Analysis Report TRA-St-0015-O01.xlsx

Overview

General Information

Sample Name:	TRA-St-0015-O01.xlsx
Analysis ID:	345208
MD5:	63c2af36e2ec6b0c464889473ba19048
SHA1:	d1d834ca00c0538a448e64e10231a5c78c09838d
SHA256:	129cd5a1fca6d3febd900de6cbecb9e30e22a19d7b2aeda41ee3c1eac54981ba
Tags:	VelvetSweatshopxlsx
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected FormBook

Drops PE files to the user root directory

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Drops PE files

Drops PE files to the user directory

Drops certificate files (DER)

Enables debug privileges

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: TRA-St-0015-O01.xlsx	Virustotal: Detection: 31%			Perma Link
Source: TRA-St-0015-O01.xlsx	ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: spicesherbs.in

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BADF7393.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: spicesherbs.in

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2169176262.0000000002371000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: BADF7393.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Drops certificate files (DER)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe			Jump to dropped file

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BF3F76	7_2_00BF3F76
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BF9369	7_2_00BF9369
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFDB4B	7_2_00BFDB4B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFD8C7	7_2_00BFD8C7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFDB41	7_2_00BFDB41

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: TRA-St-0015-O01.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: XaHKwnPuj.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@16/14@2/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$TRA-St-0015-O01.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\XbELoWjomkFJpgsBcjJbdEN

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF0C4.tmp

Jump to behavior

Source: C:\Windows\System32\schtasks.exe

Console Write: ................................................................................@...............p...............................................

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f89061884b75dab0e3967d7221e5290d\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TRA-St-0015-O01.xlsx	Virustotal: Detection: 31%
Source: TRA-St-0015-O01.xlsx	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: TRA-St-0015-O01.xlsx

Initial sample: OLE indicators vbamacros = False

Source: TRA-St-0015-O01.xlsx

Initial sample: OLE indicators encrypted = True

Source: initial sample

Static PE information: section name: .text entropy: 7.78051129047

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: TRA-St-0015-O01.xlsx

Stream path 'EncryptedPackage' entropy: 7.99976973003 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2720, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00BF471C sldt word ptr [edx]

7_2_00BF471C

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2560	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 824	Thread sleep time: -54277s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2916	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2170020694.000000001A782000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.148.128	unknown	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
spicesherbs.in	162.241.148.128	true

AV Detection:

Multi AV Scanner detection for submitted file

Source: TRA-St-0015-O01.xlsx	Virustotal: Detection: 31%			Perma Link
Source: TRA-St-0015-O01.xlsx	ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: spicesherbs.in

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BADF7393.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: spicesherbs.in

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2169176262.0000000002371000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: BADF7393.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Drops certificate files (DER)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe			Jump to dropped file

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BF3F76	7_2_00BF3F76
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BF9369	7_2_00BF9369
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFDB4B	7_2_00BFDB4B
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFD8C7	7_2_00BFD8C7
Source: C:\Users\Public\vbc.exe	Code function: 7_2_00BFDB41	7_2_00BFDB41

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: TRA-St-0015-O01.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Yara signature match

Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: XaHKwnPuj.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@16/14@2/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$TRA-St-0015-O01.xlsx

Jump to behavior

Source: C:\Users\Public\vbc.exe

Mutant created: \Sessions\1\BaseNamedObjects\XbELoWjomkFJpgsBcjJbdEN

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF0C4.tmp

Jump to behavior

Source: C:\Windows\System32\schtasks.exe

Console Write: ................................................................................@...............p...............................................

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f89061884b75dab0e3967d7221e5290d\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TRA-St-0015-O01.xlsx	Virustotal: Detection: 31%
Source: TRA-St-0015-O01.xlsx	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: TRA-St-0015-O01.xlsx

Initial sample: OLE indicators vbamacros = False

Source: TRA-St-0015-O01.xlsx

Initial sample: OLE indicators encrypted = True

Source: initial sample

Static PE information: section name: .text entropy: 7.78051129047

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: TRA-St-0015-O01.xlsx

Stream path 'EncryptedPackage' entropy: 7.99976973003 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2720, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\Public\vbc.exe

Code function: 7_2_00BF471C sldt word ptr [edx]

7_2_00BF471C

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\vbc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2560	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 824	Thread sleep time: -54277s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2916	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2170020694.000000001A782000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match

File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY

ID:	345208
Product:	CloudBasic
Start time:	20:33:47
Start date:	27.01.2021
Sample:	TRA-St-0015-O01.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	63c2af36e2ec6b0c464889473ba19048
SHA1:	d1d834ca00c0538a448e64e10231a5c78c09838d
SHA256:	129cd5a1fca6d3febd900de6cbecb9e30e22a19d7b2aeda41ee3c1eac54981ba
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	DA24412AA96F1A51D7A1C7F0E63901F0	13B1483CE43D630CCA5F460AB270DA7F764512D9	613A697AB25376DAA6A23A4F82928456CF95820090B32CB17BAA6C98179DEC8E
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	DDA8BE33A50FC45ACBADDE1E16982CF8	BD92A8AEDC28D46640624F4410CDCE3872D4277A	B4E9CBCAA6B854ADD8D0A0038237F380E2419948DD0C4BF8C4E5F9376AEF6F17
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C7B2B0FA4A71FE33536148C2584DA7DB	D449E0DC0D24447634C61987CF0907FB72CF93A4	DB8923F36B12AC2D21DE6B241E3AC228170456F7DB87DC38552E89F9A4E8903A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\284D8619.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BADF7393.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	02BE9DEC93BBAE0645D69572E9563911	DDBA1220AA092E00FFAB90155D796D735E93E627	A9955A402E6FC0BBE4CA2D34DA0BADA39DC9239F3F9FE6F4A71BA6A9EC230B40
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEC07078.jpeg	gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3	AA7A56E6A97FFA9390DA10A2EC0C5805	200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A	56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
C:\Users\user\AppData\Local\Temp\CabA5C2.tmp	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\Local\Temp\TarA5C3.tmp	data	64FEDADE4387A8B92C120B21EC61E394	15A2673209A41CCA2BC3ADE90537FE676010A962	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
C:\Users\user\AppData\Local\Temp\tmp2222.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	2F157857CAC56F3C7E44E7262FD6EAAD	022DCAA46EEEFD345D9BD8DF1870FD0C916E828B	92991267A638A487B7117A3EBC7F732AD8C253A77149680D45E1289C5144AAD0
C:\Users\user\AppData\Roaming\XaHKwnPuj.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C7B2B0FA4A71FE33536148C2584DA7DB	D449E0DC0D24447634C61987CF0907FB72CF93A4	DB8923F36B12AC2D21DE6B241E3AC228170456F7DB87DC38552E89F9A4E8903A
C:\Users\user\Desktop\~$TRA-St-0015-O01.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	C7B2B0FA4A71FE33536148C2584DA7DB	D449E0DC0D24447634C61987CF0907FB72CF93A4	DB8923F36B12AC2D21DE6B241E3AC228170456F7DB87DC38552E89F9A4E8903A

Analysis Report TRA-St-0015-O01.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains