Edit tour

Windows Analysis Report
OfficeSetup.exe

Overview

General Information

Sample name:	OfficeSetup.exe
Analysis ID:	1542002
MD5:	71dde4df92b2284f19491087e637b040
SHA1:	341c931af7e64277b2a755a0cce550b2cd5fd153
SHA256:	bd4f0d84b3a1592ff124bf718fb59a2d284793cbbde9870ec06dcf0b858b408a

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Query firmware table information (likely to detect VMs)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Stores large binary data to the registry

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

OfficeSetup.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\OfficeSetup.exe" MD5: 71DDE4DF92B2284F19491087E637B040)

OfficeSetup.exe (PID: 6904 cmdline: OfficeSetup.exe RELAUNCHED MD5: 71DDE4DF92B2284F19491087E637B040)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: OfficeSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: OfficeSetup.exe

Static PE information: certificate valid

Source: OfficeSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: OfficeSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: sus22.evad.winEXE@3/5@0/55

Source: C:\Users\user\Desktop\OfficeSetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A2A77FA-00BE-4D75-BE01-6F0AFA1F7768

Source: C:\Users\user\Desktop\OfficeSetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
Source: C:\Users\user\Desktop\OfficeSetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\OfficeSetupBootstrapper
Source: C:\Users\user\Desktop\OfficeSetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Office.16.916BB0BF-2D21-4499-83C7-555DB4C3F8E8

Source: C:\Users\user\Desktop\OfficeSetup.exe

File created: C:\Users\user\AppData\Local\Temp\284992-20241025-0629.log

Source: OfficeSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OfficeSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\OfficeSetup.exe

File read: C:\Users\user\Desktop\OfficeSetup.exe

Source: unknown	Process created: C:\Users\user\Desktop\OfficeSetup.exe "C:\Users\user\Desktop\OfficeSetup.exe"
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process created: C:\Users\user\Desktop\OfficeSetup.exe OfficeSetup.exe RELAUNCHED
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process created: C:\Users\user\Desktop\OfficeSetup.exe OfficeSetup.exe RELAUNCHED

Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: webio.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: netprofm.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: npmproxy.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: webservices.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: bitsproxy.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: msxml6.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\OfficeSetup.exe	Section loaded: oleacc.dll

Source: C:\Users\user\Desktop\OfficeSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\OfficeSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office

Source: OfficeSetup.exe

Static PE information: certificate valid

Source: OfficeSetup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: OfficeSetup.exe

Static file information: File size 7556032 > 1048576

Source: OfficeSetup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x45ba00
Source: OfficeSetup.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1f3a00

Source: OfficeSetup.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OfficeSetup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: OfficeSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: OfficeSetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: OfficeSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OfficeSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OfficeSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OfficeSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OfficeSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: OfficeSetup.exe

Static PE information: real checksum: 0x743a86 should be: 0x7386ca

Source: C:\Users\user\Desktop\OfficeSetup.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Source: C:\Users\user\Desktop\OfficeSetup.exe	Registry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Source: C:\Users\user\Desktop\OfficeSetup.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData 1.16

Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OfficeSetup.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\OfficeSetup.exe

System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\OfficeSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Virtualization/Sandbox Evasion	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OfficeSetup.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.168.117.171	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.89.18	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.89.117	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.146	unknown	European Union	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542002
Start date and time:	2024-10-25 12:28:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	OfficeSetup.exe
Detection:	SUS
Classification:	sus22.evad.winEXE@3/5@0/55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.109.89.18, 52.109.89.117, 2.19.126.146, 2.19.126.140, 52.168.117.171, 20.242.39.171
Excluded domains from analysis (whitelisted): f.c2r.ts.cdn.office.net, ecs.office.com, fs.microsoft.com, slscr.update.microsoft.com, mrodevicemgr.officeapps.live.com, prod.configsvc1.live.com.akadns.net, a245.dscd.akamai.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, office-cdn.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, prod.mrodevicemgr.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, onedscolprdeus16.eastus.cloudapp.azure.com, office-f-net.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: OfficeSetup.exe

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A2A77FA-00BE-4D75-BE01-6F0AFA1F7768

Download File

Process:	C:\Users\user\Desktop\OfficeSetup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	178267
Entropy (8bit):	5.290269745252121
Encrypted:	false
SSDEEP:
MD5:	E7CE8689FB701B7AFC669339F56B9A48
SHA1:	22646AA613CDFB4508B28F99B2B717DE5A0ED1CF
SHA-256:	12DAFB02D57E1C7D1D0FF56636BDBCCCCE643E2F497590F2A222867500D16735
SHA-512:	F4FBCD511ABA76F3FA40B1C47266C83B22FD5B2C51C75C386E7392E6821ACF38C41238C8B3B12DCA6F0FE2DE53F45AC871A2CA95950A298586A6C7227B0C4701
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-25T10:29:20">.. Build: 16.0.18209.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db

Download File

Process:	C:\Users\user\Desktop\OfficeSetup.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3034001, writer version 2, read version 2, file counter 5, database pages 6, cookie 0x3, schema 4, largest root page 6, UTF-8, version-valid-for 5
Category:	modified
Size (bytes):	24576
Entropy (8bit):	0.2787693849997949
Encrypted:	false
SSDEEP:
MD5:	9FAB7A9788F83440EDB66D77B34075A7
SHA1:	86F1A61AC81FCF262212C58C7147CE901CE5C111
SHA-256:	26E194E12E517CED81732DDB345357228700DC9E559E80993D03A91122DDFDF9
SHA-512:	2E55F120B32A7A22C1D630A0806284AC180153EE2770DC754FD7D3C23866E649C609A7D8D00B97B084902118F599E7E142B524B99C4665ADAFD5FB1BFF355CD1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................K..........#.....g....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm

Download File

Process:	C:\Users\user\Desktop\OfficeSetup.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03610628277380418
Encrypted:	false
SSDEEP:
MD5:	E6ACF06F6B2793B6956F48107646D5A0
SHA1:	F5C05B170F7806AF2F74EFC2DC61F03DCDB08ED8
SHA-256:	93C2FD9FB835BEABB5A6119D849AB8738897E7EDBD63B7933344FD9CF49D03DA
SHA-512:	8B37D3632871B32CE0ED0CF2AF85B78B46D59D21D7DDE369210CEFBFAE0795ED7A3CC70FE4BE95770248849E69C0D7DA2872526B3F5BCC3A4025689EA64C3BC8
Malicious:	false
Reputation:	unknown
Preview:	..-..................... .HT.Dt...Y.g.7.Q...n..-..................... .HT.Dt...Y.g.7.Q...n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal

Download File

Process:	C:\Users\user\Desktop\OfficeSetup.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	4152
Entropy (8bit):	1.3838061524964311
Encrypted:	false
SSDEEP:
MD5:	10CB87351CAAD9BCE30EA458C6392B83
SHA1:	7BE7426BE74BD54F54EB86F429ED23B71C2EB433
SHA-256:	64234A2ABDF38E00B98407B522E833FFF02651EC0CBF2A23913123B8EF217DE9
SHA-512:	662D6F4B70A812193EC703F1065DC3B24B7E34488D32A150AAC3CAFD8FE0859A6CB316F2A3D2B230D3E9BB014D225333989F22F548839DEC41B35BA06EF16DB1
Malicious:	false
Reputation:	unknown
Preview:	7....-............Y.g..g....%...........Y.g.TH. .tD.SQLite format 3......@ ..........................................................................K..........#.....g............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\284992-20241025-0629.log

Download File

Process:	C:\Users\user\Desktop\OfficeSetup.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (2215), with CRLF line terminators
Category:	dropped
Size (bytes):	536828
Entropy (8bit):	3.8320006454059397
Encrypted:	false
SSDEEP:
MD5:	9856298354E6F24D00239E64EB533636
SHA1:	8FDCF5786E8A97EDA49AA846E9012FD90F4F8F8E
SHA-256:	5E5243EBB9798C5540823DCAF516366211F0118A5B538FBB54579F13FD9099D3
SHA-512:	FAEB78E876023C321D8676267B9F1AA3E27A86127248755A4651BB9ED7C2D1A4643D70D58F92DF365A5CCD688C560FB36EF185D3A857910D8E03139B83897918
Malicious:	false
Reputation:	unknown
Preview:	..T.i.m.e.s.t.a.m.p...P.r.o.c.e.s.s...T.I.D...A.r.e.a...C.a.t.e.g.o.r.y...E.v.e.n.t.I.D...L.e.v.e.l...M.e.s.s.a.g.e...C.o.r.r.e.l.a.t.i.o.n.....1.0./.2.5./.2.0.2.4. .0.6.:.2.9.:.1.8...4.1.4...O.F.F.I.C.E.~.1. .(.0.x.1.a.f.8.)...0.x.1.a.f.c.....C.l.i.c.k.-.T.o.-.R.u.n. .G.e.n.e.r.a.l. .T.e.l.e.m.e.t.r.y...a.q.k.h.c...M.e.d.i.u.m...I.n.i.t.L.o.g.g.i.n.g. .{.".M.a.c.h.i.n.e.I.d.".:. .".b.2.d.f.2.e.3.5.5.e.3.c.0.2.4.9.9.1.f.2.8.6.e.1.9.a.9.5.b.9.c.3.".,. .".S.e.s.s.i.o.n.I.D.".:. .".0.9.7.c.7.7.f.b.-.5.d.5.d.-.4.8.6.8.-.8.6.0.b.-.0.9.f.4.e.5.b.5.0.a.5.3.".,. .".G.e.o.I.D.".:. .2.2.3.,. .".V.e.r.".:. .".0...0...0...0.".,. .".C.2.R.C.l.i.e.n.t.V.e.r.".:. .".1.6...0...1.8.0.2.5...2.0.1.6.0.".,. .".C.o.n.t.e.x.t.D.a.t.a.".:. .".{.\.".A.p.p.V.V.e.r.s.i.o.n.\.".:.\.".0...0.\.".,.\.".B.i.t.n.e.s.s.\.".:.\.".3.2.\.".,.\.".C.o.m.m.a.n.d.L.i.n.e.\.".:.\.".R.E.L.A.U.N.C.H.E.D. .\.".,.\.".E.x.e.V.e.r.\.".:.\.".1.6...0...1.8.0.2.5...2.0.1.6.0.\.".,.\.".I.n.t.e.g.r.i.t.y.L.e.v.e.l.\.".:.\.".0.x.3.0.0.0.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.580573303659152
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OfficeSetup.exe
File size:	7'556'032 bytes
MD5:	71dde4df92b2284f19491087e637b040
SHA1:	341c931af7e64277b2a755a0cce550b2cd5fd153
SHA256:	bd4f0d84b3a1592ff124bf718fb59a2d284793cbbde9870ec06dcf0b858b408a
SHA512:	573d525092dac5b519cf21022dd684c6284aa124f40fda9c115f87508ae7c0109e9b10fd6e74922fa12f76713ddd45f9edd298babac7f58d03f9f071f092098a
SSDEEP:	196608:k5yeJSOxmp+8jIh/FdF3bx30bqGdiZhQNGIwWar45iPaI6HMaJTtGblkQ:EQj+8jyF73V3xZ7tkQ
TLSH:	F6767C33A6D6CC36F5B7E2F0AD7DAF1944BABE720930801F6384D64D1AB0982D525727
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................O...."......."......c.......c...................................v...."......."......."T.......<....

File Icon


Icon Hash:	0707323170731b0e

Static PE Info

General

Entrypoint:	0x7e2f62
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670DAF8F [Mon Oct 14 23:55:59 2024 UTC]
TLS Callbacks:	0x7e3dc3, 0x7e3ebc
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ca7d3169e7c7942080190cde3c16c7c7

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	22/08/2024 21:25:57 05/07/2025 21:25:57
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	BB60DC2DCCA0C553168F41C88E7C1F49
Thumbprint SHA-1:	7920AC8FB05E0FFFE21E8FF4B4F03093BA6AC16E
Thumbprint SHA-256:	60B9838C9BBFE3F6A754CE52E15513D983DC34F4A9695E15A4DA8130CC556295
Serial:	33000005A7B88FFB975D3584EC0000000005A7

Entrypoint Preview

Instruction
call 00007F10DD655642h
jmp 00007F10DD65418Fh
cmp ecx, dword ptr [00A51540h]
jne 00007F10DD654DBEh
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F10DD65432Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F10DD65431Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F10DD65431Eh
add edx, 28h
cmp edx, esi
jne 00007F10DD6542FCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F10DD65430Bh
push esi
call 00007F10DD65591Bh
test eax, eax
je 00007F10DD654332h
mov eax, dword ptr fs:[00000018h]
mov esi, 00A74ED0h
mov edx, dword ptr [eax+04h]
jmp 00007F10DD654316h
cmp edx, eax
je 00007F10DD654322h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F10DD654302h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F10DD654319h
mov byte ptr [00A74ED4h], 00000001h
call 00007F10DD654F00h
call 00007F10DD658E23h
test al, al
jne 00007F10DD654316h
xor al, al
pop ebp
ret
call 00007F10DD67CE3Dh
test al, al
jne 00007F10DD65431Ch
push 00000000h
call 00007F10DD658E2Ah
pop ecx
jmp 00007F10DD6542FBh
mov al, 01h
pop ebp
ret
push ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x64e188	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x686000	0x5594c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x72f600	0x55c0	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6dc000	0x5d09c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x650798	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5f5070	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x484090	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x45d000	0x658	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x64c45c	0x380	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x45b967	0x45ba00	06c02264b3799eaf925ed4a5cd53b17b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x45d000	0x1f38ec	0x1f3a00	7e9ad15c9e59a0b59ccb58c35b260c49	False	0.301407696397298	data	5.2482651702037195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x651000	0x347d8	0x2d200	9334f63f5ddea28439f3f7256a967c8a	False	0.1952259349030471	OpenPGP Public Key	4.798418366501863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x686000	0x5594c	0x55a00	368c244fdc5cd0ab40db51143f61cf0c	False	0.25993099908759126	data	5.064572368136891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6dc000	0x5d09c	0x5d200	b716cf8fe461d662552a6ae1a6d59f9f	False	0.38413643036912754	data	6.480641119860878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x68730c	0x10c	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0149253731343284
PNG	0x687418	0x1ec	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0223577235772359
PNG	0x687604	0x13a	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	1.0254777070063694
PNG	0x687740	0x141	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0155763239875388
PNG	0x687884	0xb5	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	0.994475138121547
PNG	0x68793c	0xb3	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	0.994413407821229
PNG	0x6879f0	0x158	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0203488372093024
PNG	0x687b48	0xe3	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	1.0088105726872247
PNG	0x687c2c	0xfa	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.008
PNG	0x687d28	0x15c	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0172413793103448
PNG	0x687e84	0xe7	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	1.0086580086580086
PNG	0x687f6c	0xf1	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.008298755186722
PNG	0x688060	0x132	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0098039215686274
PNG	0x688194	0x284	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0170807453416149
PNG	0x688418	0x1c3	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.024390243902439
PNG	0x6885dc	0x1d5	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.023454157782516
PNG	0x6887b4	0xda	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0091743119266054
PNG	0x688890	0xd2	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0047619047619047
PNG	0x688964	0x1bd	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0202247191011236
PNG	0x688b24	0x152	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0236686390532543
PNG	0x688c78	0x145	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0184615384615385
PNG	0x688dc0	0x1d3	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0235546038543897
PNG	0x688f94	0x146	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.021472392638037
PNG	0x6890dc	0x13c	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0158227848101267
PNG	0x689218	0x5d4	PNG image data, 108 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.007372654155496
PNG	0x6897ec	0xf1f	PNG image data, 324 x 72, 8-bit/color RGBA, non-interlaced	English	United States	0.999483337638853
PNG	0x68a70c	0x83f	PNG image data, 163 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.005210800568451
PNG	0x68af4c	0xa6d	PNG image data, 216 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.004121393780442
PNG	0x68b9bc	0x43c	PNG image data, 108 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0101476014760147
PNG	0x68bdf8	0x3e3	PNG image data, 108 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0110552763819096
PNG	0x68c1dc	0xb9f	PNG image data, 324 x 72, 8-bit/color RGBA, non-interlaced	English	United States	0.9969747899159664
PNG	0x68cd7c	0x5eb	PNG image data, 163 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0072607260726072
PNG	0x68d368	0x7cd	PNG image data, 216 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0055082623935905
PNG	0x68db38	0xc81	PNG image data, 324 x 72, 8-bit/color RGBA, non-interlaced	English	United States	0.9968759762574195
PNG	0x68e7bc	0x661	PNG image data, 163 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0067360685854256
PNG	0x68ee20	0x87a	PNG image data, 216 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0050691244239631
PNG	0x68f69c	0x93	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	0.9795918367346939
PNG	0x68f730	0xa5	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9575757575757575
PNG	0x68f7d8	0xab	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	1.0
PNG	0x68f884	0x9c	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9807692307692307
PNG	0x68f920	0x8d	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	0.9787234042553191
PNG	0x68f9b0	0x8b	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	0.9856115107913669
PNG	0x68fa3c	0x9c	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9551282051282052
PNG	0x68fad8	0x9a	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	0.9805194805194806
PNG	0x68fb74	0x92	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9794520547945206
PNG	0x68fc08	0x9f	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.949685534591195
PNG	0x68fca8	0x99	PNG image data, 24 x 25, 8-bit/color RGBA, non-interlaced	English	United States	0.9934640522875817
PNG	0x68fd44	0x98	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9736842105263158
RT_ICON	0x68fddc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6870567375886525
RT_ICON	0x690244	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.47115384615384615
RT_ICON	0x6912ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.3904564315352697
RT_ICON	0x693894	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.17336967778205167
RT_STRING	0x6d58bc	0xba	Matlab v4 mat-file (little endian) _, numeric, rows 0, columns 0	English	United States	0.6129032258064516
RT_STRING	0x6d5978	0x2a	data	English	United States	0.5952380952380952
RT_STRING	0x6d59a4	0x30	data	English	United States	0.5
RT_STRING	0x6d59d4	0x82e	data	English	United States	0.33954154727793695
RT_STRING	0x6d6204	0xae0	data	English	United States	0.26185344827586204
RT_STRING	0x6d6ce4	0x938	data	English	United States	0.21906779661016948
RT_STRING	0x6d761c	0x436	data	English	United States	0.3580705009276438
RT_STRING	0x6d7a54	0x518	data	English	United States	0.37806748466257667
RT_STRING	0x6d7f6c	0xb34	data	English	United States	0.2810320781032078
RT_STRING	0x6d8aa0	0x5e4	data	English	United States	0.32625994694960214
RT_STRING	0x6d9084	0xc62	data	English	United States	0.22618296529968454
RT_STRING	0x6d9ce8	0x9e0	data	English	United States	0.24406645569620253
RT_STRING	0x6da6c8	0x5d2	data	English	United States	0.3268456375838926
RT_STRING	0x6dac9c	0x12c	data	English	United States	0.58
RT_GROUP_ICON	0x6dadc8	0x3e	data	English	United States	0.7903225806451613
RT_VERSION	0x6dae08	0x430	data	English	United States	0.373134328358209
RT_MANIFEST	0x6db238	0x711	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4350469872857933

Imports

DLL	Import
ADVAPI32.dll	ConvertSidToStringSidW, OpenProcessToken, GetTokenInformation, RegSetValueExW, RegQueryValueExW, RegCreateKeyExW, RegOpenKeyExW, RegCloseKey, CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CreateWellKnownSid, CheckTokenMembership, RegEnumKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegDeleteTreeW, RegDeleteKeyW, RegGetValueW, RegDeleteValueW, IsValidSid, GetSidSubAuthorityCount, GetSidSubAuthority, EventWriteTransfer, EventRegister, EventUnregister, EventSetInformation, RegNotifyChangeKeyValue, RevertToSelf, OpenThreadToken, GetLengthSid, CopySid, InitializeAcl, AddAccessAllowedAce, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, GetSecurityDescriptorDacl, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidA, EqualSid, RegEnumValueA, RegDeleteValueA, RegGetValueA, EventWrite, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenSCManagerW, CloseServiceHandle, OpenServiceW, QueryServiceStatusEx, QueryServiceConfigW, StartServiceW, ControlService, EnumDependentServicesW, ChangeServiceConfigW
ole32.dll	CoInitialize, CLSIDFromString, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, StringFromCLSID, CoCreateInstance, CoSetProxyBlanket, CoCreateGuid, StringFromGUID2, CoCreateFreeThreadedMarshaler, IIDFromString, CoInitializeSecurity, CoInitializeEx, CoEnableCallCancellation, CoDisableCallCancellation, CoCancelCall, CoUninitialize
OLEAUT32.dll	GetErrorInfo, SysFreeString, VariantInit, VariantClear, SetErrorInfo, SysAllocString, SysStringLen
GDI32.dll	CreateFontW, SetBkColor, SetTextColor, DeleteObject, Rectangle, SetDCPenColor, CreatePen, GetTextExtentPoint32W, SelectObject, CreateSolidBrush, SetDCBrushColor, GetTextMetricsW, GetStockObject, GetDeviceCaps
KERNEL32.dll	RtlUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCPInfo, EncodePointer, CreateTimerQueueTimer, ExitProcess, GetOEMCP, CloseHandle, GetLastError, GetModuleHandleW, GetProcAddress, LoadLibraryW, SetLastError, GetModuleFileNameW, OutputDebugStringA, CompareStringEx, LocalFree, HeapFree, GetProcessHeap, GetCurrentProcess, GetCurrentProcessId, FreeLibrary, CreateThread, GetCurrentThreadId, GetExitCodeThread, SetProcessMitigationPolicy, CreateEventExW, WriteFile, DeleteFileW, WideCharToMultiByte, IsWow64Process, GetModuleHandleExW, ExpandEnvironmentStringsW, GlobalFree, MultiByteToWideChar, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, CreateMutexW, GetNativeSystemInfo, VerSetConditionMask, VerifyVersionInfoW, GetUserDefaultLocaleName, FlsFree, FlsAlloc, AttachConsole, AllocConsole, GetStdHandle, WriteConsoleW, FreeConsole, LocaleNameToLCID, FindClose, UnmapViewOfFile, CreateFileA, GetFileSize, CreateFileMappingW, MapViewOfFile, Sleep, GetStringTypeExW, GetUserDefaultLCID, LoadLibraryA, LCMapStringW, FormatMessageA, RaiseException, InitializeSRWLock, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, OpenProcess, GetExitCodeProcess, GetProcessTimes, GetTickCount64, GetSystemTimeAsFileTime, TerminateProcess, GetModuleFileNameA, GetShortPathNameA, K32GetModuleFileNameExW, CreateProcessW, LoadLibraryExW, FindResourceW, SizeofResource, LoadResource, GlobalMemoryStatusEx, GetVersionExW, IsValidCodePage, GetSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, GetCPInfoExW, GetDiskFreeSpaceExW, CreateFileW, DeviceIoControl, SetErrorMode, GetComputerNameW, MulDiv, FormatMessageW, GetLogicalProcessorInformation, GetSystemDirectoryW, HeapAlloc, CreateEventW, SetEvent, WaitForSingleObject, ReleaseSemaphore, EnumSystemLocalesW, WaitForMultipleObjectsEx, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, CloseThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CreateThreadpoolTimer, CloseThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CreateThreadpoolWait, CreateThreadpoolWork, SubmitThreadpoolWork, QueryDepthSList, TryEnterCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeSListHead, InterlockedPushEntrySList, InterlockedPopEntrySList, RtlCaptureStackBackTrace, TzSpecificLocalTimeToSystemTime, QueryUnbiasedInterruptTime, OpenEventW, ReleaseMutex, CreateMutexExW, OpenMutexW, GetTempPathW, GetLongPathNameW, GetFinalPathNameByHandleW, TlsAlloc, TlsFree, FlsGetValue, TlsGetValue, FlsSetValue, TlsSetValue, ResetEvent, IsDebuggerPresent, GetFileAttributesExW, FindFirstFileExW, MoveFileExW, FindNextFileW, CreateDirectoryW, SetFileAttributesW, ReadFile, SetFilePointerEx, SetEndOfFile, GetFileSizeEx, FlushFileBuffers, LockFileEx, UnlockFileEx, GetFileInformationByHandleEx, GetCurrentDirectoryW, GetTempFileNameW, CopyFileExW, GetVolumePathNamesForVolumeNameW, SetFileInformationByHandle, WaitForMultipleObjects, K32EnumProcessModulesEx, OpenThread, GetFileType, SetFilePointer, GetOverlappedResult, GetFileAttributesW, GetFileTime, CopyFileW, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalAlloc, LockResource, LCIDToLocaleName, SetFileTime, CancelIoEx, GetProcessAffinityMask, CreateWaitableTimerW, SetWaitableTimerEx, CancelWaitableTimer, GetTickCount, InitOnceExecuteOnce, WerRegisterMemoryBlock, WerUnregisterMemoryBlock, QueryFullProcessImageNameW, CreateIoCompletionPort, PostQueuedCompletionStatus, GetThreadIOPendingFlag, GetCurrentThread, GetQueuedCompletionStatus, GetStartupInfoW, CreateMemoryResourceNotification, GetSystemPowerStatus, IsSystemResumeAutomatic, OutputDebugStringW, OpenEventA, CreateEventA, OpenMutexA, CreateMutexA, OpenSemaphoreA, CreateSemaphoreA, OpenFileMappingA, CreateFileMappingA, LocalAlloc, GetLocaleInfoEx, LCMapStringEx, IsValidLocale, GetSystemDefaultLCID, ResolveLocaleName, EnumSystemLocalesEx, GetSystemDefaultLocaleName, GetFileAttributesA, LoadLibraryExA, GetUserGeoID, GetLocaleInfoW, GetUserPreferredUILanguages, GetACP, GetTimeZoneInformation, AreFileApisANSI, HeapCreate, GetFullPathNameW, GetDiskFreeSpaceW, LockFile, InitializeCriticalSection, GetFullPathNameA, HeapValidate, HeapSize, GetTempPathA, GetDiskFreeSpaceA, FlushViewOfFile, DeleteFileA, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, K32GetProcessMemoryInfo, GetPhysicallyInstalledSystemMemory, GetProductInfo, SwitchToThread, InitializeCriticalSectionAndSpinCount, FindFirstFileW, GetThreadLocale, lstrcmpW, ProcessIdToSessionId, GetCommandLineW, SetEnvironmentVariableW, GetPriorityClass, K32EnumProcesses, IsProcessorFeaturePresent, InitOnceComplete, InitOnceBeginInitialize, CreateSymbolicLinkW, DeleteTimerQueueTimer, GetThreadTimes, FreeLibraryAndExitThread, ExitThread, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, RemoveDirectoryW, GetFileInformationByHandle, GetStringTypeW, TryAcquireSRWLockExclusive, CompareStringW, SetStdHandle, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, VirtualProtect, VirtualQuery, GetLocalTime, WaitForSingleObjectEx, GetSystemPreferredUILanguages, K32GetProcessImageFileNameW, GetDateFormatW, GetTimeFormatW, GetDriveTypeW
SETUPAPI.dll	SetupIterateCabinetW
gdiplus.dll	GdipDeleteGraphics, GdiplusStartup, GdipCreateFromHDC, GdipDrawImageRectI, GdipLoadImageFromStream, GdipFree, GdipFillRectangleI, GdipCloneBrush, GdipDeleteBrush, GdipCreateSolidFill, GdipGetImageGraphicsContext, GdipGetImageWidth, GdipGetImageHeight, GdipCreateBitmapFromScan0, GdipDisposeImage, GdipCloneImage, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OfficeSetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6A2A77FA-00BE-4D75-BE01-6F0AFA1F7768

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal

C:\Users\user\AppData\Local\Temp\284992-20241025-0629.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
OfficeSetup.exe