Malware analysis Office Converter Pack.exe Malicious activity

Add for printing

File name:	Office Converter Pack.exe
Full analysis:	https://app.any.run/tasks/e0dca1d1-f79b-4952-8739-ae8931863913
Verdict:	Malicious activity
Analysis date:	October 09, 2019, 15:22:48
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
MD5:	C16FE4A973855B9A3944CB035C0DD82A
SHA1:	6FD4CDE3461F634359BFE7DCF837674F51B6752F
SHA256:	6412FA3DCE709FF735B52D21BDAF5CA98CA05F86E2AF9E5B8EE03B511366635F
SSDEEP:	196608:6FQGLMGReuFcN5WKYf0Qm9PmxS1h++L83b6TxcFug9QFo:E4huFEbYvwAi03bh8/K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - SETUP.EXE (PID: 3076)
- Changes the autorun value in the registry
  - Office Converter Pack.exe (PID: 3940)
SUSPICIOUS
- Executable content was dropped or overwritten
  - Office Converter Pack.exe (PID: 3940)
  - OSE.EXE (PID: 3452)
  - msiexec.exe (PID: 2720)
  - msiexec.exe (PID: 3728)
- Starts Microsoft Installer
  - SETUP.EXE (PID: 3076)
- Executed as Windows Service
  - vssvc.exe (PID: 2240)
  - OSE.EXE (PID: 3452)
- Executed via COM
  - DrvInst.exe (PID: 3416)
- Creates COM task schedule object
  - msiexec.exe (PID: 3728)
- Creates files in the Windows directory
  - msiexec.exe (PID: 3728)
INFO
- Searches for installed software
  - msiexec.exe (PID: 3728)
- Application launched itself
  - msiexec.exe (PID: 3728)
- Reads Microsoft Office registry keys
  - MsiExec.exe (PID: 3380)
  - MsiExec.exe (PID: 3312)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2240)
- Creates a software uninstall entry
  - MsiExec.exe (PID: 3312)
  - msiexec.exe (PID: 3728)
- Manual execution by user
  - cmd.exe (PID: 3012)
- Creates files in the program directory
  - msiexec.exe (PID: 3728)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Microsoft Update - Self Extracting Cabinet (82.1)
.exe	\|	Win32 Executable MS Visual C++ (generic) (7.5)
.exe	\|	Win64 Executable (generic) (6.6)
.dll	\|	Win32 Dynamic Link Library (generic) (1.5)
.exe	\|	Win32 Executable (generic) (1)

EXIF

EXE

ProductVersion:	11.0.5614
ProductName:	Microsoft Office 2003 Resource Kit
OriginalFileName:	ork.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
InternalName:	ork.exe
FileVersion:	11.0.5614
FileDescription:	Microsoft Office 2003 Resource Kit Self-Extracting Installer
CompanyName:	Microsoft Corporation
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	11.0.5614.0
FileVersionNumber:	11.0.5614.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	5.1
OSVersion:	5.1
EntryPoint:	0x5a5e
UninitializedDataSize:	-
InitializedDataSize:	7439360
CodeSize:	34816
LinkerVersion:	7
PEType:	PE32
TimeStamp:	2001:08:18 03:42:57+02:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3588	"C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe"	C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office 2003 Resource Kit Self-Extracting Installer Exit code: 3221226540 Version: 11.0.5614
3940	"C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe"	C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office 2003 Resource Kit Self-Extracting Installer Exit code: 0 Version: 11.0.5614
3076	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE /iexpress CDCACHE=2	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE	—	Office Converter Pack.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Setup Bootstrapper Exit code: 0 Version: 11.0.5510
3452	"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"	C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Office Source Engine Exit code: 0 Version: 14.0.4730.1010
2720	"C:\Windows\system32\msiexec.exe" /I "C:\MSOCache\All Users\90240409-6000-11D3-8CFE-0150048383C9\ORK.MSI" CDCACHE=2 LAUNCHEDFROMSETUP=1 SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ SETUPEXENAME=SETUP.EXE /lpiwaeo "C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001)_Task(0001).txt" STANDALONEOSE="C:\MSOCache\All Users\90240409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE" CDCACHE="2" DELETABLECACHE="1" LOCALCACHEDRIVE="C" DWSETUPLOGFILE="C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001).txt" DWMSILOGFILE="C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001)_Task(0001).txt"	C:\Windows\system32\msiexec.exe		SETUP.EXE
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3728	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3380	C:\Windows\system32\MsiExec.exe -Embedding DFADD9E95276F31CB246B71885DB2EB6 C	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2240	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3416	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000390" "000005CC"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3312	C:\Windows\system32\MsiExec.exe -Embedding 704E1349A4177443310EB23203175081	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 126

Read events

550

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

181

Unknown types

Dropped files

PID	Process	Filename		Type
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ORK.CAB		—
		MD5:—	SHA256:—
3076	SETUP.EXE	C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001).txt		text
		MD5:C2F684244E6108D5500BAE013697792D	SHA256:B77B33D1964BD6532DAC5AA74C49952A7EB6863C5E2BE690349FB538654334E4
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ORK.CHM_1033		chm
		MD5:DD4F9BB9FDA40ABEB5EBC0F95FFB3593	SHA256:B1A8A2DD61E9554ABCC337BAD78AE75C50696CA453AEFDC6EA1C10B3BE712461
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE		executable
		MD5:D0D323B414B7748E713B51374D91B7D6	SHA256:4248DC2814960C11E26A6C5C66868941D77A1651B028311CCB536B3DFE39BAA0
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ork.xml		xml
		MD5:F2946A842CA35AD62C06144090435921	SHA256:A51E4A88F632AF8494495DD5575DDE794523984714FF99CEB679D807418FEDA4
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.INI		text
		MD5:C2D3B071382B578318F4593CB9F516FE	SHA256:07B8F3F300F49E279A7E2EA78BA90C8FC077B66FF273B33C6818767AE8CF1D98
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ORK.MSI		executable
		MD5:BDAE5C55256BEDC65AED3FDC17C506DC	SHA256:946BEAD54A0B29933AA24856BDADC72595A7657AEBA6F23F6EC68A5C98D71A7E
3940	Office Converter Pack.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\OSE.EXE		executable
		MD5:7A56CF3E3F12E8AF599963B16F50FB6A	SHA256:882C82BAE96D263138D4C0D6C425458B770B7B9C8E9C1D28AC918BF6BE94A5C2
2720	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI2E94.tmp		—
		MD5:—	SHA256:—
2720	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI2F02.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

Office Converter Pack.exe

C16FE4A973855B9A3944CB035C0DD82A

6FD4CDE3461F634359BFE7DCF837674F51B6752F

6412FA3DCE709FF735B52D21BDAF5CA98CA05F86E2AF9E5B8EE03B511366635F

196608:6FQGLMGReuFcN5WKYf0Qm9PmxS1h++L83b6TxcFug9QFo:E4huFEbYvwAi03bh8/K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Starts Microsoft Installer

Executed as Windows Service

Executed via COM

Creates COM task schedule object

Creates files in the Windows directory

INFO

Searches for installed software

Application launched itself

Reads Microsoft Office registry keys

Low-level read access rights to disk partition

Creates a software uninstall entry

Manual execution by user

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings