Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2724
Target ID:	2
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	12:29:11
Date:	16/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Sigma detected: Execution from Suspicious Folder	System Summary
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2856
Target ID:	4
Parent PID:	2724
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	761856
MD5:	7146B0D2CAED6422C289A08F63A5C685
Time:	12:29:15
Date:	16/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	786432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Lokibot	Stealing of Sensitive Information
Drops PE files to the user root directory	Boot Survival	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Execution from Suspicious Folder	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Users\Public\vbc.exe

Details

Is windows:	false
Is dropped:	true
PID:	3052
Target ID:	5
Parent PID:	2856
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	C:\Users\Public\vbc.exe
Size:	761856
MD5:	7146B0D2CAED6422C289A08F63A5C685
Time:	12:29:18
Date:	16/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xd00000
Modulesize:	786432
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected Lokibot	Stealing of Sensitive Information
Drops PE files to the user root directory	Boot Survival	Masquerading
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Execution from Suspicious Folder	System Summary
Yara detected aPLib compressed binary	Data Obfuscation
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2520
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	12:28:49
Date:	16/06/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f210000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://103.89.90.94/pzldoc/regasm.exe

103.89.90.94

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.top/alien/fre.php

http://63.141.228.141/32.php/S4wFP8QBww9Tp

63.141.228.141

http://alphastand.win/alien/fre.php

http://alphastand.trade/alien/fre.php

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.

unknown

http://www.day.com/dam/1.0

unknown

http://www.ibsensoftware.com/

unknown

http://www.%s.comPA

unknown

https://github.com/georgw777/MediaManager

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

unknown

https://github.com/georgw777/

unknown

https://github.com/georgw777/MediaManager;https://github.com/georgw777/

unknown

There are 5 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

103.89.90.94

unknown

Viet Nam

Details

IP:	103.89.90.94
TargetID:	2
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	Viet Nam
Countrycode:	VNM
ASN number:	135905
ASN name:	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

63.141.228.141

unknown

United States

Details

IP:	63.141.228.141
TargetID:	5
Current Path:	C:\Users\Public\vbc.exe
Country:	United States
Countrycode:	USA
ASN number:	33387
ASN name:	NOCIXUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

r~8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EFEE8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FontCachePath

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DefaultSheetR2L

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

UseSystemSeparators

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ThousandsSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DecimalSeparator

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

|k8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4E30

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F6191

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_3082

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1036

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

SpellingAndGrammarFiles_1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F4E30

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

There are 51 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3369000

unkown

page read and write

400000

unkown

page execute and read and write

2381000

unkown

page read and write

AB000

unkown

page read and write

170000

heap private

page read and write

50E000

unkown

page read and write

580000

unkown

page read and write

6F0000

unkown

page read and write

9D0000

unkown

page readonly

450000

unkown

page read and write

300000

heap private

page read and write

320000

unkown

page read and write

80000

unkown

page readonly

1B0000

heap private

page read and write

187000

unkown

page execute and read and write

340000

unkown

page read and write

16A000

unkown

page read and write

610000

unkown

page read and write

4F70000

heap private

page read and write

580000

unkown

page read and write

3E5B000

unkown

page read and write

7EFDF000

unkown

page read and write

8B7000

heap default

page read and write

320000

unkown

page read and write

810000

heap private

page execute and read and write

4A40000

unkown

page read and write

570000

unkown

page read and write

8B0000

heap default

page read and write

300000

unkown

page read and write

2800000

unkown

page read and write

590000

unkown

page read and write

49B000

unkown

page execute and read and write

23A8000

unkown

page read and write

48C0000

unkown

page read and write

197000

unkown

page execute and read and write

140000

unkown

page read and write

2DF000

unkown

page read and write

47E0000

unkown

page readonly

2A8000

unkown

page read and write

870000

unkown

page readonly

40E000

unkown

page read and write

20000

unkown

page read and write

450000

unkown

page read and write

570000

unkown

page read and write

300000

unkown

page read and write

319000

heap private

page read and write

D02000

unkown image

page execute read

51C000

heap default

page read and write

494000

heap default

page read and write

C6D000

unkown

page read and write

4B0000

unkown

page read and write

D00000

unkown image

page readonly

20000

unkown

page read and write

340000

unkown

page read and write

2F0000

unkown

page read and write

2E0000

unkown

page execute and read and write

2361000

unkown

page read and write

30EE000

unkown

page read and write

4F3D000

unkown

page read and write

6E0000

unkown

page read and write

170000

unkown

page read and write

6F0000

unkown

page readonly

610000

unkown

page read and write

2630000

heap private

page read and write

7EFDF000

unkown

page read and write

49B2000

heap private

page read and write

670000

heap default

page read and write

610000

unkown

page execute and read and write

BDF000

unkown

page read and write

570000

unkown

page read and write

AFAE000

unkown

page read and write

4994000

heap private

page read and write

124000

unkown

page read and write

556E000

unkown

page read and write

21C0000

unkown

page readonly

310000

heap private

page read and write

3361000

unkown

page read and write

460000

unkown

page read and write

6D0000

unkown

page read and write

19B000

unkown

page execute and read and write

620000

unkown

page read and write

4BB0000

unkown

page readonly

178000

heap private

page read and write

680000

unkown

page read and write

18A000

unkown

page execute and read and write

620000

unkown

page read and write

176000

unkown

page read and write

305000

unkown

page read and write

5230000

unkown

page read and write

23AA000

unkown

page read and write

8D4000

heap default

page read and write

630000

heap private

page read and write

536000

unkown

page read and write

630000

heap private

page execute and read and write

61F000

unkown

page read and write

D00000

unkown image

page readonly

770000

unkown

page read and write

620000

unkown

page read and write

750000

unkown

page read and write

330000

unkown

page read and write

470000

heap default

page read and write

590000

unkown

page read and write

2D0000

unkown

page read and write

690000

unkown

page read and write

570000

unkown

page read and write

620000

unkown

page read and write

7BE000

unkown

page read and write

C70000

unkown

page readonly

2320000

heap private

page read and write

2813000

unkown

page read and write

3642000

unkown

page read and write

30D000

unkown

page read and write

760000

unkown

page read and write

6A0000

unkown

page read and write

147000

unkown

page read and write

D02000

unkown image

page execute read

2FB0000

heap private

page read and write

D00000

unkown image

page readonly

610000

unkown

page read and write

8F7000

heap default

page read and write

22CE000

unkown

page read and write | page guard

AE1E000

unkown

page read and write | page guard

53A000

unkown

page read and write

DBC000

unkown image

page readonly

636000

heap private

page read and write

410000

heap private

page execute and read and write

6A0000

unkown

page read and write

760000

unkown

page read and write

30F0000

unkown

page read and write

5131000

unkown

page read and write

4B0000

unkown

page read and write

4BC000

heap default

page read and write

620000

unkown

page read and write

300000

unkown

page read and write

50B000

heap default

page read and write

6A0000

unkown

page read and write

DBC000

unkown image

page readonly

740000

unkown

page read and write

740000

unkown

page read and write

620000

unkown

page read and write

4FEE000

unkown

page read and write

320000

unkown

page read and write

4360000

unkown

page readonly

6B0000

unkown

page read and write

5193000

unkown

page read and write

17D000

unkown

page execute and read and write

22CF000

unkown

page read and write

2E1F000

unkown

page read and write

512E000

unkown

page read and write

150000

unkown

page readonly

26BF000

unkown

page read and write

5130000

unkown

page read and write

D00000

unkown image

page readonly

578000

unkown

page read and write

2900000

unkown

page readonly

AE1F000

unkown

page read and write

6A0000

unkown

page read and write

160000

unkown

page read and write

12D000

unkown

page execute and read and write

477000

heap default

page read and write

2E9000

unkown

page read and write

498E000

unkown

page read and write

6D0000

unkown

page read and write

6C0000

heap private

page read and write

464000

unkown

page read and write

49D0000

unkown

page read and write

620000

unkown

page read and write

D02000

unkown image

page execute read

123000

unkown

page execute and read and write

850000

unkown

page readonly

620000

unkown

page read and write

2700000

unkown

page read and write

6AA000

unkown

page read and write

DBC000

unkown image

page readonly

340000

unkown

page read and write

B1BE000

unkown

page read and write

110000

unkown

page read and write

7FC000

unkown

page read and write

570000

unkown

page read and write

192000

unkown

page read and write

CFF000

unkown

page read and write

D00000

unkown image

page readonly

610000

unkown

page read and write

67E000

unkown

page read and write

460000

unkown

page read and write

47DF000

unkown

page read and write

3577000

unkown

page read and write

25BD000

unkown

page read and write

670000

unkown

page read and write

750000

unkown

page read and write

52D000

unkown

page read and write

D02000

unkown image

page execute read

570000

unkown

page read and write

468E000

unkown

page read and write

2F0000

unkown

page read and write

6AF000

unkown

page read and write

4B0000

heap default

page read and write

D00000

unkown image

page readonly

73C000

unkown

page read and write

524D000

unkown

page read and write

350000

heap default

page read and write

DBC000

unkown image

page readonly

32F000

unkown

page read and write

5A0000

unkown

page read and write

2819000

unkown

page read and write

59F000

unkown

page read and write

4990000

heap private

page read and write

C0000

unkown

page readonly

4A0000

unkown

page execute and read and write

60E000

unkown

page read and write

4BAF000

unkown

page read and write

6B0000

unkown

page read and write

A812000

unkown

page read and write

There are 203 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs

Registry

Memdumps