OfficeSetup[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

OfficeSetup.exe
Size

6.2MB
MD5

116d7e5b18525a239fced04e1a26e915
SHA1

52000a81b01ad67c23f9cf1bfacf24d4ef6e7a9c
SHA256

a8dcba3d9fd7328b48c4f78b9cd1df31000e70caa49d58e7178fb1e274d6c8bc
SHA512

eed8fd9c7a993910ff5823bc7b8383cb73a052623e36a1067b6b07f68001621a719984494326af0c08201726644543cf77d691fcf7417cfb2b3e29fe240385d6
SSDEEP

196608:JQBLZLj02xT7OwJeaSZcufKUSsJ7Ge35Q0W+:JZ2xT7ObJ7z5W+

Score

N/A

Malware Config

Signatures

Files

OfficeSetup.exe
.exe windows x86

37f9e8ab7fafe86805d755256f713b15

Code Sign

33:00:00:03:26:ae:ce:ed:f9:bc:e4:7b:92:00:00:00:00:03:26
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:29

Not After

03/03/2021, 18:29

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

15:e2:29:fe:14:35:70:74:b6:6a:98:f8:0b:49:59:7c
Certificate

Issuer

CN=C2RService,O=C2RService,L=Redmond,ST=Washington,C=US

Not Before

17/02/2017, 00:12

Not After

31/12/2039, 23:59

Subject

CN=C2RService,O=C2RService,L=Redmond,ST=Washington,C=US

06:68:3b:9d:05:38:88:7b:bb:da:ab:c4:71:e9:d1:bb:68:a3:ba:d8
Signer

Actual PE Digest

06:68:3b:9d:05:38:88:7b:bb:da:ab:c4:71:e9:d1:bb:68:a3:ba:d8

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=C2RService,O=C2RService,L=Redmond,ST=Washington,C=US

01/12/2022, 14:34
Valid: false

e0:9f:bc:7b:e8:49:d8:ca:d5:54:35:3a:81:f7:65:c6:d8:dc:f1:8c:10:6f:e8:79:d8:94:a0:1f:69:7c:23:2a
Signer

Actual PE Digest

e0:9f:bc:7b:e8:49:d8:ca:d5:54:35:3a:81:f7:65:c6:d8:dc:f1:8c:10:6f:e8:79:d8:94:a0:1f:69:7c:23:2a

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

01/12/2022, 14:34
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

Imports

advapi32

ConvertSidToStringSidW
OpenProcessToken
GetTokenInformation
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
EventWriteTransfer
EventRegister
EventUnregister
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegDeleteTreeW
RegDeleteKeyW
RegGetValueW
RegDeleteValueW
IsValidSid
GetSidSubAuthorityCount
GetSidSubAuthority
RegNotifyChangeKeyValue
RevertToSelf
OpenThreadToken
GetLengthSid
CopySid
InitializeAcl
AddAccessAllowedAce
AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidA
CheckTokenMembership
CreateWellKnownSid
EqualSid
ImpersonateLoggedOnUser
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenSCManagerW
CloseServiceHandle
OpenServiceW
QueryServiceStatusEx
QueryServiceConfigW
RegEnumValueA
RegDeleteValueA
RegGetValueA
EventWrite

ole32

CoDisableCallCancellation
CoEnableCallCancellation
CoUninitialize
CoInitialize
CoCancelCall
CLSIDFromString
CoRevokeInitializeSpy
CoRegisterInitializeSpy
CreateStreamOnHGlobal
CoTaskMemAlloc
IIDFromString
CoTaskMemFree
StringFromCLSID
CoCreateInstance
CoSetProxyBlanket
CoCreateFreeThreadedMarshaler
StringFromGUID2
CoCreateGuid
CoInitializeSecurity
CoInitializeEx

gdi32

CreateFontW
SelectObject
GetTextMetricsW
CreatePen
GetStockObject
Rectangle
SetTextColor
SetBkColor
GetTextExtentPoint32W
SetDCBrushColor
SetDCPenColor
CreateSolidBrush
DeleteObject
GetDeviceCaps

oleaut32

VariantClear
SysFreeString
SysAllocString
VariantInit

ws2_32

GetAddrInfoW
FreeAddrInfoW
WSAStartup

kernel32

RegisterWaitForSingleObject
SetThreadAffinityMask
GetNumaHighestNodeNumber
ChangeTimerQueueTimer
GetThreadPriority
SetThreadPriority
CreateTimerQueue
InterlockedFlushSList
RtlUnwind
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetThreadTimes
FreeLibraryAndExitThread
VirtualProtect
DuplicateHandle
UnregisterWaitEx
UnregisterWait
CompareStringW
GetCPInfo
EncodePointer
InitializeCriticalSectionAndSpinCount
GetFileInformationByHandle
GetStringTypeW
OpenThread
GetSystemPreferredUILanguages
K32GetProcessImageFileNameW
GetDateFormatW
GetConsoleMode
ReadConsoleW
GetTimeFormatW
GetDriveTypeW
DeleteTimerQueueTimer
CreateTimerQueueTimer
GetConsoleCP
ExitThread
CloseHandle
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
LoadLibraryW
SetLastError
GetModuleFileNameW
OutputDebugStringA
CompareStringEx
LocalFree
HeapFree
GetProcessHeap
GetCurrentProcess
GetCurrentProcessId
CreateThread
GetCurrentThreadId
GetExitCodeThread
DeleteFileW
WriteFile
ReadFile
SetFilePointerEx
FreeLibrary
WideCharToMultiByte
IsWow64Process
GetModuleHandleExW
ExpandEnvironmentStringsW
InitializeCriticalSectionEx
DeleteCriticalSection
GlobalFree
MultiByteToWideChar
RaiseException
DecodePointer
CreateMutexW
GetCommandLineW
GlobalMemoryStatusEx
GetNativeSystemInfo
VerSetConditionMask
VerifyVersionInfoW
GetUserDefaultLocaleName
FlsFree
FlsAlloc
Sleep
AttachConsole
AllocConsole
GetStdHandle
WriteConsoleW
FreeConsole
LocaleNameToLCID
FindClose
UnmapViewOfFile
CreateFileA
CreateFileMappingA
GetFileSize
MapViewOfFile
GetStringTypeExW
GetUserDefaultLCID
LoadLibraryA
LCMapStringW
FormatMessageA
GetSystemTimeAsFileTime
TlsAlloc
TlsFree
FlsGetValue
TlsGetValue
FlsSetValue
TlsSetValue
GetTickCount64
K32GetProcessMemoryInfo
LeaveCriticalSection
EnterCriticalSection
InitializeSRWLock
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetProcessTimes
TerminateProcess
GetModuleFileNameA
GetShortPathNameA
K32GetModuleFileNameExW
CreateProcessW
LoadLibraryExW
FindResourceW
SizeofResource
LoadResource
OpenProcess
GetVersionExW
GetDiskFreeSpaceExW
CreateFileW
DeviceIoControl
SetErrorMode
GetComputerNameW
MulDiv
FormatMessageW
GetLogicalProcessorInformation
GetSystemDirectoryW
HeapAlloc
IsValidCodePage
GetSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetCPInfoExW
CreateEventW
SetEvent
WaitForSingleObject
WaitForMultipleObjectsEx
CreateEventExW
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
CloseThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
ExitProcess
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
CreateThreadpoolWork
SubmitThreadpoolWork
ReleaseSemaphore
WaitForSingleObjectEx
QueryDepthSList
TryEnterCriticalSection
InitializeSListHead
InterlockedPushEntrySList
InterlockedPopEntrySList
RtlCaptureStackBackTrace
ReleaseMutex
TzSpecificLocalTimeToSystemTime
GetTempPathW
GetLongPathNameW
ResetEvent
QueryPerformanceCounter
QueryPerformanceFrequency
VirtualProtectEx
GetSystemInfo
GlobalAlloc
GetFileSizeEx
LockResource
CreateFileMappingW
SetEndOfFile
GetOverlappedResult
FlushFileBuffers
CancelIoEx
GetFileAttributesExW
CreateDirectoryW
SetFileAttributesW
GetFileAttributesW
RemoveDirectoryW
FindFirstFileExW
FindNextFileW
GetFileType
CopyFileW
SetFilePointer
UnlockFile
LockFile
SetFileInformationByHandle
GetFileInformationByHandleEx
GetTempFileNameW
SignalObjectAndWait
GetProcessAffinityMask
CreateWaitableTimerW
SetWaitableTimerEx
CancelWaitableTimer
GetTickCount
WerRegisterMemoryBlock
WerUnregisterMemoryBlock
QueryFullProcessImageNameW
IsProcessorFeaturePresent
CreateIoCompletionPort
PostQueuedCompletionStatus
GetThreadIOPendingFlag
GetCurrentThread
GetQueuedCompletionStatus
IsDebuggerPresent
WaitForMultipleObjects
GetStartupInfoW
CreateMemoryResourceNotification
GetSystemPowerStatus
IsSystemResumeAutomatic
QueryUnbiasedInterruptTime
OutputDebugStringW
VirtualFree
VirtualAlloc
OpenEventA
CreateEventA
OpenMutexA
CreateMutexA
OpenSemaphoreA
CreateSemaphoreA
OpenFileMappingA
LocalAlloc
GetThreadLocale
MoveFileExW
FindFirstFileW
lstrcmpW
FlushViewOfFile
GetFullPathNameW
ProcessIdToSessionId
DeleteFileA
GetTempPathA
GetCurrentDirectoryW
SetEnvironmentVariableW
GetPriorityClass
GetExitCodeProcess
K32EnumProcesses
K32EnumProcessModulesEx
GetTimeZoneInformation
IsValidLocale
GetLocaleInfoEx
LCIDToLocaleName
GetLocaleInfoW
ResolveLocaleName
GetUserPreferredUILanguages
GetACP
LCMapStringEx
GetSystemDefaultLCID
EnumSystemLocalesEx
GetSystemDefaultLocaleName
GetUserGeoID
AreFileApisANSI
HeapCreate
GetDiskFreeSpaceW
InitializeCriticalSection
GetFullPathNameA
UnlockFileEx
HeapValidate
HeapSize
GetDiskFreeSpaceA
GetFileAttributesA
HeapReAlloc
HeapCompact
HeapDestroy
LockFileEx
GetPhysicallyInstalledSystemMemory
GetProductInfo
SwitchToThread
EnumSystemLocalesW
SetStdHandle
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
VirtualQuery
CloseThreadpoolWait
LoadLibraryExA
ReleaseSRWLockShared
GetLocalTime

wintrust

WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust

setupapi

SetupIterateCabinetW

gdiplus

GdipDeleteGraphics
GdipFillRectangleI
GdipCloneBrush
GdipDeleteBrush
GdipCreateSolidFill
GdipGetImageGraphicsContext
GdipGetImageWidth
GdipCreateFromHDC
GdipGetImageHeight
GdipCreateBitmapFromScan0
GdipDisposeImage
GdipCloneImage
GdipAlloc
GdipFree
GdipLoadImageFromStream
GdipDrawImageRectI
GdiplusStartup
GdipDrawImageRectRectI

rpcrt4

RpcStringFreeW
UuidToStringW

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 97KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 598KB - Virtual size: 600KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 311KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

37f9e8ab7fafe86805d755256f713b15

Code Sign

33:00:00:03:26:ae:ce:ed:f9:bc:e4:7b:92:00:00:00:00:03:26Certificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

15:e2:29:fe:14:35:70:74:b6:6a:98:f8:0b:49:59:7cCertificate

06:68:3b:9d:05:38:88:7b:bb:da:ab:c4:71:e9:d1:bb:68:a3:ba:d8Signer

Signature Validations

Verification

01/12/2022, 14:34 Valid: false

e0:9f:bc:7b:e8:49:d8:ca:d5:54:35:3a:81:f7:65:c6:d8:dc:f1:8c:10:6f:e8:79:d8:94:a0:1f:69:7c:23:2aSigner

Signature Validations

Verification

01/12/2022, 14:34 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

ole32

gdi32

oleaut32

ws2_32

kernel32

wintrust

setupapi

gdiplus

rpcrt4

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 97KB - Virtual size: 163KB

.rsrc Size: 598KB - Virtual size: 600KB

.reloc Size: 311KB - Virtual size: 310KB

33:00:00:03:26:ae:ce:ed:f9:bc:e4:7b:92:00:00:00:00:03:26
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

15:e2:29:fe:14:35:70:74:b6:6a:98:f8:0b:49:59:7c
Certificate

06:68:3b:9d:05:38:88:7b:bb:da:ab:c4:71:e9:d1:bb:68:a3:ba:d8
Signer

01/12/2022, 14:34
Valid: false

e0:9f:bc:7b:e8:49:d8:ca:d5:54:35:3a:81:f7:65:c6:d8:dc:f1:8c:10:6f:e8:79:d8:94:a0:1f:69:7c:23:2a
Signer

01/12/2022, 14:34
Valid: false

.text
Size: 3.8MB - Virtual size: 3.8MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 97KB - Virtual size: 163KB

.rsrc
Size: 598KB - Virtual size: 600KB

.reloc
Size: 311KB - Virtual size: 310KB