Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2344
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	07:02:10
Date:	16/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Sigma detected: File Dropped By EQNEDT32EXE	System Summary,
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Office Equation Editor has been started	Exploits,
Spawns processes	System Summary,	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	1276
Target ID:	4
Parent PID:	2344
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	269312
MD5:	2559B5B8D60DD663DF52D0570F5973A9
Time:	07:02:14
Date:	16/02/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	80252928
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation,	Software Packing
Detected unpacking (overwrites its own PE header)	Compliance, Data Obfuscation,	Software Packing
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary,
Yara detected Lokibot	Stealing of Sensitive Information,
Yara detected Lokibot	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the user root directory	Boot Survival,	Masquerading
Office equation editor drops PE file	System Summary,
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits,	Exploitation for Client Execution
Sigma detected: Executables Started in Suspicious Folder	System Summary,
Sigma detected: Execution in Non-Executable Folder	System Summary,
Sigma detected: Suspicious Program Location Process Starts	System Summary,
Yara detected aPLib compressed binary	Data Obfuscation,
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion,	Process Injection
Drops PE files	Persistence and Installation Behavior,
Drops PE files to the user directory	Persistence and Installation Behavior,	Masquerading
Yara detected Credential Stealer	Stealing of Sensitive Information,
Spawns processes	System Summary,	Process Injection
Urls found in memory or binary data	Networking,

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	944
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	07:01:50
Date:	16/02/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f0d0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.trade/alien/fre.php

http://stdyrusschinetwomast.dns.army/receiprt/regasm.exe

103.141.138.123

http://alphastand.top/alien/fre.php

http://becharnise.ir/fa13/fre.php

185.208.180.121

http://www.%s.comPA

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://www.day.com/dam/1.0

unknown

http://www.ibsensoftware.com/

unknown

Domains

Name

Malicious

becharnise.ir

185.208.180.121

Details

Name:	becharnise.ir
IP:	185.208.180.121
TargetID:	4
Current Path:	C:\Users\Public\vbc.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection,
Multi AV Scanner detection for domain / URL	AV Detection,
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,
C2 URLs / IPs found in malware configuration	Networking,	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Posts data to webserver	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,

stdyrusschinetwomast.dns.army

103.141.138.123

Details

Name:	stdyrusschinetwomast.dns.army
IP:	103.141.138.123
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,
Uses a known web browser user agent for HTTP communication	Networking,	Application Layer Protocol
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

cutt.ly

172.67.8.238

Details

Name:	cutt.ly
IP:	172.67.8.238
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs DNS queries)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking,

IPs

Domain

Country

Active

Malicious

103.141.138.123

unknown

Viet Nam

unknown

Details

IP:	103.141.138.123
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	Viet Nam
Countrycode:	VNM
ASN number:	135905
ASN name:	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	System Summary,

185.208.180.121

unknown

Iran (ISLAMIC Republic Of)

unknown

Details

IP:	185.208.180.121
TargetID:	4
Current Path:	C:\Users\Public\vbc.exe
Country:	Iran (ISLAMIC Republic Of)
Countrycode:	IRN
ASN number:	48147
ASN name:	AMINIDCIR
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking,

172.67.8.238

unknown

United States

unknown

Details

IP:	172.67.8.238
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities,	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities,	Exploitation for Client Execution
Uses secure TLS version for HTTPS connections	Compliance, Networking,

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

818

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F0464

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

178

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4B43

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F5F30

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4B43

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Blob

There are 56 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

400000

unkown image

page execute and read and write

220000

unkown

page execute and read and write

240000

unkown

page read and write

5230000

heap default

page read and write

7200000

unkown

page readonly

6C70000

unkown

page readonly

7119000

unkown

page read and write

69F0000

heap private

page read and write

76EF000

unkown

page read and write

5226000

heap private

page read and write

7000000

unkown

page read and write

5254000

heap default

page read and write

439000

unkown image

page write copy

6A70000

heap private

page read and write

5268000

unkown

page read and write

350000

heap default

page read and write

400000

unkown image

page readonly

68DD000

unkown

page read and write

49F000

unkown image

page execute and read and write

528F000

unkown

page read and write

5081000

unkown image

page readonly

7970000

heap private

page read and write

68C0000

unkown

page read and write

257000

unkown

page read and write

7100000

unkown

page read and write

5210000

unkown

page readonly

270000

unkown

page read and write

18A000

unkown

page read and write

5220000

heap private

page read and write

20000

unkown

page read and write

401000

unkown image

page execute read

6BAF000

unkown

page read and write

5282000

unkown

page read and write

400000

unkown image

page readonly

30F000

unkown

page read and write

7EFDF000

unkown

page read and write

6AB0000

unkown

page read and write

2BF000

unkown

page read and write

260000

unkown

page readonly

7AAF000

unkown

page read and write

6A6E000

unkown

page read and write

6AB0000

unkown

page read and write

5237000

heap default

page read and write

1B0000

unkown

page readonly

6C00000

heap private

page read and write

5259000

unkown

page execute and read and write

430000

unkown image

page readonly

6C60000

heap private

page read and write

5090000

unkown

page readonly

8C000

unkown

page read and write

5284000

unkown

page read and write

49B000

unkown image

page execute and read and write

2C0000

heap private

page read and write

250000

unkown

page read and write

7890000

heap private

page read and write

7113000

unkown

page read and write

54C0000

unkown

page readonly

5081000

unkown image

page readonly

There are 48 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps