Windows Analysis Report
OfficeSetup.exe

Overview

General Information

Sample name: OfficeSetup.exe
Analysis ID: 1542002
MD5: 71dde4df92b2284f19491087e637b040
SHA1: 341c931af7e64277b2a755a0cce550b2cd5fd153
SHA256: bd4f0d84b3a1592ff124bf718fb59a2d284793cbbde9870ec06dcf0b858b408a

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Query firmware table information (likely to detect VMs)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Stores large binary data to the registry
Uses 32bit PE files

Classification

Source: OfficeSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: OfficeSetup.exe Static PE information: certificate valid
Source: OfficeSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine Classification label: sus22.evad.winEXE@3/5@0/55
Source: C:\Users\user\Desktop\OfficeSetup.exe File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A2A77FA-00BE-4D75-BE01-6F0AFA1F7768
Source: C:\Users\user\Desktop\OfficeSetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
Source: C:\Users\user\Desktop\OfficeSetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\OfficeSetupBootstrapper
Source: C:\Users\user\Desktop\OfficeSetup.exe Mutant created: \Sessions\1\BaseNamedObjects\Office.16.916BB0BF-2D21-4499-83C7-555DB4C3F8E8
Source: C:\Users\user\Desktop\OfficeSetup.exe File created: C:\Users\user\AppData\Local\Temp\284992-20241025-0629.log
Source: OfficeSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OfficeSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\OfficeSetup.exe File read: C:\Users\user\Desktop\OfficeSetup.exe
Source: unknown Process created: C:\Users\user\Desktop\OfficeSetup.exe "C:\Users\user\Desktop\OfficeSetup.exe"
Source: C:\Users\user\Desktop\OfficeSetup.exe Process created: C:\Users\user\Desktop\OfficeSetup.exe OfficeSetup.exe RELAUNCHED
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windows.ui.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: appxdeploymentclient.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: netprofm.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: npmproxy.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: webservices.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: bitsproxy.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: msxml6.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\OfficeSetup.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
Source: OfficeSetup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: OfficeSetup.exe Static file information: File size 7556032 > 1048576
Source: OfficeSetup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x45ba00
Source: OfficeSetup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1f3a00
Source: OfficeSetup.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OfficeSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OfficeSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OfficeSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OfficeSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OfficeSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OfficeSetup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: OfficeSetup.exe Static PE information: real checksum: 0x743a86 should be: 0x7386ca
Source: C:\Users\user\Desktop\OfficeSetup.exe Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Source: C:\Users\user\Desktop\OfficeSetup.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData 1.16
Source: C:\Users\user\Desktop\OfficeSetup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\OfficeSetup.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\OfficeSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid