| File name: | oledata.mso |
| Full analysis: | https://app.any.run/tasks/643feedd-f9ab-455e-a277-b615378fdeb8 |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2023, 02:52:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/octet-stream |
| File info: | data |
| MD5: | D72B7312F61CF7581C7DC62967BB2F33 |
| SHA1: | D7672D6422FFE263D341804161DEC879E7C01D03 |
| SHA256: | 57A678A10926EEA3A609A968D73D5C433A3CE9419B7200EDD9C59109C2668AF3 |
| SSDEEP: | 48:rYwSSyrhHwqMLlDecGSPgwverY0/QiMNuLu8vH0KZDAEZKb4kd:ILrFwjecP4wvrFEu4H0XEIbP |
MALICIOUS
The DLL Hijacking
- OIS.EXE (PID: 2076)
SUSPICIOUS
Reads the Internet Settings
- rundll32.exe (PID: 2540)
INFO
Reads the computer name
- OIS.EXE (PID: 2076)
- wordpad.exe (PID: 2776)
Reads Microsoft Office registry keys
- OIS.EXE (PID: 2076)
Checks supported languages
- OIS.EXE (PID: 2076)
- wordpad.exe (PID: 2776)
Reads Environment values
- OIS.EXE (PID: 2076)
Creates files or folders in the user directory
- OIS.EXE (PID: 2076)
Manual execution by a user
- explorer.exe (PID: 2424)
- rundll32.exe (PID: 2896)
- notepad++.exe (PID: 1452)
- OUTLOOK.EXE (PID: 2248)
- wordpad.exe (PID: 2776)
Reads the machine GUID from the registry
- OIS.EXE (PID: 2076)
- wordpad.exe (PID: 2776)
Reads Internet Explorer settings
- OUTLOOK.EXE (PID: 2248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .mmpz | | | LMMS Project Zipped (100) |
|---|
Total processes
54
Monitored processes
8
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1452 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Downloads\oledata.mso.mmpz" | C:\Program Files\Notepad++\notepad++.exe | explorer.exe | ||||||||||||
User: admin Company: Don HO don.h@free.fr Integrity Level: MEDIUM Description: Notepad++ : a free (GNU) source code editor Exit code: 0 Version: 7.91 Modules
| |||||||||||||||
| 2076 | "C:\PROGRA~1\MICROS~1\Office14\OIS.EXE" /shellOpen "C:\Users\admin\Downloads\oledata.mso.mmpz" | C:\Program Files\Microsoft Office\Office14\OIS.EXE | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office 2010 Exit code: 0 Version: 14.0.6015.1000 Modules
| |||||||||||||||
| 2248 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 Modules
| |||||||||||||||
| 2424 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2540 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Downloads\oledata.mso.mmpz" | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2776 | "C:\Program Files\Windows NT\Accessories\wordpad.exe" | C:\Program Files\Windows NT\Accessories\wordpad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Wordpad Application Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2896 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\oledata.mso.mmpz | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3528 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\oledata.mso.mmpz" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
Total events
22 768
Read events
21 888
Write events
441
Delete events
439
Modification events
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Windows\system32\WFS.exe |
Value: Microsoft Windows Fax and Scan | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Program Files\Google\Chrome\Application\chrome.exe |
Value: Google Chrome | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: Firefox | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Program Files\FileZilla FTP Client\filezilla.exe |
Value: FileZilla FTP Client | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Program Files\CCleaner\CCleaner.exe |
Value: CCleaner | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | delete value | Name: | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe |
Value: Adobe Acrobat Reader DC | |||
| (PID) Process: | (2540) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2076) OIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (2076) OIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: On | |||
| (PID) Process: | (2076) OIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1046 |
Value: On | |||
Executable files
0
Suspicious files
5
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2076 | OIS.EXE | C:\Users\admin\AppData\Local\Temp\CVR3A0A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3B3E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2248 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRC07.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2248 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst | — | |
MD5:— | SHA256:— | |||
| 2248 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook.pst | — | |
MD5:— | SHA256:— | |||
| 2248 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst | — | |
MD5:— | SHA256:— | |||
| 2076 | OIS.EXE | C:\Users\admin\AppData\Local\Microsoft\OIS\OIScatalog.cag | text | |
MD5:EA5BF588B65243E4E031D82F172B47DD | SHA256:F437373CC506A38D13416E36F6168D13613A8A790E5E62A3F8F1E328FF8375AE | |||
| 3528 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3265A06D-E2BA-4292-BA1B-761D3A6E426B}.tmp | binary | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | |||
| 2248 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\msoD5F.tmp | html | |
MD5:A8934077843220A8E31367C7BBE15E6C | SHA256:A2DB0201D36F07F3F99D1ADF8B8EAFB9CF9BB803D024FCC9327B77AF56346861 | |||
| 1452 | notepad++.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | text | |
MD5:0BA352125D662AA0C42E88251C141695 | SHA256:9F3878917E5C8D9DA16BFA2DEF0E89B5517A9BC7584D22539C99E49A1F05071C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2248 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.messenger.msn.com |
| whitelisted |
dns.msftncsi.com |
| shared |
Threats
Process | Message |
|---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
|
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
|