analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://c2rsetup.officeapps.live.com/c2r/download.aspx?productreleaseid=skypeforbusinessentryretail&platform=x86&language=es-es&source=o16o365&version=o16ga

Full analysis: https://app.any.run/tasks/90267235-aec9-43c6-a470-69c69d52133f
Verdict: Malicious activity
Analysis date: December 06, 2018, 07:17:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

2E434CCE2CE73AF7BC8CAC8F3D798F9C

SHA1:

39E08D35FEEB478F4755FD76D02AB2E327169A0D

SHA256:

DFEC1E2EA4F93229C03BD53EF74B65B33DA47357295537E01DA02A080289F607

SSDEEP:

3:N8M4uMM8uT3q8ElfIadXHuSHzyWBPafxGEC9uN6UGByWLsK6:2M4u4c3q3fIad3uuVapGshGByF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • OfficeClickToRun.exe (PID: 2436)
      • OfficeClickToRun.exe (PID: 3084)
    • Application was dropped or rewritten from another process

      • download[1].exe (PID: 2244)
      • download[1].exe (PID: 2820)
      • OfficeClickToRun.exe (PID: 3084)
      • OfficeClickToRun.exe (PID: 2436)
    • Changes settings of System certificates

      • download[1].exe (PID: 2820)
      • OfficeClickToRun.exe (PID: 3084)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • download[1].exe (PID: 2820)
      • download[1].exe (PID: 2244)
      • OfficeClickToRun.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 2856)
      • download[1].exe (PID: 2820)
      • OfficeClickToRun.exe (PID: 3084)
    • Executes PowerShell scripts

      • download[1].exe (PID: 2820)
    • Application launched itself

      • download[1].exe (PID: 2244)
    • Adds / modifies Windows certificates

      • download[1].exe (PID: 2820)
      • OfficeClickToRun.exe (PID: 3084)
    • Creates files in the user directory

      • powershell.exe (PID: 3924)
    • Searches for installed software

      • download[1].exe (PID: 2820)
    • Creates files in the program directory

      • download[1].exe (PID: 2820)
      • OfficeClickToRun.exe (PID: 3084)
    • Creates files in the Windows directory

      • OfficeClickToRun.exe (PID: 3084)
    • Removes files from Windows directory

      • OfficeClickToRun.exe (PID: 3084)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2856)
    • Changes internet zones settings

      • iexplore.exe (PID: 2856)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3252)
      • iexplore.exe (PID: 2856)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 2436)
      • OfficeClickToRun.exe (PID: 3084)
    • Reads settings of System Certificates

      • OfficeClickToRun.exe (PID: 3084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start iexplore.exe iexplore.exe download[1].exe download[1].exe powershell.exe no specs officeclicktorun.exe no specs officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
2856"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3252"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2244"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office
Version:
16.0.11029.20064
2820"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe" ELEVATED C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\download[1].exe
download[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office
Version:
16.0.11029.20064
3924"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -WindowStyle Hidden -Command "& { $isOfficeInstalled = Get-AppxPackage Microsoft.Office.Desktop -allusers; if ($isOfficeInstalled -eq $null) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '0' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '1' -Encoding ascii } }"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exedownload[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2436 forcecentcheck= deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 productreleaseid=SkypeforBusinessEntryRetail platform=x86 culture=es-es defaultplatform=False lcid=3082 b= prereleasebuild=4419 storeid= tx= totalclientcabsize=20812258 productstoadd=SkypeforBusinessEntryRetail.16_es-es_x-none scenario=unknown mediatype.16=CDN SkypeforBusinessEntryRetail.excludedapps.16=groove updatesenabled.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.11029.20079 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 sourcetype.16=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exedownload[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.11029.20079
3084"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.11029.20079
Total events
1 840
Read events
1 511
Write events
0
Delete events
0

Modification events

No data
Executable files
182
Suspicious files
15
Text files
23
Unknown types
9

Dropped files

PID
Process
Filename
Type
2856iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2856iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2856iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF812FCEA904287765.TMP
MD5:
SHA256:
2856iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE01783410B5D7EEE.TMP
MD5:
SHA256:
2856iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0E704B65-F927-11E8-BAD8-5254004A04AF}.dat
MD5:
SHA256:
2820download[1].exeC:\Users\admin\AppData\Local\Temp\CabF013.tmp
MD5:
SHA256:
2820download[1].exeC:\Users\admin\AppData\Local\Temp\TarF014.tmp
MD5:
SHA256:
2820download[1].exeC:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68OfficeC2RA2ADB74C-2A70-4BD0-B907-FEF8A7FF81A5\v32.hash
MD5:
SHA256:
2820download[1].exeC:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68OfficeC2RA2ADB74C-2A70-4BD0-B907-FEF8A7FF81A5\VersionDescriptor.xml
MD5:
SHA256:
2820download[1].exeC:\Users\admin\AppData\Local\Temp\OfficeC2RFFF641DA-ED0D-4DC3-AFFE-734878431F68\v32.hash
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
12
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2820
download[1].exe
HEAD
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab
unknown
whitelisted
2820
download[1].exe
GET
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab
unknown
whitelisted
2820
download[1].exe
HEAD
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab
unknown
whitelisted
2820
download[1].exe
HEAD
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i323082.cab
unknown
whitelisted
2820
download[1].exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab
unknown
whitelisted
2820
download[1].exe
GET
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i323082.cab
unknown
whitelisted
2820
download[1].exe
GET
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab
unknown
whitelisted
2820
download[1].exe
HEAD
301
2.18.232.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab
unknown
whitelisted
2820
download[1].exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.11029.20079.cab
unknown
whitelisted
2820
download[1].exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.11029.20079/i320.cab
unknown
compressed
83.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3252
iexplore.exe
52.109.20.8:443
c2rsetup.officeapps.live.com
Microsoft Corporation
US
unknown
2856
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2820
download[1].exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted
3084
OfficeClickToRun.exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted
2820
download[1].exe
52.109.76.40:443
mrodevicemgr.officeapps.live.com
Microsoft Corporation
IE
suspicious
3084
OfficeClickToRun.exe
2.21.41.70:80
www.microsoft.com
GTT Communications Inc.
FR
malicious
2244
download[1].exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
3084
OfficeClickToRun.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2244
download[1].exe
52.232.69.150:443
client-office365-tas.msedge.net
Microsoft Corporation
NL
whitelisted
2820
download[1].exe
2.18.232.120:80
officecdn.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
c2rsetup.officeapps.live.com
  • 52.109.20.8
whitelisted
client-office365-tas.msedge.net
  • 52.232.69.150
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.76.40
whitelisted
officecdn.microsoft.com
  • 2.18.232.120
whitelisted
officecdn.microsoft.com.edgesuite.net
  • 2.16.186.83
  • 2.16.186.90
whitelisted
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted
www.microsoft.com
  • 2.21.41.70
whitelisted

Threats

No threats detected
No debug info