Overview

overview

10

Static

static

10

ManagerOff...in.zip

windows7-x64

ManagerOff...in.zip

windows10-2004-x64

1

ManagerOff...ool.py

windows7-x64

3

ManagerOff...ool.py

windows10-2004-x64

3

ManagerOff...ll.ps1

windows7-x64

3

ManagerOff...ll.ps1

windows10-2004-x64

8

ManagerOff...L/.txt

windows7-x64

1

ManagerOff...L/.txt

windows10-2004-x64

1

ManagerOff...13.xml

windows7-x64

3

ManagerOff...13.xml

windows10-2004-x64

8

ManagerOff...16.xml

windows7-x64

3

ManagerOff...16.xml

windows10-2004-x64

1

ManagerOff...19.xml

windows7-x64

3

ManagerOff...19.xml

windows10-2004-x64

1

ManagerOff...21.xml

windows7-x64

3

ManagerOff...21.xml

windows10-2004-x64

1

ManagerOff...ICENSE

windows7-x64

1

ManagerOff...ICENSE

windows10-2004-x64

1

ManagerOff...DME.md

windows7-x64

3

ManagerOff...DME.md

windows10-2004-x64

3

ManagerOff...ce.bat

windows7-x64

3

ManagerOff...ce.bat

windows10-2004-x64

8

ManagerOff...tup.py

windows7-x64

3

ManagerOff...tup.py

windows10-2004-x64

3

Analysis

  • max time kernel
    782s
  • max time network
    782s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 11:57

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ManagerOfficeTool-main.zip

  • Size

    13KB

  • MD5

    29ddf372af8d7483cb2e29fac23fda46

  • SHA1

    1f7ee432dcf82598becd36547644fad014842a0e

  • SHA256

    88de739cac5442354a41df7ff4e8fc4f223a8ff9ff87b59c13df607b491ec679

  • SHA512

    537f7a1af2bacabe4c7a05578fe514c4c4913b35aed1b5aecc1098a9d6e28e076dafc422d6e687a24b1a13d99adc9b65868884598e71e53e4e2f594a0b1b5800

  • SSDEEP

    192:3AhC+zKGDVmNtPtwciCBcGr8fDka8Jvyfs4/LCuy4SML9ggUqNDXwXdbXlb3nUgy:wdKGeZ9SoiPcvYXLyvqpXwXFxLNF+

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://api.github.com/repos/OfficeDev/Office-IT-Pro-Deployment-Scripts/contents/Office-ProPlus-Management/Get-OfficeVersion/Get-OfficeVersion.ps1
exe.dropper

https://api.github.com/repos/OfficeDev/Office-IT-Pro-Deployment-Scripts/contents/Office-ProPlus-Deployment/Remove-PreviousOfficeInstalls

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ManagerOfficeTool-main.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2748
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\Desktop\ManagerOfficeTool-main\RunInstallOffice.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\system32\openfiles.exe
      openfiles
      2⤵
        PID:1268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ExecutionPolicy RemoteSigned -File "Install.ps1"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:608
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x594
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ManagerOfficeTool-main\Files\Install.ps1"
      1⤵
        PID:552
      • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\ManagerOfficeTool-main\Files\Install.ps1"
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\ManagerOfficeTool-main\Files\Install.ps1"
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2600
      • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2992
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ManagerOfficeTool-main\RunInstallOffice.bat"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\system32\openfiles.exe
          openfiles
          2⤵
            PID:2032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -ExecutionPolicy RemoteSigned -File "Install.ps1"
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:660
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ManagerOfficeTool-main\RunInstallOffice.bat"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\system32\openfiles.exe
            openfiles
            2⤵
              PID:2364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -ExecutionPolicy RemoteSigned -File "Install.ps1"
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2136
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x0
            1⤵
              PID:1844
            • C:\Windows\system32\AUDIODG.EXE
              C:\Windows\system32\AUDIODG.EXE 0x404
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x1
              1⤵
                PID:1720

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                6KB

                MD5

                a1ba2cb4934cdbe102ebdae226ca1ec8

                SHA1

                4fa993aad3a936f2939b55925508f934b1ff8db2

                SHA256

                15f8925c3ac1b0f53fc66f38d7e8557e087b384f5977e813a9d0cb93a6e92da4

                SHA512

                4f9935ac4a7db0a503ff65f459624652ee4b38670702d1213cd072d9f00be061dcf2587abb6020b9e30dc0390c67f0ea507f89fced56972e45205644cf737f16

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                7KB

                MD5

                2515825f92c6bd0db49bcae988f26af9

                SHA1

                7edaad88872366ce7c1c39d114ab2ae7476c2c5a

                SHA256

                76acc96a67ebdca65fb2ed8233cc71cccfc5812b4767734b5311d1ce7b1c8544

                SHA512

                3d1f4a409d1d9c2db0521a8fdab3f6145f6d0f0c6c05465a4884e73826cee10254ea0bb42279d0c64067c2f743560878a699be83458e0a1f67f9fb430b739674

                Download Submit

              • C:\Users\Admin\Desktop\ManagerOfficeTool-main\Files\Install.ps1
                Filesize

                9KB

                MD5

                bdf4700521e7ff887848f152e53d9446

                SHA1

                3714fcb19a4261d7b6b63de09acb3c7b7a20fdb7

                SHA256

                262eb464258454d97ffd36c251495811aa13e7686975a3e76492a6297d675c26

                SHA512

                b9b54ffa642509074c9a2fb98e9c4af89c6e71e87ee3b9b7ba488d2ce9d0d15ccb02d1e33b49be04a1a1f6f2e048912d7c0b2aafa2056740d0b65adf4598e949

                Download Submit

              • C:\Users\Admin\Desktop\ManagerOfficeTool-main\RunInstallOffice.bat
                Filesize

                1KB

                MD5

                67220c6f2714056236b22f6c0050a1a0

                SHA1

                c54e1e079fb9a8e85500283a739675a2c09f8358

                SHA256

                c9fa95a5b741fc6e9355702f7925c8c0c629b6d7da914d4159c66ed7bee05fe6

                SHA512

                9fbd25d7ae9f6340e7b49a584a191e5f4afe542809d74f4612cbddbbf4ff899633cda9dcc696d58662e5f9f0ed6c251f1cb9fda93513682d06badb7b6d3d4899

                Download Submit

              • memory/608-29-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/608-30-0x0000000002770000-0x0000000002778000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2136-69-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2136-70-0x0000000002240000-0x0000000002248000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2280-38-0x0000000002950000-0x0000000002958000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2280-37-0x000000001B5A0000-0x000000001B882000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2720-45-0x000000001B5A0000-0x000000001B882000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2720-46-0x0000000002890000-0x0000000002898000-memory.dmp

                Filesize

                32KB

                Download