General

  • Target

    Office_2013-2024_C2R_Install.rar

  • Size

    13.0MB

  • Sample

    240407-ykmkcsdc38

  • MD5

    d5626978849d5e4eeceaff62f32c641f

  • SHA1

    b6d0416052db660e1afefeb3684d1100f07d50b2

  • SHA256

    23a91642bbbfc45279d3475e7391117905673b02fb166ba82dd875e6688c876d

  • SHA512

    4d7bd50a8413286b1cf3e4277a16fad98fe77f735661c62360f7b025e2d2fa3c6a7f2831ab249f10dabcba5b49ab39022b92d7e06bd5dd956f25aec00e479a5d

  • SSDEEP

    196608:Ja0kuwJK7n/v+iKjEeQ871wo2Tfk/WcVpB4fTDcqo7O23v5sRsNA3TUF+SFmh27M:gyaiSEeG1fUfBiTmHR2D3AjmQ4

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    exe.dropper:
    https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Targets

    • Target

      Office_2013-2024_C2R_Install/OInstall.exe

    • Size

      7.6MB

    • MD5

      0160ee7f90b074e1260437094298a55b

    • SHA1

      79f83fef9915440925e7f87c7ef4db535299aeec

    • SHA256

      cc389c8aeb7a90d81aba8d18ee5e01a9700b6016d58eeb35706c5ac0d95f0b7a

    • SHA512

      5c652937989d2c8453b453724c6582aca7f84f5f4007e096947b532e0ee60ff496d684b284ae7224de18b751d303ea8b1acf9e5419d183030781943db5423e35

    • SSDEEP

      196608:Ea504j1o2h2JdZhzTQIDHeLr9ex044sA+3VOhXbei29w:zqA17YJdZhzEIDQg6ERVsiTi

    Score
    10/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Office_2013-2024_C2R_Install/activate.exe

    • Size

      332.5MB

    • MD5

      858dd6a097f4745df576c37e01119ec2

    • SHA1

      9c5c603f8eb74f6f3101611a94a597eb0d46765d

    • SHA256

      1257b591c67c8fc0d3c4490fd80c62ff98760f1a1a74b24920f38b24698e44be

    • SHA512

      d341e636146dd2e987cf3b5c6e128d0d32531f89719e088f6bec7912c54ee14b1abf2c60856bbe064b264252559351a9e6746a78134792cd7a08961070d860e5

    • SSDEEP

      98304:zd2rIjP+6mg6sNHvmmzPwshcxfre/W6I/vuOFmCJl+6KZCOVgb:zd2rg+75sRmmLThcd6qmCyoOV0

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Office_2013-2024_C2R_Install/files/Configure.xml

    • Size

      1KB

    • MD5

      7d74885dacc883e14f50ec18dfe0ab24

    • SHA1

      9126424e22e38854797a86617d56e2c37f551125

    • SHA256

      754b93802239741325c782d3368ac57d1b3bfc6e1d1c5c56bf51b99b91c491cc

    • SHA512

      4cf90464b385dab0081324d693dd6171639c7937ce7d1ff1711e0bef95e6e63840c4549c9b1521ae8c48f8d4424a52122f6811dc500c76f2e1a0e4c8c60713d2

    Score
    1/10
    • Target

      Office_2013-2024_C2R_Install/files/Uninstall.xml

    • Size

      59B

    • MD5

      364f86f97324ea82fe0d142cd01cf6dd

    • SHA1

      fc2a45da2ede0c018ab8e46044e6a25765c27d99

    • SHA256

      09d5b42140bab13165ba97fbd0e77792304c3c93555be02c3dce21a7a69c66dd

    • SHA512

      9b0a0944535e25c944e01bed1674efff119505292b176287c0dad3db70ffc4244cff21cccfd1fd94b09dd6d5f84221930b66b210101e482cc4bb5df3311a5fdf

    Score
    1/10
    • Target

      Office_2013-2024_C2R_Install/files/x64/cleanospp.exe

    • Size

      28KB

    • MD5

      d3467cb7b83b654c2d05407dc7ba2360

    • SHA1

      af7b4fdde21434f9e8d2e90fbff7b1d64af8a0a3

    • SHA256

      edf85f4e2ef1a427b34265a22f261d664ec78de90c3b5da4174ef28558c8522a

    • SHA512

      0998bc55b4b928077144cececfaaeee6d957f5acfcfab083987b2ba1e039ca9bf2156c633213c8a3c1ccd874d6ea31e5e1b8e0de6fdfd42693f844aca4408c5e

    • SSDEEP

      384:AQAInWKpEFFzpjq37oIOU6GHq33QPiu431VPjdOKV1TQilrkK:AxWTpOFagUb2qiu43P7PV1D

    Score
    1/10
    • Target

      Office_2013-2024_C2R_Install/files/x64/msvcr100.dll

    • Size

      809KB

    • MD5

      df3ca8d16bded6a54977b30e66864d33

    • SHA1

      b7b9349b33230c5b80886f5c1f0a42848661c883

    • SHA256

      1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

    • SHA512

      951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

    • SSDEEP

      12288:3gzGPEett9Mw9HfBCddjMb2NQVmTW752fmyyKWeHQGokozS:QzJetPMw9HfBCrMb2Kc6ymyyKWewGzUS

    Score
    1/10
    • Target

      Office_2013-2024_C2R_Install/files/x86/cleanospp.exe

    • Size

      25KB

    • MD5

      98821a7a5737d656633d10a3afb724bd

    • SHA1

      0307ba03137de39735c6e5bde8afd22d5279f0f9

    • SHA256

      04ba4487f95290e0b0557b44300c18f637fbaf0872ee96e3111013b8a1539f25

    • SHA512

      5e32cfa18cf6353bd36194ef9f00d0768fb5ec9723582d7ca72fcf60931ba08199d750270307e1c82adf57fb801855be6986f26e09b02aa7a5db74e95e3263ff

    • SSDEEP

      384:N9FuUOvAiG0gIVDKDYgmh02HPwzi3AnXdOKV1TE54UslGsGK3:wUAAYgmO21QXPV1Y1i3

    Score
    1/10
    • Target

      Office_2013-2024_C2R_Install/files/x86/msvcr100.dll

    • Size

      755KB

    • MD5

      bf38660a9125935658cfa3e53fdc7d65

    • SHA1

      0b51fb415ec89848f339f8989d323bea722bfd70

    • SHA256

      60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

    • SHA512

      25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

    • SSDEEP

      12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I

    Score
    3/10
