Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Signature.xlsx

CDFV2 Encrypted

initial sample

Details

Filetype:	CDFV2 Encrypted
Entropy:	7.996746245995192
Filename:	Signature.xlsx
Filesize:	2493440
MD5:	560a48512736572ec4abceb4ecf22250
SHA1:	56798f4c080101515e42b5678a2039ac6b8caaf3
SHA256:	1d93a4fcbcf81b40332da7aedaa9288ca16a2c0c588db5c78c6e349ce53478d4
SHA512:	52e6f40d303311a42e184835c734f0b482af35e38186202e46433c2251b9eb9d3d5c9a2aad25353193d6cf6bb5794212ace90a54cdd56fa6f6f647587bd69e4c
SSDEEP:	49152:XMzIKfCSJddchY7PRLJCLC3vX/UryBWs2yxNqbyj2FrwwV:2frJnQm9yC3P6GWsfAyj2mwV
Preview:	........................>...................'...................................................................................\|.......~...............z.......\|.......~...............z.......\|.......~...............z.......\|..............................

Signature Hits	Behavior Group	Mitre Attack
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary,
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection,	Obfuscated Files or Information
Document has a 'vbamacros' value indicative of goodware	System Summary,
Document has an 'encrypted' value indicative of goodware	System Summary,
Submission file is bigger than most known malware samples	System Summary,

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

downloaded

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hm1[1].exe
IE cache URL:	http://18.194.54.219/wows/hm1.exe
Category:	downloaded
Dump:	hm1[1].exe.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.405346249644526
Encrypted:	false
Ssdeep:	12288:2PG5tVUOCqv9SdgIJCOhpMbs/oSmCy9XY3FGCr6:eG38WYZhyhCyA2
Size:	633856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Machine Learning detection for dropped file	AV Detection,
Office equation editor drops PE file	System Summary,
Drops PE files	Persistence and Installation Behavior,

C:\Users\Public\vbc.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\Public\vbc.exe
Category:	dropped
Dump:	vbc.exe.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.405346249644526
Encrypted:	false
Ssdeep:	12288:2PG5tVUOCqv9SdgIJCOhpMbs/oSmCy9XY3FGCr6:eG38WYZhyhCyA2
Size:	633856
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Machine Learning detection for dropped file	AV Detection,
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary,
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion,	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Detected potential crypto function	System Summary,	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Enables debug privileges	Anti Debugging,
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging,	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection,
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary,
Queries a list of all running processes	Malware Analysis System Evasion,	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection,	System Information Discovery
Reads software policies	System Summary,	System Information Discovery
Spawns processes	System Summary,	Process Injection
Uses Microsoft Silverlight	System Summary,

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B65EA87.jpeg

gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B65EA87.jpeg
Category:	dropped
Dump:	3B65EA87.jpeg.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Entropy:	7.801842363879827
Encrypted:	false
Ssdeep:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
Size:	48770
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CDB2DC.jpeg

gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86CDB2DC.jpeg
Category:	dropped
Dump:	86CDB2DC.jpeg.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Entropy:	7.801842363879827
Encrypted:	false
Ssdeep:	768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
Size:	48770
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E74B891E.emf
Category:	dropped
Dump:	E74B891E.emf.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Entropy:	2.8986230323260216
Encrypted:	false
Ssdeep:	3072:r34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:D4UcLe0JOqQQZR8MDdATCR3tS+jqcC
Size:	653280
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking,	Ingress Tool Transfer

C:\Users\user\Desktop\~$Signature.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$Signature.xlsx
Category:	dropped
Dump:	~$Signature.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
Size:	330
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary,
Creates files inside the user directory	System Summary,	Masquerading
Document contains OLE streams with high entropy indicating encrypted embedded content	Hooking and other Techniques for Hiding and Protection,	Obfuscated Files or Information
Document has a 'vbamacros' value indicative of goodware	System Summary,
Document has an 'encrypted' value indicative of goodware	System Summary,
Submission file is bigger than most known malware samples	System Summary,

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2332
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	20:03:11
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Office Equation Editor has been started	Exploits,
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2852
Target ID:	4
Parent PID:	2332
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:12
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2876
Target ID:	5
Parent PID:	2852
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:13
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2468
Target ID:	6
Parent PID:	2852
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:14
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2460
Target ID:	7
Parent PID:	2852
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:14
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2424
Target ID:	8
Parent PID:	2852
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:14
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	2420
Target ID:	9
Parent PID:	2852
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	633856
MD5:	BE84C387975B024F25DC96EC5F85F7BD
Time:	20:03:15
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x210000
Modulesize:	663552
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected AntiVM_3	Malware Analysis System Evasion,
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection,	System Information Discovery
Spawns processes	System Summary,	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	152
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	20:02:51
Date:	27/01/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fed0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://18.194.54.219/wows/hm1.exe

18.194.54.219

Details

Name:	http://18.194.54.219/wows/hm1.exe
IP:	18.194.54.219
TargetID:	2
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection,
Multi AV Scanner detection for domain / URL	AV Detection,
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking,
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://thesnake.herokuapp.com/snakes

unknown

Details

Name:	http://thesnake.herokuapp.com/snakes
TargetID:	-1
From Memory:	true
Source:	vbc.exe, vbc.exe, 00000005.00000002.2157599757.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000006.00000002.2158308519.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000007.00000002.2159068648.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000008.00000002.2159827958.0000000000212000.00000020.00020000.sdmp, vbc.exe, 00000009.00000002.2161125989.0000000000212000.00000020.00020000.sdmp, vbc.exe.2.dr

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

http://www.day.com/dam/1.0

unknown

Details

Name:	http://www.day.com/dam/1.0
TargetID:	0
From Memory:	true
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	E74B891E.emf.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	4
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000004.00000002.2162212987.00000000020D1000.00000004.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Urls found in memory or binary data	Networking,

IPs

Domain

Country

Active

Malicious

18.194.54.219

unknown

United States

unknown

Details

IP:	18.194.54.219
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking,
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

;!6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F08D7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

u'6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4F97

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F5699

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4F97

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

There are 50 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

20D1000

unkown

page read and write

30D9000

unkown

page read and write

48F0000

unkown

page readonly

1E0000

unkown

page read and write

1E60000

unkown

page read and write

53AE000

stack

page read and write

51FE000

unkown

page read and write

1FC0000

unkown

page read and write

4610000

unkown

page read and write

212000

unkown image

page execute read

700000

heap private

page read and write

690000

unkown

page read and write

4140000

unkown

page read and write

58EE000

stack

page read and write

433D000

stack

page read and write

6EE000

unkown

page read and write

485C000

unkown

page read and write

6F0000

unkown

page read and write

2AE000

unkown image

page readonly

2AE000

unkown image

page readonly

561F000

unkown

page read and write

210000

unkown image

page readonly

41C0000

unkown

page read and write

690000

unkown

page read and write

1E60000

unkown

page read and write

4EA0000

heap private

page execute and read and write

690000

unkown

page read and write

4CA0000

heap private

page read and write

229A000

unkown

page read and write

6A0000

unkown

page read and write

710000

unkown

page readonly

300000

unkown

page read and write

210000

unkown image

page readonly

2AE000

unkown image

page readonly

20CE000

unkown

page read and write | page guard

1E70000

unkown

page read and write

212000

unkown image

page execute read

212000

unkown image

page execute read

212000

unkown image

page execute read

210000

unkown image

page readonly

20CF000

unkown

page read and write

212000

unkown image

page execute read

41F0000

unkown

page read and write

53B1000

unkown

page read and write

3B0000

unkown

page read and write

414F000

unkown

page read and write

6F0000

unkown

page read and write

212000

unkown image

page execute read

2AE000

unkown image

page readonly

48B0000

heap private

page read and write

40D6000

unkown

page read and write

212000

unkown image

page execute read

210000

unkown image

page readonly

212000

unkown image

page execute read

48D2000

heap private

page read and write

3E7000

heap default

page read and write

1E60000

unkown

page read and write

6F0000

unkown

page read and write

4B8F000

stack

page read and write

1F80000

heap private

page execute and read and write

4EE0000

unkown

page readonly

561E000

unkown

page read and write | page guard

2AE000

unkown image

page readonly

600000

unkown

page read and write

2AE000

unkown image

page readonly

210000

unkown image

page readonly

689000

heap private

page read and write

4C80000

heap private

page read and write

210000

unkown image

page readonly

4CB0000

unkown

page read and write

1F70000

unkown

page read and write

47DF000

stack

page read and write

4CCD000

unkown

page read and write

41D0000

unkown

page read and write

210000

unkown image

page readonly

210000

unkown image

page readonly

210000

unkown image

page readonly

4A1E000

unkown

page read and write

1E70000

unkown

page read and write

210000

unkown image

page readonly

2CA000

unkown

page execute and read and write

48B4000

heap private

page read and write

1F3000

unkown

page execute and read and write

200000

unkown

page read and write

4BDE000

unkown

page read and write

4340000

unkown

page readonly

212000

unkown image

page execute read

4150000

unkown

page read and write

178000

stack

page read and write

210000

unkown image

page readonly

42C000

heap default

page read and write

210000

unkown image

page readonly

2AE000

unkown image

page readonly

890000

unkown

page readonly

2D7000

unkown

page execute and read and write

41E0000

unkown

page read and write

5C0000

heap private

page execute and read and write

310000

heap default

page read and write

550000

unkown

page readonly

2C7000

unkown

page execute and read and write

2AE000

unkown image

page readonly

1E80000

heap private

page read and write

5C2E000

stack

page read and write

4170000

unkown

page read and write

40F0000

unkown

page read and write

20D000

unkown

page execute and read and write

4670000

unkown

page read and write

306000

unkown

page read and write

6F0000

unkown

page read and write

6F0000

unkown

page read and write

413C000

unkown

page read and write

1F4000

unkown

page read and write

40E0000

unkown

page read and write

1F6A000

unkown

page read and write

20000

unkown

page read and write

2AE000

unkown image

page readonly

420000

heap default

page read and write

210000

unkown image

page readonly

489000

unkown

page read and write

3E0000

heap default

page read and write

210000

unkown image

page readonly

48B000

heap default

page read and write

4160000

unkown

page read and write

3D0000

unkown

page read and write

5404000

unkown

page read and write

2AE000

unkown image

page readonly

41BE000

unkown

page read and write

3A0000

unkown

page execute and read and write

2DB000

unkown

page execute and read and write

2AE000

unkown image

page readonly

2AE000

unkown image

page readonly

7EFDF000

unkown

page read and write

1FD000

unkown

page execute and read and write

212000

unkown image

page execute read

30D1000

unkown

page read and write

3D0000

unkown

page read and write

210000

unkown image

page readonly

680000

heap private

page read and write

1DA000

unkown

page read and write

210000

unkown image

page readonly

491000

unkown

page read and write

404000

heap default

page read and write

53B0000

unkown

page read and write

210000

unkown image

page readonly

1F60000

unkown

page read and write

4E0000

unkown

page readonly

212000

unkown image

page execute read

4A8E000

unkown

page read and write

2D2000

unkown

page read and write

212000

unkown image

page execute read

423E000

unkown

page read and write

210000

unkown image

page readonly

3C0000

unkown

page readonly

5A7E000

stack

page read and write

There are 144 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs

Registry

Memdumps