

    • Reads the computer name

      • MSUpdate.exe (PID: 2752)
      • ociexdxtxqhx.exe (PID: 2960)

    • Checks supported languages

      • MSUpdate.exe (PID: 2752)
      • ociexdxtxqhx.exe (PID: 2960)

    • Reads the machine GUID from the registry

      • MSUpdate.exe (PID: 2752)
      • ociexdxtxqhx.exe (PID: 2960)

    • Checks proxy server information

      • ociexdxtxqhx.exe (PID: 2960)

    • Create files in a temporary directory

      • ociexdxtxqhx.exe (PID: 2960)

    • Creates files or folders in the user directory

      • ociexdxtxqhx.exe (PID: 2960)

    • Dropped object may contain TOR URL's

      • ociexdxtxqhx.exe (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:02:28 18:15:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, 32-bit, No debug
PEType: PE32
LinkerVersion: 8
CodeSize: 16384
InitializedDataSize: 626688
UninitializedDataSize: -
EntryPoint: 0x3c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: nah nah Corporation
FileDescription: nah nahApp
FileVersion: 1.600.5512
InternalName: nah nah
LegalCopyright: ©nah nah Corporation. All rights reserved.
OriginalFileName: nah nah
ProductName: nah nah®
ProductVersion: 1.9.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msupdate.exe #TESLACRYPT ociexdxtxqhx.exe cmd.exe no specs wmic.exe no specs vssvc.exe no specs wmpnscfg.exe no specs msupdate.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
540"C:\Windows\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\MSUpdate.exeC:\Windows\System32\cmd.exeMSUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2752"C:\Users\admin\AppData\Local\Temp\MSUpdate.exe" C:\Users\admin\AppData\Local\Temp\MSUpdate.exe
explorer.exe
User:
admin
Company:
nah nah Corporation
Integrity Level:
HIGH
Description:
nah nahApp
Exit code:
1
Version:
1.600.5512
Modules
Images
c:\users\admin\appdata\local\temp\msupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
2840"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive C:\Windows\System32\wbem\WMIC.exeociexdxtxqhx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
2960C:\Windows\ociexdxtxqhx.exeC:\Windows\ociexdxtxqhx.exe
MSUpdate.exe
User:
admin
Company:
nah nah Corporation
Integrity Level:
HIGH
Description:
nah nahApp
Version:
1.600.5512
Modules
Images
c:\windows\ociexdxtxqhx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
3384"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3520"C:\Users\admin\AppData\Local\Temp\MSUpdate.exe" C:\Users\admin\AppData\Local\Temp\MSUpdate.exeexplorer.exe
User:
admin
Company:
nah nah Corporation
Integrity Level:
MEDIUM
Description:
nah nahApp
Exit code:
3221226540
Version:
1.600.5512
Modules
Images
c:\users\admin\appdata\local\temp\msupdate.exe
c:\windows\system32\ntdll.dll
3696C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
4 844
Read events
4 789
Write events
46
Delete events
9

Modification events

(PID) Process:(2752) MSUpdate.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2752) MSUpdate.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2752) MSUpdate.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2752) MSUpdate.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:eetbfhcqdssu
Value:
C:\Windows\system32\cmd.exe /c start "" "C:\Windows\ociexdxtxqhx.exe"
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLinkedConnections
Value:
1
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_CURRENT_USER\Software\xxxsys
Operation:writeName:ID
Value:
5FAB3963F11AC86A
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_CURRENT_USER\Software\5FAB3963F11AC86A
Operation:writeName:data
Value:
3138344A523279726A58775278466D43634B4C57516B444147554347675038335348000000000000000000000000000004E0CE153BA1EB2F315169616F93F20735B19EDFFDF009D42077F4572FBC432936EBC0ECA010AEB2EC923949809B0DE7B2B945B2D9DE7B736DEC8D45C9890C2ACA5BB311F1CD8E7FEBA6F325A831A48D44BAE34929DFFE194D6CDD61093DDBAF350000000000000000000000000000000000000000000000000000000000000004D6337591BD581CF593061144A6E69A1E1ABAE98F6FC9E58B9710AFE9F594EB457281B9D7AB8713469FB911CCC2B9E25F199922E8A6D35BACC61522C9FBECB4430000000000000007369A6600000000
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2960) ociexdxtxqhx.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
1
Suspicious files
788
Text files
2 245
Unknown types
0

Dropped files

PID
Process
Filename
Type
2752MSUpdate.exeC:\Windows\ociexdxtxqhx.exeexecutable
MD5:9CE01DFBF25DFEA778E57D8274675D6F
SHA256:5343947829609F69E84FE7E8172C38EE018EDE3C9898D4895275F596AC54320D
2960ociexdxtxqhx.exeC:\Users\admin\Documents\recover_file_xpdywatnv.txttext
MD5:84B7C1AF0363F1809AEA415D5ED15F39
SHA256:D6F62386913950D6583C4409F9C65A6B113937A9CB880FA122CC5DA6B56EA2B3
2960ociexdxtxqhx.exeC:\$Recycle.Bin\_RECOVERY_+ajqjp.txttext
MD5:F3C6E81DD58DAF67E8C0E6218ECE8C35
SHA256:C27BBBA837F042CD26BA381399DA840A7EC4B7D4BFC23B7988570A436485DE09
2960ociexdxtxqhx.exeC:\Users\_RECOVERY_+ajqjp.txttext
MD5:F3C6E81DD58DAF67E8C0E6218ECE8C35
SHA256:C27BBBA837F042CD26BA381399DA840A7EC4B7D4BFC23B7988570A436485DE09
2960ociexdxtxqhx.exeC:\Users\_RECOVERY_+ajqjp.htmlhtml
MD5:AB5B01CDB2D03F1977FE6D197587CE22
SHA256:3A835EF312B851A635965BA80AEA7FAEAC083380E045ABD4E459716354476378
2960ociexdxtxqhx.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\_RECOVERY_+ajqjp.pngimage
MD5:595E890A35B800F679CA0B433615DE71
SHA256:4CE3C8E454E43878FF0E4F06C6914C6E33FB1314BB3E64E7406C6389189C4BFA
2960ociexdxtxqhx.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\_RECOVERY_+ajqjp.txttext
MD5:F3C6E81DD58DAF67E8C0E6218ECE8C35
SHA256:C27BBBA837F042CD26BA381399DA840A7EC4B7D4BFC23B7988570A436485DE09
2960ociexdxtxqhx.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\_RECOVERY_+ajqjp.txttext
MD5:F3C6E81DD58DAF67E8C0E6218ECE8C35
SHA256:C27BBBA837F042CD26BA381399DA840A7EC4B7D4BFC23B7988570A436485DE09
2960ociexdxtxqhx.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\_RECOVERY_+ajqjp.htmlhtml
MD5:AB5B01CDB2D03F1977FE6D197587CE22
SHA256:3A835EF312B851A635965BA80AEA7FAEAC083380E045ABD4E459716354476378
2960ociexdxtxqhx.exeC:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\_RECOVERY_+ajqjp.htmlhtml
MD5:AB5B01CDB2D03F1977FE6D197587CE22
SHA256:3A835EF312B851A635965BA80AEA7FAEAC083380E045ABD4E459716354476378
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
20
DNS requests
13
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
2960
ociexdxtxqhx.exe
POST
301
162.241.224.203:80
http://biocarbon.com.ec/wp-content/uploads/bstr.php
unknown
unknown
2960
ociexdxtxqhx.exe
POST
85.128.188.138:80
http://stacon.eu/bstr.php
unknown
unknown
1060
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3
unknown
whitelisted
2960
ociexdxtxqhx.exe
POST
404
3.94.41.167:80
http://surrogacyandadoption.com/bstr.php
unknown
unknown
2960
ociexdxtxqhx.exe
POST
200
104.155.138.21:80
http://worldisonefamily.info/zz/libraries/bstr.php
unknown
unknown
1372
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2960
ociexdxtxqhx.exe
162.241.224.203:80
biocarbon.com.ec
UNIFIEDLAYER-AS-1
US
unknown
2960
ociexdxtxqhx.exe
162.241.224.203:443
biocarbon.com.ec
UNIFIEDLAYER-AS-1
US
unknown
2960
ociexdxtxqhx.exe
85.128.188.138:80
stacon.eu
Nazwa.pl Sp.z.o.o.
PL
unknown
2960
ociexdxtxqhx.exe
3.94.41.167:80
surrogacyandadoption.com
AMAZON-AES
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
biocarbon.com.ec
  • 162.241.224.203
malicious
imagescroll.com
unknown
music.mbsaeger.com
unknown
stacon.eu
  • 85.128.188.138
unknown
surrogacyandadoption.com
  • 3.94.41.167
  • 52.86.6.113
unknown
worldisonefamily.info
  • 104.155.138.21
  • 107.178.223.183
unknown
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.216
  • 23.50.131.200
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted

Threats

PID
Process
Class
Message
2960
ociexdxtxqhx.exe
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
2960
ociexdxtxqhx.exe
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
2960
ociexdxtxqhx.exe
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
2960
ociexdxtxqhx.exe
Malware Command and Control Activity Detected
ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MSUpdate.exe