Malware analysis OfficeTeam.Installer.dll Malicious activity

Add for printing

File name:	OfficeTeam.Installer.dll
Full analysis:	https://app.any.run/tasks/aac42598-1fa5-40b3-93a9-71c4e94a0a54
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 29, 2024, 12:48:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:	EBFA0F0A9C1FE1FEEEA166A6FF933D0B
SHA1:	384F7D533EAF151CF99B1147AAE74BC0DEA5C487
SHA256:	A7BBFF68720A38C2491BB0886A84331D765C6F6ED29F5658A73A7664F28765AE
SSDEEP:	98304:hNo51dNZ/mBinOyhCszMuZwVNSl1EhnH2R6bx0BAMmG3xxBNm+M7:ozNxI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - rundll32.exe (PID: 1480)
SUSPICIOUS
- Drops the executable file immediately after the start
  - rundll32.exe (PID: 1480)
- Access to an unwanted program domain was detected
  - rundll32.exe (PID: 1480)
INFO
- Reads security settings of Internet Explorer
  - rundll32.exe (PID: 1480)
- Checks proxy server information
  - rundll32.exe (PID: 1480)
- Reads the software policy settings
  - rundll32.exe (PID: 1480)
- Creates files or folders in the user directory
  - rundll32.exe (PID: 1480)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:31 08:54:37+00:00
ImageFileCharacteristics:	Executable, 32-bit, DLL
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	1778688
InitializedDataSize:	702976
UninitializedDataSize:	-
EntryPoint:	0x64fb5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

119

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1480

"C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\AppData\Local\Temp\OfficeTeam.Installer.dll, #1

C:\Windows\SysWOW64\rundll32.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

1 059

Read events

1 047

Write events

Delete events

Modification events


(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1480) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MINIE
Operation:	write	Name:	LinksBandEnabled
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1480	rundll32.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475		binary
		MD5:07667D5AC5EA7AA040E1D5AD30F3BB2C	SHA256:C5CC8D8C022A78768D03F7ADB5954111342D48A99C5447838B26FEE09F558320
1480	rundll32.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_0B0F0404F69AB9B4CB987F5770E5D618		der
		MD5:10D92194C33A16A1C5DB990D22804D3B	SHA256:81B89EA3C92EBE8C72A884A2D7A95288DADE7CE34B996F7653EC2E437E792DA0
1480	rundll32.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475		der
		MD5:7A18B513A1822DD01D511F081CAB682A	SHA256:3E626301C78890B0664DB4D9E757DA715312FB0F10179A6C91E1110ECD7775DA
1480	rundll32.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_0B0F0404F69AB9B4CB987F5770E5D618		binary
		MD5:D6A192EF1A6D36F2E4D99D0841EE61BB	SHA256:39DB3EC15B5BCCCCE50420E084332EAD4D820082A7DDFCB4565E6D0C6A72EC89
1480	rundll32.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks		binary
		MD5:E95C85AB2475DCFFF6E266D75D11082F	SHA256:63E775A9CFAFB8C320ABFDC01E72541643685A8B3E4BC6C437E806BC016D43C8
1480	rundll32.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks		binary
		MD5:E95C85AB2475DCFFF6E266D75D11082F	SHA256:63E775A9CFAFB8C320ABFDC01E72541643685A8B3E4BC6C437E806BC016D43C8
1480	rundll32.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences		binary
		MD5:6F67B979487459CFFE3ED8DFD525A4CB	SHA256:F8305EC7A743894E33952CFA2074ADF3627D94BDB935D82B886076CC93AE1A48
1480	rundll32.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\places.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
1480	rundll32.exe	C:\Users\admin\Favorites\Bing.url		url
		MD5:B628FB120D306A9A72D65FAC0E06AC11	SHA256:E6127AF28ACDF1B4F8AA817C9417A1C8D33EA224B213A07320F54F6B036C4B10
1480	rundll32.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences		binary
		MD5:FC2F304120D94B38C00C8CDF1257ADD9	SHA256:283DD396805D205D46FA51CE622A1261199F9F1C50027151D39A708F6D7B7B46

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1480	rundll32.exe	GET	200	151.101.66.133:80	http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkcHsQGaDFetObPhfan5	US	binary	1.41 Kb	whitelisted
1480	rundll32.exe	POST	200	43.159.200.212:80	http://ofsg.fh67k.com/	HK	text	152 b	unknown
1480	rundll32.exe	GET	200	151.101.66.133:80	http://ocsp2.globalsign.com/gsorganizationvalsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSVLM6m9XSaK2pXyc357yFJVjgNwQQUaIa4fXrZbUlrhy8YixU0bNe0eg4CDGVFedNjiGIliJjigQ%3D%3D	US	binary	1.43 Kb	whitelisted
1480	rundll32.exe	POST	200	43.159.200.212:80	http://of2sg.fh67k.com/	HK	text	8.94 Kb	unknown
1480	rundll32.exe	POST	200	43.159.200.212:80	http://ofres.fh67k.com/	HK	—	—	unknown
1480	rundll32.exe	POST	200	43.159.200.212:80	http://ofres.fh67k.com/	HK	—	—	unknown
1480	rundll32.exe	POST	200	43.159.200.212:80	http://ofres.fh67k.com/	HK	—	—	unknown
1480	rundll32.exe	POST	200	43.159.200.212:80	http://ofres.fh67k.com/	HK	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
7072	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1480	rundll32.exe	43.159.200.212:80	ofsg.fh67k.com	Tencent Building, Kejizhongyi Avenue	HK	unknown
1480	rundll32.exe	159.75.57.35:443	sg-xj-1306567145.cos.ap-guangzhou.myqcloud.com	Shenzhen Tencent Computer Systems Company Limited	CN	whitelisted
1480	rundll32.exe	151.101.66.133:80	ocsp.globalsign.com	FASTLY	US	whitelisted
7072	svchost.exe	20.44.239.154:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.44.239.154	whitelisted
google.com	142.250.184.238	whitelisted
ofsg.fh67k.com	43.159.200.212	unknown
sg-xj-1306567145.cos.ap-guangzhou.myqcloud.com	159.75.57.35 159.75.57.69	whitelisted
ocsp.globalsign.com	151.101.66.133 151.101.194.133 151.101.2.133 151.101.130.133	whitelisted
ocsp2.globalsign.com	151.101.66.133 151.101.2.133 151.101.130.133 151.101.194.133	whitelisted
of2sg.fh67k.com	43.159.200.212	unknown
ofres.fh67k.com	43.159.200.212	unknown
ieonline.microsoft.com	204.79.197.200	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Misc activity	ET INFO Tencent Cloud Storage Domain in DNS Lookup (myqcloud .com)
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))
1480	rundll32.exe	Misc activity	ET INFO Observed Tencent Cloud Storage Domain (myqcloud .com in TLS SNI)
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))
1480	rundll32.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))

Add for printing

Process	Message
rundll32.exe	LoadMemModuleIco Start!
rundll32.exe	logkit_report start!!!
rundll32.exe	logkit_report finish!!!

General Info

OfficeTeam.Installer.dll

EBFA0F0A9C1FE1FEEEA166A6FF933D0B

384F7D533EAF151CF99B1147AAE74BC0DEA5C487

A7BBFF68720A38C2491BB0886A84331D765C6F6ED29F5658A73A7664F28765AE

98304:hNo51dNZ/mBinOyhCszMuZwVNSl1EhnH2R6bx0BAMmG3xxBNm+M7:ozNxI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Drops the executable file immediately after the start

Access to an unwanted program domain was detected

INFO

Reads security settings of Internet Explorer

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings