Analysis

  • max time kernel
    1603s
  • max time network
    1608s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    02-06-2023 03:08

General

  • Target

    OfficeSetup.exe

  • Size

    7.1MB

  • MD5

    5781f79d70dcea270950a0fc73e43beb

  • SHA1

    efb824956d620f49452fd6df0ada10992c302cdc

  • SHA256

    191a136632dc258553917026a7a46bf6d0945aab4feba00204ed012001a50507

  • SHA512

    67c5c7c160e8ad4195844b0c6be9a51b554fa01ed93ac719893a9a184672b224c6bed250a9220417e5b334d1cf5e3f1d024df3166b94762ccbff01c775da704b

  • SSDEEP

    196608:C49GfxidA1cQ379CfAaxRwhgiFcStLoKntczlkaI6HMaJTtGbbAgQ:C4QpidA1KfZRwhgRKntczB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 560
      2⤵
      • Program crash
      PID:1588
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2012
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1464
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x1dc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1


Downloads

  • memory/2012-54-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB
  • memory/2012-55-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB