File name: OTool.zip
Full analysis: https://app.any.run/tasks/015c4e5f-9db5-42be-8b3b-e9b70b764a68
Verdict: Malicious activity
Analysis date: November 14, 2018, 13:35:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: F5572E58DC156287BD479E885A7BE1F6
SHA1: B85F4453507642AC99B6680AA24C85B2E3D15AEC
SHA256: 9DFB663B8C961752B8F9201DC6AB8D380742325E95F273248127D90E6EC49120
SSDEEP: 196608:FplogZ5QkZ4fCeQfgd7hej2mG/J47LNaPoFdZw73/HaDa:FplogZ4bQfg6j23OaGdCj/aDa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 7za.exe (PID: 3032)
      • Office Tool Plus.exe (PID: 3952)
      • 7za.exe (PID: 3140)
      • 7za.exe (PID: 3268)
      • 7za.exe (PID: 3708)
      • Office Tool Plus.exe (PID: 1404)
      • 7za.exe (PID: 2528)
      • 7za.exe (PID: 2060)
      • 7za.exe (PID: 3516)
      • setup.exe (PID: 1696)
      • check.exe (PID: 772)
      • aria2c.exe (PID: 1016)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • Office Tool Plus.exe (PID: 1404)
    • Creates files in the program directory

      • Office Tool Plus.exe (PID: 1404)
      • 7za.exe (PID: 2528)
      • 7za.exe (PID: 3708)
      • 7za.exe (PID: 3268)
      • 7za.exe (PID: 3140)
      • 7za.exe (PID: 3032)
      • 7za.exe (PID: 3516)
      • 7za.exe (PID: 2060)
    • Reads Environment values

      • Office Tool Plus.exe (PID: 1404)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3692)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: OTool/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:06:30 17:00:15
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Interactive graph available only in the full report. Process nodes shown: winrar.exe, office tool plus.exe (no specs), office tool plus.exe, notepad.exe (no specs), 7za.exe x7 (no specs), setup.exe, aria2c.exe (no specs), check.exe. Edge labels: "drop and start" (x5), "start" (x1).

Process information

PID: 3692
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\OTool.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3952
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\Office Tool Plus.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\Office Tool Plus.exe
Parent process: WinRAR.exe
User: admin
Company: Landian Office 365
Integrity Level: MEDIUM
Description: Office Tool Plus
Exit code: 3221226540
Version: 5.0.1.0

PID: 1404
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\Office Tool Plus.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\Office Tool Plus.exe
Parent process: WinRAR.exe
User: admin
Company: Landian Office 365
Integrity Level: HIGH
Description: Office Tool Plus
Version: 5.0.1.0

PID: 2564
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3692.10423\Office GVLK Key.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2528
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04

PID: 3708
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04

PID: 3140
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04

PID: 3032
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04

PID: 3268
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04

PID: 3516
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe" e C:\ProgramData\OTP\MRO.cab -oC:\ProgramData\OTP\ -aoa
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\7-zip\7za.exe
Parent process: Office Tool Plus.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Standalone Console
Exit code: 0
Version: 16.04
Total events: 1 059
Read events: 915
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 62
Suspicious files: 17
Text files: 33
Unknown types: 0

Dropped files

PID | Process | Type | Filename

3692 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\OSPP_zh-cn.VBS
  MD5: 5737B157EAAFDA93DF17D64DC7A175B2
  SHA256: AC15336CAD9F134463696C3A40A3F9A3DABC6F60F6F20368D1C5F0563607546B
3692 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\OSPP.VBS
  MD5: 1B12CC712B648C0F05AED3E0EC99AAAB
  SHA256: 2037F0310FE838FB2AA02CDD2E8CEF237AA806ED02CBBE01403772B360577D0F
3692 | WinRAR.exe | compressed | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\licenses.dat
  MD5: 2CEA2C2E32CA288D1308A47867DEB929
  SHA256: 9BA840BFD1B40A646D3C4C98286108A4B085216EE1FFAA42729CA77FB8DBBADF
3692 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\setup.exe
  MD5: 0371333BC0ACFACE03CD05ED5B4D5ECC
  SHA256: D8C8CA483ACA7BCFA0133340C262B661A677A0B6741C6EA50602037709E69B91
3692 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\SLERROR_zh-cn.XML
  MD5: 8AAB13B33880E258209741626A52259B
  SHA256: 2753D0E69E144BDCD26853F1CF468C2D713A72628665D201CF90160439A5CE0A
3692 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\Thunder\aria2c.exe
  MD5: 717D0F91D78F95FA0E9A43474EFF12BA
  SHA256: 1677867238F99FC42A05130198140FFF5EA7D26496B1B796578DE671593D280B
3692 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\check.exe
  MD5: BB4796A5F1AEE873CA1B0A4F06CB063A
  SHA256: DE65F4506AD84C085A68A3FAE111D21A085F222C21EB58D62ECA377F7D52BA85
3692 | WinRAR.exe | executable | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\OSPPREARM.EXE
  MD5: 0425533B09F71EE34B65F60219A26F8F
  SHA256: 877811F5FEB1E7B1A6A0EA692B3B13C8351C08E01883C9A64E0A67E1F571CC55
3692 | WinRAR.exe | compressed | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\clean\script.dat
  MD5: DB584110D4340ED502171B66137FA959
  SHA256: 41F09DEF90721D296ABA0E605EA1F2A723E9A78DD078985008094C4CABF83E7D
3692 | WinRAR.exe | text | C:\Users\admin\AppData\Local\Temp\Rar$EXa3692.9868\OTool\files\activate\SLERROR.XML
  MD5: 36F7DADFE84E62DA00292D0569C3F523
  SHA256: B3378A3178F3E52094DB20E8A828011CD8882017919522A544BAEF3057BD11D3
HTTP(S) requests: 14
TCP/UDP connections: 10
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 301 | 2.18.232.120:80 | http://officecdn.microsoft.com/pr/5440fd1f-7ecb-4221-8110-145efaa6372f/office/data/MRO.cab | unknown | - | - | whitelisted
1404 | Office Tool Plus.exe | GET | 200 | 2.16.186.90:80 | http://officecdn.microsoft.com.edgesuite.net/pr/b8f9b850-328d-4355-9145-c59439a0c4cf/office/data/MRO.cab | unknown | compressed | 16.0 Kb | whitelisted
1404 | Office Tool Plus.exe | GET | 200 | 2.16.186.90:80 | http://officecdn.microsoft.com.edgesuite.net/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208/office/data/MRO.cab | unknown | compressed | 16.2 Kb | whitelisted
1404 | Office Tool Plus.exe | GET | 200 | 2.16.186.90:80 | http://officecdn.microsoft.com.edgesuite.net/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114/office/data/MRO.cab | unknown | compressed | 16.2 Kb | whitelisted
1404 | Office Tool Plus.exe | GET | 200 | 2.16.186.90:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/MRO.cab | unknown | compressed | 16.2 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1404 | Office Tool Plus.exe | 222.186.170.7:443 | server.lancdn.com | No.31,Jin-rong Street | CN | unknown
1696 | setup.exe | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
1696 | setup.exe | 52.109.76.34:443 | nexus.officeapps.live.com | Microsoft Corporation | IE | whitelisted
1696 | setup.exe | 52.109.120.18:443 | nexusrules.officeapps.live.com | Microsoft Corporation | HK | whitelisted
1404 | Office Tool Plus.exe | 2.16.186.90:80 | officecdn.microsoft.com.edgesuite.net | Akamai International B.V. | - | whitelisted
1404 | Office Tool Plus.exe | 2.18.232.120:80 | officecdn.microsoft.com | Akamai International B.V. | - | whitelisted
1696 | setup.exe | 40.121.213.159:443 | client-office365-tas.msedge.net | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
server.lancdn.com | 222.186.170.7 | malicious
officecdn.microsoft.com | 2.18.232.120 | whitelisted
officecdn.microsoft.com.edgesuite.net | 2.16.186.90, 2.16.186.83 | whitelisted
nexusrules.officeapps.live.com | 52.109.120.18 | whitelisted
config.edge.skype.com | 13.107.3.128 | whitelisted
client-office365-tas.msedge.net | 40.121.213.159 | whitelisted
nexus.officeapps.live.com | 52.109.76.34 | whitelisted

Threats

No threats detected
No debug info