| File name: | OfficeTeamAddin64.dll |
| Full analysis: | https://app.any.run/tasks/5bb7518a-c88a-406b-a236-fd36dbb75966 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | October 18, 2024, 02:48:09 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| MD5: | 11BF1232BFEF7377916CF665A9524398 |
| SHA1: | 11940A903AB4E5A0451EE2B4E2DA505B9912CE10 |
| SHA256: | 71961F8BEA2982D6157BE9A1D36B5397F7D34629BD52DEA8D62432C359E31AD6 |
| SSDEEP: | 12288:GXHFcbMl7Xpq3UdVBxaD0Pg64rIuUb1jR3iO2fh7du:4HFwMlSD0745Ub9R3iOMh7du |
MALICIOUS
Executable content was dropped or overwritten
- WINWORD.EXE (PID: 6044)
Unusual execution from MS Office
- WINWORD.EXE (PID: 6044)
SUSPICIOUS
Creates/Modifies COM task schedule object
- regsvr32.exe (PID: 3276)
Uses RUNDLL32.EXE to load library
- WINWORD.EXE (PID: 6044)
Access to an unwanted program domain was detected
- rundll32.exe (PID: 6548)
INFO
Reads Microsoft Office registry keys
- regsvr32.exe (PID: 3276)
Manual execution by a user
- WINWORD.EXE (PID: 6044)
- WINWORD.EXE (PID: 3940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:05:08 14:18:25+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, DLL |
| PEType: | PE32+ |
| LinkerVersion: | 14.16 |
| CodeSize: | 411648 |
| InitializedDataSize: | 210432 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3d818 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.1 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Dynamic link library |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| CompanyName: | TODO: <公司名> |
| FileDescription: | TODO: <文件说明> |
| FileVersion: | 1.0.0.1 |
| LegalCopyright: | TODO: (C) <公司名>。 保留所有权利。 |
| InternalName: | OfficeTeamAddin.dll |
| OriginalFileName: | OfficeTeamAddin.dll |
| ProductName: | TODO: <产品名> |
| ProductVersion: | 1.0.0.1 |
Total processes
152
Monitored processes
10
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1748 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\testdir\OfficeTeam.Installer.dll",StartInstall 2 "1" "" | C:\Windows\System32\rundll32.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1880 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3276 | "C:\WINDOWS\System32\regsvr32.exe" C:\Users\admin\AppData\Local\Temp\OfficeTeamAddin64.dll | C:\Windows\System32\regsvr32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3940 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\childv.rtf" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 4408 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4828 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "EFCF4936-DF42-4607-BB80-F9EFF7A580A0" "64F4E9D4-2410-4F98-86E7-D2C222568121" "6044" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
| 6044 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\simplywestern.rtf" /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 6384 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "9F8A9030-1DE0-41AF-99CD-C878A62473FB" "EF49EEED-47A8-4AA8-BB5E-1BA3B38A3BC9" "3940" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
| |||||||||||||||
| 6512 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6548 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\testdir\OfficeTeam.Installer.dll",StartInstall 2 "1" "" | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
27 970
Read events
26 270
Write events
1 541
Delete events
159
Modification events
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{19622223-e359-41a3-b5c9-54078d5a34b7}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | Description |
Value: OfficeTeam Addin | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | FriendlyName |
Value: OfficeTeam Addin | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | LoadBehavior |
Value: 3 | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | CommandLineSafe |
Value: 1 | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | Description |
Value: OfficeTeam Addin | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | FriendlyName |
Value: OfficeTeam Addin | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | LoadBehavior |
Value: 3 | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | CommandLineSafe |
Value: 1 | |||
| (PID) Process: | (3276) regsvr32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\OfficeTeamAddin.Connect |
| Operation: | write | Name: | Description |
Value: OfficeTeam Addin | |||
Executable files
13
Suspicious files
179
Text files
175
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:1C53C70990B89E7F30E8B8A5D55D8B1D | SHA256:81270CFF2ACFAFB13458C544469B771FEF97785B729D7B32C81AB3C70EC860A7 | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:4DEA55E8C8A60F079316FB4557A9A99B | SHA256:4C81DB7B110CCB305D2655BA7B1F55F324074B7856220CDA561D1A09C855716A | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7DFA4838-E500-49AA-BD3A-77F63AFF1ECE | xml | |
MD5:4EE0E2B7F3173A86C5DA417DDD9994E9 | SHA256:681477CCB683065EA9BD2D384C688BAE098AF51C3209FB338B0E21941C585BC2 | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | der | |
MD5:F0CD77A5C17378D91F7E5D7DFE16A228 | SHA256:1F3BCC0C03076354D4015BC5A6D5EB997CB207261C834A11DF9EFAD0EFF319DA | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary | |
MD5:538796652FB6AA80BABCE7534E7CDFF6 | SHA256:413566DEA167CB7EA5CD8B21D8C4C92DE1C6916DDA5569DBEA70F3D7D10DF420 | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:A743BC4C83946AF819EA358A12B9274A | SHA256:60B17FE2A43CCEAE25F231E397915926CA4876EA16587967FDD1CD21EFE96634 | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text | |
MD5:CC90D669144261B198DEAD45AA266572 | SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 | |||
| 6548 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_0B0F0404F69AB9B4CB987F5770E5D618 | binary | |
MD5:A5D76A854632DB5EF0E33D1AB459C68E | SHA256:7C3C9202DB97FCA0E0DE4F44015EC2A87B3CB68B84E8B285804689FC34B52762 | |||
| 6044 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmp | binary | |
MD5:5E4A0113F1527E44B0A5AD51ECE5A332 | SHA256:B1EA7E7127DF1ED8D6CB3EB066A38736F764418DA648E4A23694C0186D66DD59 | |||
| 6548 | rundll32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | der | |
MD5:A4C27F19E4C4787546E9F16AD100F79C | SHA256:72972D42DA29921D2B5B3CFA4DC7EFEF90303FA7B156B5F4B28E6D2B359C32FD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
155
DNS requests
53
Threats
11
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
3276 | regsvr32.exe | POST | 200 | 43.159.200.212:80 | http://ofin.fh67k.com/ | unknown | — | — | unknown |
6548 | rundll32.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDGVFedNjiGIliJjigQ%3D%3D | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
944 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6668 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
3156 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
3156 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
6044 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1748 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4360 | SearchApp.exe | 2.16.110.121:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4360 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
3276 | regsvr32.exe | 43.159.200.212:80 | ofin.fh67k.com | Tencent Building, Kejizhongyi Avenue | HK | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
944 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
944 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
google.com |
| whitelisted |
ofin.fh67k.com |
| unknown |
login.live.com |
| whitelisted |
th.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2172 | svchost.exe | Misc activity | ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com) |
6044 | WINWORD.EXE | Misc activity | ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
6548 | rundll32.exe | Misc activity | ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
2172 | svchost.exe | Misc activity | ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com) |
6548 | rundll32.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible )) |
Process | Message |
|---|---|
WINWORD.EXE | [OfficeTeamAddin] OnConnection Beg |
WINWORD.EXE | [OfficeTeamAddin] WorkProc Time Repeat Update! |
WINWORD.EXE | [OfficeTeamAddin] WorkProc Beg |
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
rundll32.exe | LoadMemModuleIco Start! |
WINWORD.EXE | [OfficeTeamAddin] WorkProc End |
rundll32.exe | logkit_report start!!! |
rundll32.exe | 818A12786259F28B24B8E5978D7B46BEC053EC35242DEA561EA70551F19394A5 |