analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

OInstall.exe

Full analysis: https://app.any.run/tasks/5a7665c7-521e-49b3-87dd-d9aa70ed0e22
Verdict: Malicious activity
Analysis date: May 15, 2019, 12:51:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

CB6E2C13B9548E4864EAA610EBCE96A3

SHA1:

02B0F88785DED01C75A3EAF4288AEB0BE48D143E

SHA256:

9F46B1F0AA822B65F98744F91414E033C9248021A9F472FA23AE8A81B26B8FAE

SSDEEP:

196608:vHKNxawqBBz0yVnn6z77vv1JQOE5LlpiFi8oULkWZlftsc1ZMihDOnc6ACqcq2tf:vExEBBV96z77vvf3kioGkmBD7wnc6Ad2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • OfficeClickToRun.exe (PID: 1636)
      • OfficeClickToRun.exe (PID: 3528)
    • Application was dropped or rewritten from another process

      • setup.exe (PID: 2324)
      • files.dat (PID: 3568)
      • OfficeClickToRun.exe (PID: 3528)
      • OfficeClickToRun.exe (PID: 1636)
    • Changes settings of System certificates

      • setup.exe (PID: 2324)
      • OfficeClickToRun.exe (PID: 1636)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3120)
    • Starts application with an unusual extension

      • cmd.exe (PID: 944)
    • Starts CMD.EXE for commands execution

      • OInstall.exe (PID: 2076)
    • Executable content was dropped or overwritten

      • OInstall.exe (PID: 2076)
      • files.dat (PID: 3568)
      • setup.exe (PID: 2324)
      • OfficeClickToRun.exe (PID: 1636)
    • Adds / modifies Windows certificates

      • setup.exe (PID: 2324)
      • OfficeClickToRun.exe (PID: 1636)
    • Searches for installed software

      • setup.exe (PID: 2324)
    • Executes PowerShell scripts

      • setup.exe (PID: 2324)
    • Creates files in the program directory

      • setup.exe (PID: 2324)
      • OfficeClickToRun.exe (PID: 1636)
    • Creates files in the Windows directory

      • OfficeClickToRun.exe (PID: 1636)
    • Removes files from Windows directory

      • OfficeClickToRun.exe (PID: 1636)
  • INFO

    • Reads settings of System Certificates

      • setup.exe (PID: 2324)
      • OfficeClickToRun.exe (PID: 3528)
      • OfficeClickToRun.exe (PID: 1636)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3528)
      • OfficeClickToRun.exe (PID: 1636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

FileDescription: Office 2013-2016 C2R Install
ProductName: Office 2013-2016 C2R Install
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Unknown
FileOS: Unknown (0)
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 6.7.0.0
FileVersionNumber: 6.7.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x12eace0
UninitializedDataSize: 9658368
InitializedDataSize: 90112
CodeSize: 10174464
LinkerVersion: 2.5
PEType: PE32
TimeStamp: 2019:04:25 07:02:44+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Apr-2019 05:02:44
Detected languages:
  • English - United States
ProductName: Office 2013-2016 C2R Install
FileDescription: Office 2013-2016 C2R Install

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 25-Apr-2019 05:02:44
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00936000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00937000
0x009B4000
0x009B4000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.89369
.rsrc
0x012EB000
0x00016000
0x00015200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.96496

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.94291
1117
UNKNOWN
English - United States
RT_MANIFEST
2
1.96082
9640
UNKNOWN
English - United States
RT_ICON
3
2.20562
4264
UNKNOWN
English - United States
RT_ICON
4
2.87138
1128
UNKNOWN
English - United States
RT_ICON

Imports

ADVAPI32.DLL
COMCTL32.DLL
GDI32.DLL
ICMP.DLL
IMAGEHLP.DLL
IPHLPAPI.DLL
KERNEL32.DLL
MSI.DLL
MSVCRT.dll
NETAPI32.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start oinstall.exe no specs oinstall.exe cmd.exe no specs cmd.exe no specs files.dat cmd.exe no specs setup.exe powershell.exe no specs officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
3248"C:\Users\admin\AppData\Local\Temp\OInstall.exe" C:\Users\admin\AppData\Local\Temp\OInstall.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Office 2013-2016 C2R Install
Exit code:
3221226540
2076"C:\Users\admin\AppData\Local\Temp\OInstall.exe" C:\Users\admin\AppData\Local\Temp\OInstall.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Office 2013-2016 C2R Install
3312"C:\Windows\System32\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /YC:\Windows\System32\cmd.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
944"C:\Windows\System32\cmd.exe" /D /c files.dat -y -pkmsautoC:\Windows\System32\cmd.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3568files.dat -y -pkmsautoC:\Users\admin\AppData\Local\Temp\files\files.dat
cmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Console SFX
Exit code:
0
Version:
9.20
2132"C:\Windows\System32\cmd.exe" /D /c C:\Users\admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xmlC:\Windows\System32\cmd.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2324C:\Users\admin\AppData\Local\Temp\files\Setup.exe /configure Configure.xmlC:\Users\admin\AppData\Local\Temp\files\setup.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office
Version:
16.0.11617.33601
3120"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3528 deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 platform=x86 productreleaseid=none forcecentcheck= culture=en-us defaultplatform=False storeid= lcid=1033 b= totalclientcabsize=20033012 productstoadd=ProjectProRetail.16_en-us_x-none|ProplusRetail.16_en-us_x-none|VisioProRetail.16_en-us_x-none scenariosubtype=ODT scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.11601.20204 mediatype.16=CDN visioproretail.excludedapps.16=onedrive baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 projectproretail.excludedapps.16=onedrive sourcetype.16=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.11601.20174
1636"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.11601.20174
Total events
813
Read events
526
Write events
281
Delete events
6

Modification events

(PID) Process:(2076) OInstall.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:writeName:Speaker Configuration
Value:
4
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun
Operation:writeName:FirstSessionTriggered
Value:
1
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:UIFallbackLanguages
Value:
x-none
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:HelpLanguageTag
Value:
en-US
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:PreferredEditingLanguage
Value:
en-US
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:PreviousPreferredEditingLanguage
Value:
en-US
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:WordChangeInstallLanguage
Value:
No
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:WordMailChangeInstallLanguage
Value:
No
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:XLChangeInstallLanguage
Value:
No
(PID) Process:(2324) setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:PPTChangeInstallLanguage
Value:
No
Executable files
190
Suspicious files
16
Text files
29
Unknown types
8

Dropped files

PID
Process
Filename
Type
2324setup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\v32_16.0.11601.20204.cab
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\Cab906C.tmp
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\Tar906D.tmp
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4OfficeC2R5A59CF32-75AE-4CEE-AAAB-751B657A814C\v32.hash
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4OfficeC2R5A59CF32-75AE-4CEE-AAAB-751B657A814C\VersionDescriptor.xml
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\v32.hash
MD5:
SHA256:
2324setup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R90DA1C77-5FB2-4A37-875F-A5E66A955BA4\VersionDescriptor.xml
MD5:
SHA256:
3120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZA59B3K87YE3BHTR0YZF.temp
MD5:
SHA256:
3120powershell.exeC:\Users\admin\AppData\Local\Temp\Office.ValidateResult.scratch
MD5:
SHA256:
3120powershell.exeC:\Users\admin\AppData\Local\Temp\Office.ValidateError.scratch
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
12
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2324
setup.exe
HEAD
301
104.111.214.95:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
NL
whitelisted
2324
setup.exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
unknown
whitelisted
2324
setup.exe
GET
301
104.111.214.95:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
NL
whitelisted
2324
setup.exe
GET
301
104.111.214.95:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab
NL
whitelisted
2324
setup.exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
unknown
whitelisted
2324
setup.exe
HEAD
301
104.111.214.95:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
NL
whitelisted
2324
setup.exe
HEAD
301
104.111.214.95:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11601.20204/i320.cab
NL
whitelisted
1636
OfficeClickToRun.exe
GET
200
2.16.186.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
der
824 b
whitelisted
2324
setup.exe
GET
200
173.223.10.123:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
NL
der
555 b
whitelisted
2324
setup.exe
GET
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11601.20204.cab
unknown
compressed
17.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2324
setup.exe
52.109.120.18:443
nexusrules.officeapps.live.com
Microsoft Corporation
HK
whitelisted
2324
setup.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2324
setup.exe
2.16.186.83:80
officecdn.microsoft.com.edgesuite.net
Akamai International B.V.
whitelisted
1636
OfficeClickToRun.exe
2.16.186.120:80
crl.microsoft.com
Akamai International B.V.
whitelisted
2324
setup.exe
52.109.76.40:443
mrodevicemgr.officeapps.live.com
Microsoft Corporation
IE
suspicious
3528
OfficeClickToRun.exe
52.109.120.18:443
nexusrules.officeapps.live.com
Microsoft Corporation
HK
whitelisted
1636
OfficeClickToRun.exe
52.109.120.18:443
nexusrules.officeapps.live.com
Microsoft Corporation
HK
whitelisted
1636
OfficeClickToRun.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
1636
OfficeClickToRun.exe
2.23.106.83:80
www.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
nexusrules.officeapps.live.com
  • 52.109.120.18
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.76.40
whitelisted
officecdn.microsoft.com
  • 104.111.214.95
whitelisted
officecdn.microsoft.com.edgesuite.net
  • 2.16.186.83
  • 2.16.186.90
whitelisted
crl.microsoft.com
  • 173.223.10.123
  • 173.223.10.146
  • 2.16.186.120
  • 2.16.186.74
whitelisted
www.microsoft.com
  • 2.23.106.83
whitelisted

Threats

No threats detected
No debug info