Tabs: Overview | Static (10) | Office_201...ll.exe (3), windows10-2004-x64 | Office_201...te.exe (10), windows10-2004-x64 | Office_201...re.xml (7), windows10-2004-x64 | Office_201...ll.xml (1), windows10-2004-x64 | Office_201...pp.exe (1), windows10-2004-x64 | Office_201...00.dll (1), windows10-2004-x64 | Office_201...pp.exe (1), windows10-2004-x64 | Office_201...00.dll (1), windows10-2004-x64
General (3)
Target: Office_2013-2024_C2R_Install.rar
Size: 13.0MB
Sample: 240407-ykmkcsdc38
MD5: d5626978849d5e4eeceaff62f32c641f
SHA1: b6d0416052db660e1afefeb3684d1100f07d50b2
SHA256: 23a91642bbbfc45279d3475e7391117905673b02fb166ba82dd875e6688c876d
SHA512: 4d7bd50a8413286b1cf3e4277a16fad98fe77f735661c62360f7b025e2d2fa3c6a7f2831ab249f10dabcba5b49ab39022b92d7e06bd5dd956f25aec00e479a5d
SSDEEP: 196608:Ja0kuwJK7n/v+iKjEeQ871wo2Tfk/WcVpB4fTDcqo7O23v5sRsNA3TUF+SFmh27M:gyaiSEeG1fUfBiTmHR2D3AjmQ4
Tasks
Static task: static1
Behavioral task behavioral1
  Sample: Office_2013-2024_C2R_Install/OInstall.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral2
  Sample: Office_2013-2024_C2R_Install/activate.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral3
  Sample: Office_2013-2024_C2R_Install/files/Configure.xml
  Resource: win10v2004-20240319-en
Behavioral task behavioral4
  Sample: Office_2013-2024_C2R_Install/files/Uninstall.xml
  Resource: win10v2004-20240226-en
Behavioral task behavioral5
  Sample: Office_2013-2024_C2R_Install/files/x64/cleanospp.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral6
  Sample: Office_2013-2024_C2R_Install/files/x64/msvcr100.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral7
  Sample: Office_2013-2024_C2R_Install/files/x86/cleanospp.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral8
  Sample: Office_2013-2024_C2R_Install/files/x86/msvcr100.dll
  Resource: win10v2004-20240226-en
Malware Config
Extracted: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData
Targets

Target: Office_2013-2024_C2R_Install/OInstall.exe
Size: 7.6MB
MD5: 0160ee7f90b074e1260437094298a55b
SHA1: 79f83fef9915440925e7f87c7ef4db535299aeec
SHA256: cc389c8aeb7a90d81aba8d18ee5e01a9700b6016d58eeb35706c5ac0d95f0b7a
SHA512: 5c652937989d2c8453b453724c6582aca7f84f5f4007e096947b532e0ee60ff496d684b284ae7224de18b751d303ea8b1acf9e5419d183030781943db5423e35
SSDEEP: 196608:Ea504j1o2h2JdZhzTQIDHeLr9ex044sA+3VOhXbei29w:zqA17YJdZhzEIDQg6ERVsiTi
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Office_2013-2024_C2R_Install/activate.exe
Size: 332.5MB
MD5: 858dd6a097f4745df576c37e01119ec2
SHA1: 9c5c603f8eb74f6f3101611a94a597eb0d46765d
SHA256: 1257b591c67c8fc0d3c4490fd80c62ff98760f1a1a74b24920f38b24698e44be
SHA512: d341e636146dd2e987cf3b5c6e128d0d32531f89719e088f6bec7912c54ee14b1abf2c60856bbe064b264252559351a9e6746a78134792cd7a08961070d860e5
SSDEEP: 98304:zd2rIjP+6mg6sNHvmmzPwshcxfre/W6I/vuOFmCJl+6KZCOVgb:zd2rg+75sRmmLThcd6qmCyoOV0
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Office_2013-2024_C2R_Install/files/Configure.xml
Size: 1KB
MD5: 7d74885dacc883e14f50ec18dfe0ab24
SHA1: 9126424e22e38854797a86617d56e2c37f551125
SHA256: 754b93802239741325c782d3368ac57d1b3bfc6e1d1c5c56bf51b99b91c491cc
SHA512: 4cf90464b385dab0081324d693dd6171639c7937ce7d1ff1711e0bef95e6e63840c4549c9b1521ae8c48f8d4424a52122f6811dc500c76f2e1a0e4c8c60713d2
Score: 1/10
Target: Office_2013-2024_C2R_Install/files/Uninstall.xml
Size: 59B
MD5: 364f86f97324ea82fe0d142cd01cf6dd
SHA1: fc2a45da2ede0c018ab8e46044e6a25765c27d99
SHA256: 09d5b42140bab13165ba97fbd0e77792304c3c93555be02c3dce21a7a69c66dd
SHA512: 9b0a0944535e25c944e01bed1674efff119505292b176287c0dad3db70ffc4244cff21cccfd1fd94b09dd6d5f84221930b66b210101e482cc4bb5df3311a5fdf
Score: 1/10
Target: Office_2013-2024_C2R_Install/files/x64/cleanospp.exe
Size: 28KB
MD5: d3467cb7b83b654c2d05407dc7ba2360
SHA1: af7b4fdde21434f9e8d2e90fbff7b1d64af8a0a3
SHA256: edf85f4e2ef1a427b34265a22f261d664ec78de90c3b5da4174ef28558c8522a
SHA512: 0998bc55b4b928077144cececfaaeee6d957f5acfcfab083987b2ba1e039ca9bf2156c633213c8a3c1ccd874d6ea31e5e1b8e0de6fdfd42693f844aca4408c5e
SSDEEP: 384:AQAInWKpEFFzpjq37oIOU6GHq33QPiu431VPjdOKV1TQilrkK:AxWTpOFagUb2qiu43P7PV1D
Score: 1/10
Target: Office_2013-2024_C2R_Install/files/x64/msvcr100.dll
Size: 809KB
MD5: df3ca8d16bded6a54977b30e66864d33
SHA1: b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256: 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512: 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0
SSDEEP: 12288:3gzGPEett9Mw9HfBCddjMb2NQVmTW752fmyyKWeHQGokozS:QzJetPMw9HfBCrMb2Kc6ymyyKWewGzUS
Score: 1/10
Target: Office_2013-2024_C2R_Install/files/x86/cleanospp.exe
Size: 25KB
MD5: 98821a7a5737d656633d10a3afb724bd
SHA1: 0307ba03137de39735c6e5bde8afd22d5279f0f9
SHA256: 04ba4487f95290e0b0557b44300c18f637fbaf0872ee96e3111013b8a1539f25
SHA512: 5e32cfa18cf6353bd36194ef9f00d0768fb5ec9723582d7ca72fcf60931ba08199d750270307e1c82adf57fb801855be6986f26e09b02aa7a5db74e95e3263ff
SSDEEP: 384:N9FuUOvAiG0gIVDKDYgmh02HPwzi3AnXdOKV1TE54UslGsGK3:wUAAYgmO21QXPV1Y1i3
Score: 1/10
Target: Office_2013-2024_C2R_Install/files/x86/msvcr100.dll
Size: 755KB
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
SSDEEP: 12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
Score: 3/10