Click to jump to signature section
| Source: ScannedXfileX2.xlam.xlsx | Avira: detected |
| Source: ScannedXfileX2.xlam.xlsx | ReversingLabs: Detection: 71% |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 31.214.157.14 Port: 80 | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: unknown | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359065B WriteFile,CreateProcessW,ExitProcess, | 2_2_0359065B |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035905D0 WriteFile, | 2_2_035905D0 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904C5 CreateFileW, | 2_2_035904C5 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035906FA CreateProcessW,ExitProcess, | 2_2_035906FA |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904FC LoadLibraryW, | 2_2_035904FC |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590568 WriteFile, | 2_2_03590568 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035906D9 CreateProcessW,ExitProcess, | 2_2_035906D9 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590452 CreateFileW, | 2_2_03590452 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590641 WriteFile,CreateProcessW,ExitProcess, | 2_2_03590641 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590479 CreateFileW, | 2_2_03590479 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359061D WriteFile,CreateProcessW,ExitProcess, | 2_2_0359061D |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359041D ExitProcess,CreateFileW, | 2_2_0359041D |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590601 WriteFile, | 2_2_03590601 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035906BC CreateProcessW,ExitProcess, | 2_2_035906BC |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035904B2 CreateFileW, | 2_2_035904B2 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035905B4 WriteFile, | 2_2_035905B4 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590736 ExitProcess, | 2_2_03590736 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03590436 CreateFileW, | 2_2_03590436 |
| Source: global traffic | DNS query: name: speedy34.myvnc.com |
| Source: global traffic | DNS query: name: speedy34.myvnc.com |
| Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80 |
| Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80 |
| Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80 |
| Source: Joe Sandbox View | ASN Name: RACKPLACEDE RACKPLACEDE |
| Source: global traffic | TCP traffic: 192.168.2.22:49161 -> 31.214.157.14:80 |
| Source: unknown | DNS traffic detected: queries for: speedy34.myvnc.com |
| Source: EQNEDT32.EXE, 00000002.00000002.498827584.000000000062E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://speedy34.myvnc.com/WZM.exe |
| Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write | Jump to behavior |
| Source: ScannedXfileX2.xlam.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
| Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing |
| Source: classification engine | Classification label: mal100.expl.winXLSX@3/3@2/1 |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$ScannedXfileX2.xlam.xlsx | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6A65.tmp | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
| Source: ScannedXfileX2.xlam.xlsx | ReversingLabs: Detection: 71% |
| Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ntvdm64.dll | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll | Jump to behavior |
| Source: Window Recorder | Window detected: More than 3 window changes detected |
| Source: ScannedXfileX2.xlam.xlsx | Initial sample: OLE zip file path = xl/media/image1.jpg |
| Source: ScannedXfileX2.xlam.xlsx | Initial sample: OLE zip file path = xl/calcChain.xml |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll | Jump to behavior |
| Source: ScannedXfileX2.xlam.xlsx | Initial sample: OLE indicators vbamacros = False |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2188 | Thread sleep time: -120000s >= -30000s | Jump to behavior |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node | graph_2-1472 |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0359073D mov edx, dword ptr fs:[00000030h] | 2_2_0359073D |
| Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |
Edit tour
EXCEL.EXE (PID: 1012 cmdline: 
EQNEDT32.EXE (PID: 1416 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node