Report - mso-install.exe

Gen1 Generic Malware UPX Malicious Library Malicious Packer Antivirus PE File PE32 OS Processor Check PE64 CAB DLL
Created 2024.10.17 10:55 Machine s1_win7_x6403
Filename mso-install.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score
4
Behavior Score
12.6
ZERO API
VT API (file) 18 detected (AIDetectMalware, Unsafe, malicious, confidence, moderate confidence, PoverTel, high, score, Autoit, Wacapew, MachineLearning, Anomalous, 100%, susgen, C9nj)
md5 d16b9f62e697777a3b63f53c95a8c65c
sha256 f47857662ee05b4e6f3063940f737f87c116faaa25cf8ea9e7e0d6fb3d4ef166
ssdeep 12288:vYV6MorX7qzuC3QHO9FQVHPF51jgcQ+uBYzSR5+YxKFQSj55m6Ul9jeCoAK59UZZ:8BXu9HGaVHQZa2QXFpPm6ULr60RKOh
imphash fc6683d30d9f25244a50fd5357825e79
impfuzzy 12:VA/DzqYOZkKDHLB78r4B3ExjLAkcOaiTQQnd3mxCHH:V0DBaPHLB7PxExjLAkcOV2kn

Signature (31cnts)

Level Description
watch Attempts to create or modify system certificates
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Creates a suspicious Powershell process
watch Deletes executed files from disk
watch Disables proxy possibly for traffic interception
watch File has been identified by 18 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process mso-install.exe
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info CAB_file_format CAB archive file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (26cnts)

Request CC ASN Co IP4 Rule ZERO
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64_16.0.14332.20791.cab US COGENT-174 38.96.206.65
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab US COGENT-174 38.96.206.65
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl US Akamai International B.V. 23.2.16.67
http://185.25.60.13:8080/distr/components/deploy-mso.dst RU Optibit LLC 185.25.60.13
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64.cab US None 23.45.207.174
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt US EDGECAST 152.195.38.76
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl US AKAMAI-AS 23.202.35.72 clean
http://195.130.214.155:8080/logUserActivity.php?u=3FE1525F8E2065C102140EB6C463BC5D&t=1729181842&m=common&a=run_Component:%20deploy-mso%20(pid%20=%201603) RU Mobilon Telecommunications LLC 195.130.214.155 clean
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl Unknown 104.94.217.134 clean
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl US AKAMAI-AS 23.202.35.65 clean
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v64_16.0.14332.20303.cab US CLARO S.A. 23.219.78.199 clean
http://185.25.60.13:8080/distr/components/deploy-mso.ver RU Optibit LLC 185.25.60.13 clean
officecdn.microsoft.com US COGENT-174 38.96.206.65 clean
nexusrules.officeapps.live.com NL MICROSOFT-CORP-MSN-AS-BLOCK 52.111.243.30 clean
ecs.office.com US MICROSOFT-CORP-MSN-AS-BLOCK 52.113.194.132 clean
mrodevicemgr.officeapps.live.com SG MICROSOFT-CORP-MSN-AS-BLOCK 52.109.124.190 clean
cacerts.digicert.com US EDGECAST 152.195.38.76 clean
www.microsoft.com Unknown 104.94.217.134 clean
195.130.214.155 RU Mobilon Telecommunications LLC 195.130.214.155 clean
23.40.45.184 US AKAMAI-AS 23.40.45.184 malicious
52.109.124.190 SG MICROSOFT-CORP-MSN-AS-BLOCK 52.109.124.190 clean
152.195.38.76 US EDGECAST 152.195.38.76 clean
52.111.227.14 US MICROSOFT-CORP-MSN-AS-BLOCK 52.111.227.14 clean
52.113.194.132 US MICROSOFT-CORP-MSN-AS-BLOCK 52.113.194.132 clean
185.25.60.13 RU Optibit LLC 185.25.60.13 malware
173.222.248.74 Unknown 173.222.248.74 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
 0x5d0b18 LoadLibraryA
 0x5d0b1c GetProcAddress
 0x5d0b20 VirtualProtect
 0x5d0b24 VirtualAlloc
 0x5d0b28 VirtualFree
 0x5d0b2c ExitProcess
ADVAPI32.dll
 0x5d0b34 GetAce
COMCTL32.dll
 0x5d0b3c ImageList_Remove
COMDLG32.dll
 0x5d0b44 GetOpenFileNameW
GDI32.dll
 0x5d0b4c LineTo
IPHLPAPI.DLL
 0x5d0b54 IcmpSendEcho
MPR.dll
 0x5d0b5c WNetUseConnectionW
ole32.dll
 0x5d0b64 CoGetObject
OLEAUT32.dll
 0x5d0b6c VariantInit
PSAPI.DLL
 0x5d0b74 GetProcessMemoryInfo
SHELL32.dll
 0x5d0b7c DragFinish
USER32.dll
 0x5d0b84 GetDC
USERENV.dll
 0x5d0b8c LoadUserProfileW
UxTheme.dll
 0x5d0b94 IsThemeActive
VERSION.dll
 0x5d0b9c VerQueryValueW
WININET.dll
 0x5d0ba4 FtpOpenFileW
WINMM.dll
 0x5d0bac timeGetTime
WSOCK32.dll
 0x5d0bb4 connect

EAT(Export Address Table) is none