23631416cd1d76d8b9b1bb014b3f5f96ab7dcb93e60d38fdc1a6896f9245df95 | Triage

Submit
Reports

Overview

overview

Static

static

7

Office 201...ll.exe

windows11-21h2-x64

Sharing

Copy URL Twitter E-mail

General

Target

OInstallv7.7.7.5.rar
Size

43.0MB
Sample

240212-k2rczsbc36
MD5

d9f6e4167ea2e53d182d684de8f43872
SHA1

64281157ee6b1d54673d6c3947babc4bd56d9bf9
SHA256

23631416cd1d76d8b9b1bb014b3f5f96ab7dcb93e60d38fdc1a6896f9245df95
SHA512

e4ae6f6ff657d26562d958683a7cf613c2514f12e186679b80edec3dcae0cb7648a2da0f99edaffb6fa48f19ef0c78e8fdd4e52847e0c738c3ff52ee7f2d8c29
SSDEEP

786432:O4CJOs7kZgnYTLlR0Z0VXw5H7I/eQuZiuSmVZi/Hk1ItznOXTnt:O4CJOs7ki80GVg5H7IeN3iM1IYjt

Score

10^/10

evasion upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Office 2013-2024 C2R Install v7.7.7.5/OInstall.exe

Resource

win11-20231215-en

windows11-21h2-x64

24 signatures

1800 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i640.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i641033.cab

Targets

- Target
  
  Office 2013-2024 C2R Install v7.7.7.5/OInstall.exe
- Size
  
  18.0MB
- MD5
  
  816ed6fdf32a6d2ae153be18ebca59e7
- SHA1
  
  21264678ebd5c879f269ec60564b653dc1052ef4
- SHA256
  
  19b021d9bcf3b0137f2847a3e08826dbc52e88ffe617579b325f14068954db3f
- SHA512
  
  a6579f7fad6fdf59855cdba998764474bf408f441a924ec3c1cd1d1e51ac53a72fdbad75dc44bb06659a5fcb12ec239dc9f43cf32fd6ffe9523e57c5f9e6cf18
- SSDEEP
  
  393216:+CqFTywoCkhfO/zFXGW/F/P9wXiXzTheCeC/+pWt0Ts:+XFTXRkdObGXYzteWMa0o
Score

10^/10

evasion
- Blocklisted process makes network request
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

© 2018-2025

Terms | Privacy