Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904 (renamed file extension from 1904 to rtf)
Analysis ID:	634396
MD5:	79b069c9ad93309ee526ce5fa70e535e
SHA1:	c04be61d6e0971cb8543d7dc0930f613252adc72
SHA256:	604f8b6cb27fc3e83849c6afa3bc2736ef58dc7f00ec4d9eaf3834321d251572
Tags:	rtf
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Drops PE files to the user root directory

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

PE file contains executable resources (Code or Archives)

Abnormal high CPU Usage

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000004.00000002.1262023853.0000000003780000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://pet-vr.net/.tmb/cache/bin_oWBLdyptAp56.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

ReversingLabs: Detection: 22%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4264E978-4468-4FBA-B78A-8460C16E076C}.tmp

Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 69.49.231.213 Port: 443

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Users\Public\Pc07.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 69.49.231.213:443 -> 192.168.2.22:49171 version: TLS 1.2

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.4.dr

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A0658 LoadLibraryW,URLDownloadToFileW,	2_2_036A0658
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A06DF URLDownloadToFileW,	2_2_036A06DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A072A WinExec,ExitProcess,	2_2_036A072A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05E6 LoadLibraryW,URLDownloadToFileW,	2_2_036A05E6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A0672 URLDownloadToFileW,	2_2_036A0672
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A074A ExitProcess,	2_2_036A074A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05CA LoadLibraryW,URLDownloadToFileW,	2_2_036A05CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05B1 ExitProcess,	2_2_036A05B1

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: gingthysyllenesliopa.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 69.49.231.213:443

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 69.49.231.213:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://pet-vr.net/.tmb/cache/bin_oWBLdyptAp56.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /a1/mitra.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gingthysyllenesliopa.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pc07.exe, 00000004.00000000.910633975.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, Pc07.exe.2.dr, mitra[1].exe.2.dr, uninstalla.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://www.vmware.com/0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.vmware.com/0/
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exeW
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exeicX
Source: EQNEDT32.EXE, 00000002.00000002.977936561.00000000036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exej
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exejjC:
Source: System.Runtime.CompilerServices.VisualC.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C0C1D6A3-6F2A-443A-9B77-F4A1B9FF854F}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: gingthysyllenesliopa.com

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036A0658 LoadLibraryW,URLDownloadToFileW,

2_2_036A0658

Source: global traffic

Source: unknown

HTTPS traffic detected: 69.49.231.213:443 -> 192.168.2.22:49171 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_004056DE

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Pc07.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mitra[1].exe			Jump to dropped file

Yara signature match

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040755C	4_2_0040755C
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406D85	4_2_00406D85
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_73E61BFF	4_2_73E61BFF

PE file contains executable resources (Code or Archives)

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Users\Public\Pc07.exe

Process Stats: CPU usage > 98%

PE file does not import any functions

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: No import functions for PE file found

PE file contains strange resources

Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstalla.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

ReversingLabs: Detection: 22%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe	Jump to behavior

Source: C:\Users\Public\Pc07.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Pc07.exe

4_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5C52.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@4/21@1/1

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_0040498A

Source: C:\Users\Public\Pc07.exe

File written: C:\Users\user\AppData\Local\Temp\Exolve.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Users\Public\Pc07.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

Static file information: File size 1880657 > 1048576

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1262023853.0000000003780000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E630C0 push eax; ret

4_2_73E630EE

PE file contains sections with non-standard names

Source: vm3dc003.dll.4.dr	Static PE information: section name: .didat
Source: vm3dc003.dll.4.dr	Static PE information: section name: .gehcont
Source: vm3dc003.dll.4.dr	Static PE information: section name: _RDATA

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73E61BFF

PE file contains an invalid checksum

Source: mitra[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xee744
Source: Pc07.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xee744
Source: System.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: uninstalla.exe.4.dr	Static PE information: real checksum: 0x3f1bf6 should be: 0x4a8b4

Binary contains a suspicious time stamp

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]

Drops PE files

Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\nsj949D.tmp\System.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Pc07.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mitra[1].exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Pc07.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Pc07.exe

Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\Pc07.exe

RDTSC instruction interceptor: First address: 00000000037CE10D second address: 00000000037CE10D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F88FCBD6655h 0x00000006 test ax, cx 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b test dl, dl 0x0000000d rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 616

Thread sleep time: -420000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Pc07.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Pc07.exe	API call chain: ExitProcess graph end node

Source: vm3dc003.dll.4.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.B
Source: vm3dc003.dll.4.dr	Binary or memory string: {4d36e968-e325-11ce-bfc1-08002be10318}SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}CoInstallers32SOFTWARE\Microsoft\Windows\CurrentVersion\RunVMware VM3DService ProcessRegDeleteValue failed (0x%lx).
Source: vm3dc003.dll.4.dr	Binary or memory string: noreply@vmware.com0
Source: vm3dc003.dll.4.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.
Source: vm3dc003.dll.4.dr	Binary or memory string: dbghelp.dllSoftware\VMware, Inc.\VMware SVGADebugSearchPathBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3dc003.dll.4.dr	Binary or memory string: %s: VMToolsRegistry Not set.
Source: vm3dc003.dll.4.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Coinstaller:
Source: Pc07.exe, 00000004.00000002.1261959939.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vm3dc003.dll.4.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3dc003.dll.4.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.1
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.0
Source: vm3dc003.dll.4.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3dc003.dll.4.dr	Binary or memory string: CompanyNameVMware, Inc.^

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73E61BFF

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036A0751 mov edx, dword ptr fs:[00000030h]

2_2_036A0751

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\Pc07.exe

4_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.49.231.213	gingthysyllenesliopa.com	United States		46606	UNIFIEDLAYER-AS-1US	true

Contacted Domains

Name	IP	Active
gingthysyllenesliopa.com	69.49.231.213	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://gingthysyllenesliopa.com/a1/mitra.exe	true	Avira URL Cloud: safe	unknown
http://pet-vr.net/.tmb/cache/bin_oWBLdyptAp56.bin	true	Avira URL Cloud: safe	unknown

AV Detection

Found malware configuration

Source: 00000004.00000002.1262023853.0000000003780000.00000040.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://pet-vr.net/.tmb/cache/bin_oWBLdyptAp56.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

ReversingLabs: Detection: 22%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4264E978-4468-4FBA-B78A-8460C16E076C}.tmp

Avira: detection malicious, Label: EXP/CVE-2018-0798.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 69.49.231.213 Port: 443

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Users\Public\Pc07.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 69.49.231.213:443 -> 192.168.2.22:49171 version: TLS 1.2

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.4.dr

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A0658 LoadLibraryW,URLDownloadToFileW,	2_2_036A0658
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A06DF URLDownloadToFileW,	2_2_036A06DF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A072A WinExec,ExitProcess,	2_2_036A072A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05E6 LoadLibraryW,URLDownloadToFileW,	2_2_036A05E6
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A0672 URLDownloadToFileW,	2_2_036A0672
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A074A ExitProcess,	2_2_036A074A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05CA LoadLibraryW,URLDownloadToFileW,	2_2_036A05CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036A05B1 ExitProcess,	2_2_036A05B1

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: gingthysyllenesliopa.com

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 69.49.231.213:443

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 69.49.231.213:443

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://pet-vr.net/.tmb/cache/bin_oWBLdyptAp56.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pc07.exe, 00000004.00000000.910633975.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, Pc07.exe.2.dr, mitra[1].exe.2.dr, uninstalla.exe.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: vm3dc003.dll.4.dr	String found in binary or memory: http://www.vmware.com/0
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: http://www.vmware.com/0/
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Pc07.exe, 00000004.00000002.1261905882.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vm3dc003.dll.4.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exeW
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exeicX
Source: EQNEDT32.EXE, 00000002.00000002.977936561.00000000036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exej
Source: EQNEDT32.EXE, 00000002.00000002.977700839.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gingthysyllenesliopa.com/a1/mitra.exejjC:
Source: System.Runtime.CompilerServices.VisualC.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: EQNEDT32.EXE, 00000002.00000002.977826088.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.977865282.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976993125.0000000000622000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.976907119.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: vm3dc003.dll.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C0C1D6A3-6F2A-443A-9B77-F4A1B9FF854F}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: gingthysyllenesliopa.com

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036A0658 LoadLibraryW,URLDownloadToFileW,

2_2_036A0658

Source: global traffic

Source: unknown

HTTPS traffic detected: 69.49.231.213:443 -> 192.168.2.22:49171 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\Public\Pc07.exe

4_2_004056DE

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Pc07.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mitra[1].exe			Jump to dropped file

Yara signature match

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Contains functionality to shutdown / reboot the system

Source: C:\Users\Public\Pc07.exe

4_2_0040352D

Detected potential crypto function

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040755C	4_2_0040755C
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406D85	4_2_00406D85
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_73E61BFF	4_2_73E61BFF

PE file contains executable resources (Code or Archives)

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Users\Public\Pc07.exe

Process Stats: CPU usage > 98%

PE file does not import any functions

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: No import functions for PE file found

PE file contains strange resources

Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mitra[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pc07.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uninstalla.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

ReversingLabs: Detection: 22%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe	Jump to behavior

Source: C:\Users\Public\Pc07.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Pc07.exe

4_2_0040352D

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5C52.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winRTF@4/21@1/1

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_0040498A

Source: C:\Users\Public\Pc07.exe

File written: C:\Users\user\AppData\Local\Temp\Exolve.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Users\Public\Pc07.exe

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hardheartedly12

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf

Static file information: File size 1880657 > 1048576

Source:	Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.4.dr
Source:	Binary string: d:\build\ob\bora-18379147\bora-vmsoft\build\release-x64\svga\wddm\src\coinstaller\Win8Release\x64\bin\vm3dc003.pdb source: vm3dc003.dll.4.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1262023853.0000000003780000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E630C0 push eax; ret

4_2_73E630EE

PE file contains sections with non-standard names

Source: vm3dc003.dll.4.dr	Static PE information: section name: .didat
Source: vm3dc003.dll.4.dr	Static PE information: section name: .gehcont
Source: vm3dc003.dll.4.dr	Static PE information: section name: _RDATA

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73E61BFF

PE file contains an invalid checksum

Source: mitra[1].exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xee744
Source: Pc07.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xee744
Source: System.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x3d68
Source: uninstalla.exe.4.dr	Static PE information: real checksum: 0x3f1bf6 should be: 0x4a8b4

Binary contains a suspicious time stamp

Source: System.Runtime.CompilerServices.VisualC.dll.4.dr

Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]

Drops PE files

Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\nsj949D.tmp\System.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\Pc07.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mitra[1].exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Pc07.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\Pc07.exe

Jump to dropped file

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Pc07.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\Pc07.exe

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 616

Thread sleep time: -420000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vm3dc003.dll	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uninstalla.exe	Jump to dropped file
Source: C:\Users\Public\Pc07.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	Jump to dropped file

Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405C49
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_00406873 FindFirstFileW,FindClose,	4_2_00406873
Source: C:\Users\Public\Pc07.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Pc07.exe	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Pc07.exe	API call chain: ExitProcess graph end node

Source: vm3dc003.dll.4.dr	Binary or memory string: LegalCopyrightCopyright (C) 1998-2021 VMware, Inc.B
Source: vm3dc003.dll.4.dr	Binary or memory string: {4d36e968-e325-11ce-bfc1-08002be10318}SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}CoInstallers32SOFTWARE\Microsoft\Windows\CurrentVersion\RunVMware VM3DService ProcessRegDeleteValue failed (0x%lx).
Source: vm3dc003.dll.4.dr	Binary or memory string: noreply@vmware.com0
Source: vm3dc003.dll.4.dr	Binary or memory string: http://www.vmware.com/0
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.
Source: vm3dc003.dll.4.dr	Binary or memory string: dbghelp.dllSoftware\VMware, Inc.\VMware SVGADebugSearchPathBacktrace[%2d] rip=%p %s+%#x %s:%d
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.1!0
Source: vm3dc003.dll.4.dr	Binary or memory string: %s: VMToolsRegistry Not set.
Source: vm3dc003.dll.4.dr	Binary or memory string: FileDescriptionVMware SVGA 3D Coinstaller:
Source: Pc07.exe, 00000004.00000002.1261959939.00000000005F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vm3dc003.dll.4.dr	Binary or memory string: http://www.vmware.com/0/
Source: vm3dc003.dll.4.dr	Binary or memory string: Software\VMware, Inc.\VMware SVGA
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.1
Source: vm3dc003.dll.4.dr	Binary or memory string: VMware, Inc.0
Source: vm3dc003.dll.4.dr	Binary or memory string: ProductNameVMware SVGA 3D`
Source: vm3dc003.dll.4.dr	Binary or memory string: CompanyNameVMware, Inc.^

Contains functionality to dynamically determine API calls

Source: C:\Users\Public\Pc07.exe

Code function: 4_2_73E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73E61BFF

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036A0751 mov edx, dword ptr fs:[00000030h]

2_2_036A0751

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\Pc07.exe C:\Users\Public\Pc07.exe

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\Pc07.exe

4_2_0040352D

ID:	634396
Product:	CloudBasic
Start time:	02:34:16
Start date:	26.05.2022
Sample:	SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	79b069c9ad93309ee526ce5fa70e535e
SHA1:	c04be61d6e0971cb8543d7dc0930f613252adc72
SHA256:	604f8b6cb27fc3e83849c6afa3bc2736ef58dc7f00ec4d9eaf3834321d251572
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mitra[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	6697A6BAC38736D1E2B18267F681F53D	B377EB9B75CA605336E1A33AB3486646E93A481C	742AFCB2267AF8E568183F1EAC9E311CED03B5C78F11112F78799C2F62CC038A
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4264E978-4468-4FBA-B78A-8460C16E076C}.tmp	Composite Document File V2 Document, Cannot read section info	98E9660D72501714FFC283F6C35985A1	B7A44CC42B6B053DE4B4B53BDCAC13EC7652D548	A5000EAD134F2A032BDEF997722255C26DE17852F8050BE789B3759E1E2B5066
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5132D078-0A03-463E-B367-94FBD8B5A13D}.tmp	data	FEC512A3E966D8F77B1E3FEFB2F7C071	53C1D5C0952202B1126E42D53FEC7A044C8CF3BA	ACB0727ACCE00141D369E9C4DB29460B43AF88D171513E5584BACB3D6253D844
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{76DE1609-7B2E-4BC2-9325-71BD4F5443DB}.tmp	data	107DDB6829B5C9163FDD4B655EBA736E	12ED3DCFC37688F30F9C743348EA56AD35310535	734411DC396D98DF43DF0E3293EA69A730B6CC2B2A7D781F5C8A8ADD7A2B5B08
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C0C1D6A3-6F2A-443A-9B77-F4A1B9FF854F}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Temp\Exolve.ini	ASCII text, with CRLF line terminators	272BC34712948F6A7132DD80E17DE84E	461967EA55D874C28BF0999FB66CACE785D9BCA9	019D3E92BF00DC7409E188A19F11AB33C31BFBAFE5B2E036632CC69B71207FE9
C:\Users\user\AppData\Local\Temp\Green_Leaves_21.bmp	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3	2F12A714A50993C090C94EC2672490E1	4F9A319C412F1B1B251C027B1C2448BBDBB9CA6F	E759639DCCA8E96864BC82EDBACFD5BB14FE37412A6F3FCE7C82BF1BB944B6E4
C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows	E3F74999CDB00FCAAA6A40A97B8F199B	F3A2C8DF8E98F7DCB49CBE5C4A717A6087A656D2	6929BC473DF404FCED714F345479216B66B72ACF116061DF1CDD8ACAEE961333
C:\Users\user\AppData\Local\Temp\drive-harddisk-system-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	39182B562FCB2BAD93D58516462708A8	F9A88E1F1313BD05CDB1E962DE8170CCCFDA9151	DEF4215BBA93FAED6FCF7E4687EF89AB828DB10E69171A5E14908F091302C59F
C:\Users\user\AppData\Local\Temp\fahrenheit.Roa	data	955CEB631B184F331699680E6F228214	CDB9B77D116BBE77AFB468A87B40CC14D56592A0	7B465FE1BF398A3AF1D281F4ACE398F1649685C5FD8EB5BBDF16C95E254F62BD
C:\Users\user\AppData\Local\Temp\mail-unread-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	433D25AD6818DB00083CD062A16D3479	D4210D893E965912EA7BD45C80D359FECAB54A98	3D06E8FA89BA4FA9D9BCC260F38C72D1A104FE3E6F8923A3EE553563832027CB
C:\Users\user\AppData\Local\Temp\nsj949D.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\scanner.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0CBA7EB7455B0DB79456C5911F12B75E	DAACA4FE36E4F61016D473A0A1CD4C980906872B	50F4DB972320FF30D4FD98B61F58D956678F38FD1D11CA5109E5559D02A986BE
C:\Users\user\AppData\Local\Temp\uninstalla.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	1DCEAF980C4D83AE2A13BD0F047E1BD7	7D97E79EFB047361A8C2A8AC0A26B37127C3C7AC	0C340FB13ACAAAE759215AF9C970DC6C167418534C421EB626643E20FD0AC832
C:\Users\user\AppData\Local\Temp\vm3dc003.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	059BE7432DFAD92F4EA0A2E5941C52A7	1C1B989D6B9D0FA0808FCA8893ADDC8CD76602D9	8E184A514D8716B59B24892CB425752E6D7837735C1E9F1996D66E70BFEC033B
C:\Users\user\AppData\Local\Temp\vtshim.c	C source, ASCII text	1B00C31FF20D27F07B299063908311E0	1976E6DD68DD0D64508C91A6DFAB8E75F8AAF6CD	EC872BB1DDC330D3F19F68D033B0706E1B78D4A91A58998674B67EAD58BEA729
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 26 08:35:01 2022, mtime=Thu May 26 08:35:01 2022, atime=Thu May 26 08:35:12 2022, length=1880657, window=hide	F7545D05FF458AAA11A018A5AB599E5B	E3D1F69665EEE2799C798DC47740E9D25BF4A347	AE316FB653554A5DC6CD5756CFFAFE91A02D328552ACABB9174758EFFFF69664
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	CF54C8DA250A4EAA98F85E3719B41CF2	E3A2CE5BF70AAB7A5FD6C184DDE3FB3A5966E047	486AA9169F034089D7EA0AF3832320BD9EFD41BD711A993AF5D597672B7CC4DD
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
C:\Users\user\Desktop\~$curiteInfo.com.Exploit.Rtf.Obfuscated.64.25308.rtf	data	C5E24006AFAC8C2659023AD09A07EB0F	4B7B834BEDADFD0A2764743E021D40C55A51F284	7C9E6D71E3F53D37A78CCE23FA21D259365A9571C6C3A01E8D216586177BA87E
C:\Users\Public\Pc07.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	6697A6BAC38736D1E2B18267F681F53D	B377EB9B75CA605336E1A33AB3486646E93A481C	742AFCB2267AF8E568183F1EAC9E311CED03B5C78F11112F78799C2F62CC038A

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Exploit.Rtf.Obfuscated.64.25308.1904