Source: Network Connection | Author: Joe Security: Data: DestinationIp: 5.181.80.177, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2540, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165 |
Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2540, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ProcessId: 2788 |
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2540, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ProcessId: 2788 |
Source: document230134.xlsx | Virustotal: Detection: 53% | Perma Link |
Source: document230134.xlsx | Metadefender: Detection: 17% | Perma Link |
Source: document230134.xlsx | ReversingLabs: Detection: 46% |
Source: document230134.xlsx | Joe Sandbox ML: detected |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 5.181.80.177:80 |
Source: Joe Sandbox View | ASN Name: TELEHOUSE-ASBG TELEHOUSE-ASBG |
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 5.181.80.177:80 |
Source: unknown | TCP traffic detected without corresponding DNS query: 5.181.80.177 |
Source: unknown | TCP traffic detected without corresponding DNS query: 5.181.80.177 |
Source: classification engine | Classification label: mal76.expl.winXLSX@4/1@0/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$document230134.xlsx | Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC061.tmp | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Console Write: .................................3!.............P..............._Bas....P$Ys....@.......|....................................................... |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: document230134.xlsx | Virustotal: Detection: 53% |
Source: document230134.xlsx | Metadefender: Detection: 17% |
Source: document230134.xlsx | ReversingLabs: Detection: 46% |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: document230134.xlsx | Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2648 | Thread sleep time: -240000s >= -30000s |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.