Windows Analysis Report
ScannedXfileX2.xlam.xlsx

Overview

General Information

Sample name: ScannedXfileX2.xlam.xlsx
Analysis ID: 1428199
MD5: df7ca854604bd4f2b015a33a0ffcf3ac
SHA1: 9edffd0c999381f0cb310ac71060224a46862a37
SHA256: 001dc9607cd0bc84512d280d3531670ab506d343c8c95925cfceca29d8d0456e
Tags: AgentTeslaxlsx
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Document exploit detected (process start blacklist hit)
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: ScannedXfileX2.xlam.xlsx Avira: detected
Multi AV Scanner detection for submitted file
Source: ScannedXfileX2.xlam.xlsx ReversingLabs: Detection: 71%

Exploits
barindex
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 31.214.157.14 Port: 80 Jump to behavior
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: unknown Jump to behavior
Office Equation Editor has been started
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Shellcode detected
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0359065B WriteFile,CreateProcessW,ExitProcess, 2_2_0359065B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035905D0 WriteFile, 2_2_035905D0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035904C5 CreateFileW, 2_2_035904C5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035906FA CreateProcessW,ExitProcess, 2_2_035906FA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035904FC LoadLibraryW, 2_2_035904FC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590568 WriteFile, 2_2_03590568
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035906D9 CreateProcessW,ExitProcess, 2_2_035906D9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590452 CreateFileW, 2_2_03590452
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590641 WriteFile,CreateProcessW,ExitProcess, 2_2_03590641
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590479 CreateFileW, 2_2_03590479
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0359061D WriteFile,CreateProcessW,ExitProcess, 2_2_0359061D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0359041D ExitProcess,CreateFileW, 2_2_0359041D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590601 WriteFile, 2_2_03590601
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035906BC CreateProcessW,ExitProcess, 2_2_035906BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035904B2 CreateFileW, 2_2_035904B2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035905B4 WriteFile, 2_2_035905B4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590736 ExitProcess, 2_2_03590736
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03590436 CreateFileW, 2_2_03590436
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: speedy34.myvnc.com
Source: global traffic DNS query: name: speedy34.myvnc.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RACKPLACEDE RACKPLACEDE
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80
Source: unknown DNS traffic detected: queries for: speedy34.myvnc.com
Source: EQNEDT32.EXE, 00000002.00000002.498827584.000000000062E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://speedy34.myvnc.com/WZM.exe

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ScannedXfileX2.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Yara signature match
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine Classification label: mal100.expl.winXLSX@3/3@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ScannedXfileX2.xlam.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6A65.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: ScannedXfileX2.xlam.xlsx ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ScannedXfileX2.xlam.xlsx Initial sample: OLE zip file path = xl/media/image1.jpg
Source: ScannedXfileX2.xlam.xlsx Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: ScannedXfileX2.xlam.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2188 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Contains functionality to read the PEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0359073D mov edx, dword ptr fs:[00000030h] 2_2_0359073D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428199 Sample: ScannedXfileX2.xlam.xlsx Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 14 Malicious sample detected (through community Yara rule) 2->14 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 20 5 other signatures 2->20 6 EXCEL.EXE 6 11 2->6         started        process3 process4 8 EQNEDT32.EXE 1 6->8         started        dnsIp5 12 speedy34.myvnc.com 31.214.157.14, 80 RACKPLACEDE Germany 8->12 22 Office equation editor establishes network connection 8->22 24 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 8->24 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.214.157.14
 speedy34.myvnc.com Germany
58329 RACKPLACEDE true

Contacted Domains

Name IP Active
speedy34.myvnc.com 31.214.157.14 true