Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Exhibitions Order Detailed list.xlsx

CDFV2 Encrypted

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

downloaded

C:\Users\Public\vbc.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32A28A08.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52F13E97.png

PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5868B96E.png

PNG image data, 779 x 181, 8-bit colormap, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DB07460.png

PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\623BCD02.png

PNG image data, 687 x 111, 8-bit colormap, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB428E1.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71EF57AC.png

PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\855D19C5.png

PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8EA69F63.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A50033D4.png

PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5E1FBBD.png

PNG image data, 687 x 111, 8-bit colormap, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BD98695F.png

PNG image data, 779 x 181, 8-bit colormap, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC2566A.emf

Windows Enhanced Metafile (EMF) image data version 0x10000

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C0C16556.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D0083269.png

PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5EA351B.jpeg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3

dropped

C:\Users\user\Desktop\~$Exhibitions Order Detailed list.xlsx

data

dropped

There are 10 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	1980
Target ID:	4
Parent PID:	584
Name:	EQNEDT32.EXE
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Size:	543304
MD5:	A87236E214F6D42A65F5DEDAC816AEC8
Time:	14:50:00
Date:	02/08/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	581632
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Sigma detected: Execution from Suspicious Folder	System Summary
Office Equation Editor has been started	Exploits
Spawns processes	System Summary	Process Injection

C:\Users\Public\vbc.exe

'C:\Users\Public\vbc.exe'

Details

Is windows:	false
Is dropped:	true
PID:	2364
Target ID:	6
Parent PID:	1980
Name:	vbc.exe
Path:	C:\Users\Public\vbc.exe
Commandline:	'C:\Users\Public\vbc.exe'
Size:	114688
MD5:	27BF14807BC9D5CD2D823293F43C3A3A
Time:	14:50:01
Date:	02/08/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	118784
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Drops PE files to the user root directory	Boot Survival	Masquerading
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Execution from Suspicious Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Drops PE files to the user directory	Persistence and Installation Behavior	Masquerading
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Spawns processes	System Summary	Process Injection

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	2696
Target ID:	0
Parent PID:	584
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Size:	27641504
MD5:	5FB0A0F93382ECD19F5F499A5CAA59F0
Time:	14:49:39
Date:	02/08/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13fff0000
Modulesize:	27758592
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://198.12.91.134/win/vbc.exe

198.12.91.134

Details

Name:	http://198.12.91.134/win/vbc.exe
IP:	198.12.91.134
TargetID:	4
From Memory:	false
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Multi AV Scanner detection for domain / URL	AV Detection
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
IP address seen in connection with other malware	Networking
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

http://101.99.94.119/WEALTH_PRUu

Details

Name:	http://101.99.94.119/WEALTH_PRUu
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	config extactor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check

unknown

Details

Name:	http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
TargetID:	6
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.icra.org/vocabulary/.

unknown

Details

Name:	http://www.icra.org/vocabulary/.
TargetID:	6
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://windowsmedia.com/redir/services.asp?WMPFriendly=true

unknown

Details

Name:	http://windowsmedia.com/redir/services.asp?WMPFriendly=true
TargetID:	6
From Memory:	true
Current Path:	C:\Users\Public\vbc.exe
Source:	vbc.exe, 00000006.00000002.2352286513.0000000003807000.00000002.00000001.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.day.com/dam/1.0

unknown

Details

Name:	http://www.day.com/dam/1.0
TargetID:	0
From Memory:	true
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	BEC2566A.emf.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

198.12.91.134

unknown

United States

Details

IP:	198.12.91.134
TargetID:	4
Current Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Country:	United States
Countrycode:	USA
ASN number:	36352
ASN name:	AS-COLOCROSSINGUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: EQNEDT32.EXE connecting to internet	Exploits
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Registry

Path

Value

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

9%9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

MTTT

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ReviewToken

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ED8B3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

FontCachePath

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

VBAFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

j.9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F22BD

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F2AF7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Max Display

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 1

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 2

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 3

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 4

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 5

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 6

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 7

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 8

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 9

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 10

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 11

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 12

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 13

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 14

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 15

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 16

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 17

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 18

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 19

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 20

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Item 21

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

LastPurgeTime

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

1033

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

EXCELFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

ProductFiles

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Name

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

F22BD

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

EquationEditorFilesIntl_1033

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

SavedLegacySettings

There are 33 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

3B0000

unkown

page execute and read and write

2B0000

unkown

page readonly

D0000

unkown

page read and write

35E0000

unkown

page readonly

24C0000

unkown

page readonly

400000

unkown image

page readonly

3294000

unkown

page readonly

3379000

unkown

page readonly

850000

heap private

page read and write

3620000

unkown

page readonly

3274000

unkown

page readonly

32F2000

unkown

page readonly

417000

unkown image

page readonly

3D4000

heap private

page read and write

66E000

unkown

page read and write

720000

unkown

page readonly

446000

heap default

page read and write

3352000

unkown

page readonly

3252000

unkown

page readonly

32E6000

unkown

page readonly

44B000

heap default

page read and write

3335000

unkown

page readonly

3092000

unkown

page readonly

3322000

unkown

page readonly

3292000

unkown

page readonly

230000

unkown

page read and write

25D000

unkown

page read and write

2F0000

heap private

page read and write

3365000

unkown

page readonly

2C0000

unkown

page read and write

337D000

unkown

page readonly

28F0000

unkown

page read and write

28E0000

heap private

page read and write

89000

unkown

page read and write

2772000

heap private

page read and write

2754000

heap private

page read and write

1B0000

unkown

page readonly

33C2000

unkown

page readonly

7EFDF000

unkown

page read and write

3254000

unkown

page readonly

800000

unkown

page readonly

3376000

unkown

page readonly

4F8000

heap private

page read and write

3346000

unkown

page readonly

3098000

unkown

page readonly

3272000

unkown

page readonly

400000

heap default

page read and write

407000

heap default

page read and write

587000

heap default

page read and write

2CF0000

unkown

page readonly

43D000

heap default

page read and write

2750000

heap private

page read and write

3415000

unkown

page readonly

3807000

unkown

page readonly

415000

unkown image

page read and write

25EA000

heap private

page read and write

106000

unkown

page read and write

3582000

unkown

page readonly

25E0000

heap private

page read and write

220000

unkown

page execute read

33E5000

unkown

page readonly

2FE000

unkown

page read and write

33F2000

unkown

page readonly

3305000

unkown

page readonly

33C9000

unkown

page readonly

401000

unkown image

page execute read

33B5000

unkown

page readonly

33F9000

unkown

page readonly

32D5000

unkown

page readonly

680000

unkown

page readonly

2D0000

unkown

page write copy

580000

heap default

page read and write

21F0000

unkown

page readonly

1DF0000

unkown

page read and write

3D0000

heap private

page read and write

35C0000

unkown

page readonly

B7F000

unkown

page read and write

4F0000

heap private

page read and write

60000

unkown

page readonly

3192000

unkown

page readonly

18C000

unkown

page read and write

3600000

unkown

page readonly

3399000

unkown

page readonly

390000

unkown

page readonly

4FB000

heap private

page read and write

9F0000

unkown

page readonly

32C2000

unkown

page readonly

2608000

heap private

page read and write

400000

unkown image

page readonly

400000

unkown image

page readonly

20000

unkown

page read and write

3392000

unkown

page readonly

3316000

unkown

page readonly

420000

unkown

page read and write

38F000

unkown

page read and write

401000

unkown image

page execute read

417000

unkown image

page readonly

2D10000

unkown

page readonly

4F4000

heap private

page read and write

2E0000

unkown

page readonly

310000

heap default

page read and write

5A4000

heap default

page read and write

There are 92 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

IPs

Registry

Memdumps