Windows Analysis Report New_1007572_021.xltx

Overview

General Information

Sample Name: New_1007572_021.xltx
Analysis ID: 458850
MD5: 427e80f30505c596c822c141283a5a70
SHA1: d910f9e9ecf2cb8c68f8fca4121bac4bad757a37
SHA256: d1acfa41b1e1fbc076b41547954e6615132256983b0315c50f8dbb97a0399fbd
Tags: xlsx xltx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tynex.exe ReversingLabs: Detection: 28%
Source: C:\Users\Public\tynex.exe ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New_1007572_021.xltx ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Joe Sandbox ML: detected
Source: C:\Users\Public\tynex.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.36294d0.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.39186d0.6.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 5.2.tynex.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.276b818.2.unpack Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\tynex.exe
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: FB_C479.tmp.exe, cscript.exe
Source: Binary string: cscript.pdbN source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 4x nop then pop esi 7_2_0135727D
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 4x nop then pop edi 7_2_01357D7B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop esi 9_2_0008727D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 4x nop then pop edi 9_2_00087D7B

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.domoexpra.club/cg53/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /Di4/New_1007572_021.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: inter-trading-service.com
Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30DB366F.jpg
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: inter-trading-service.com
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2176511182.00000000039F0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp3
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpT
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2177419686.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2177529570.0000000004263000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1k

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\Public\tynex.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\tynex.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135A100 NtAllocateVirtualMemory, 7_2_0135A100
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135A050 NtClose, 7_2_0135A050
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01359F20 NtCreateFile, 7_2_01359F20
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01359FD0 NtReadFile, 7_2_01359FD0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135A04C NtClose, 7_2_0135A04C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135A0FA NtAllocateVirtualMemory, 7_2_0135A0FA
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01359F1A NtCreateFile, 7_2_01359F1A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01359FCA NtReadFile, 7_2_01359FCA
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009900C4 NtCreateFile,LdrInitializeThunk, 7_2_009900C4
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00990048 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_00990048
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00990078 NtResumeThread,LdrInitializeThunk, 7_2_00990078
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098F9F0 NtClose,LdrInitializeThunk, 7_2_0098F9F0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098F900 NtReadFile,LdrInitializeThunk, 7_2_0098F900
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_0098FAD0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FAE8 NtQueryInformationProcess,LdrInitializeThunk, 7_2_0098FAE8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FBB8 NtQueryInformationToken,LdrInitializeThunk, 7_2_0098FBB8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FB68 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_0098FB68
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_0098FC90
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FC60 NtMapViewOfSection,LdrInitializeThunk, 7_2_0098FC60
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FD8C NtDelayExecution,LdrInitializeThunk, 7_2_0098FD8C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FDC0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_0098FDC0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FEA0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_0098FEA0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_0098FED0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FFB4 NtCreateSection,LdrInitializeThunk, 7_2_0098FFB4
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009910D0 NtOpenProcessToken, 7_2_009910D0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00990060 NtQuerySection, 7_2_00990060
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009901D4 NtSetValueKey, 7_2_009901D4
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099010C NtOpenDirectoryObject, 7_2_0099010C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00991148 NtOpenThread, 7_2_00991148
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009907AC NtCreateMutant, 7_2_009907AC
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098F8CC NtWaitForSingleObject, 7_2_0098F8CC
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098F938 NtWriteFile, 7_2_0098F938
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00991930 NtSetContextThread, 7_2_00991930
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FAB8 NtQueryValueKey, 7_2_0098FAB8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FA20 NtQueryInformationFile, 7_2_0098FA20
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FA50 NtEnumerateValueKey, 7_2_0098FA50
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FBE8 NtQueryVirtualMemory, 7_2_0098FBE8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FB50 NtCreateKey, 7_2_0098FB50
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FC30 NtOpenProcess, 7_2_0098FC30
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FC48 NtSetInformationFile, 7_2_0098FC48
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00990C40 NtGetContextThread, 7_2_00990C40
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00991D80 NtSuspendThread, 7_2_00991D80
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FD5C NtEnumerateKey, 7_2_0098FD5C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FE24 NtWriteVirtualMemory, 7_2_0098FE24
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FFFC NtCreateProcessEx, 7_2_0098FFFC
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0098FF34 NtQueueApcThread, 7_2_0098FF34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E00C4 NtCreateFile,LdrInitializeThunk, 9_2_025E00C4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E07AC NtCreateMutant,LdrInitializeThunk, 9_2_025E07AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_025DFAD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFAE8 NtQueryInformationProcess,LdrInitializeThunk, 9_2_025DFAE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFAB8 NtQueryValueKey,LdrInitializeThunk, 9_2_025DFAB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFB50 NtCreateKey,LdrInitializeThunk, 9_2_025DFB50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFB68 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_025DFB68
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFBB8 NtQueryInformationToken,LdrInitializeThunk, 9_2_025DFBB8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DF900 NtReadFile,LdrInitializeThunk, 9_2_025DF900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DF9F0 NtClose,LdrInitializeThunk, 9_2_025DF9F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_025DFED0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFFB4 NtCreateSection,LdrInitializeThunk, 9_2_025DFFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFC60 NtMapViewOfSection,LdrInitializeThunk, 9_2_025DFC60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFDC0 NtQuerySystemInformation,LdrInitializeThunk, 9_2_025DFDC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFD8C NtDelayExecution,LdrInitializeThunk, 9_2_025DFD8C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E0048 NtProtectVirtualMemory, 9_2_025E0048
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E0078 NtResumeThread, 9_2_025E0078
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E0060 NtQuerySection, 9_2_025E0060
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E10D0 NtOpenProcessToken, 9_2_025E10D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E1148 NtOpenThread, 9_2_025E1148
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E010C NtOpenDirectoryObject, 9_2_025E010C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E01D4 NtSetValueKey, 9_2_025E01D4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFA50 NtEnumerateValueKey, 9_2_025DFA50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFA20 NtQueryInformationFile, 9_2_025DFA20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFBE8 NtQueryVirtualMemory, 9_2_025DFBE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DF8CC NtWaitForSingleObject, 9_2_025DF8CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DF938 NtWriteFile, 9_2_025DF938
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E1930 NtSetContextThread, 9_2_025E1930
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFE24 NtWriteVirtualMemory, 9_2_025DFE24
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFEA0 NtReadVirtualMemory, 9_2_025DFEA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFF34 NtQueueApcThread, 9_2_025DFF34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFFFC NtCreateProcessEx, 9_2_025DFFFC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFC48 NtSetInformationFile, 9_2_025DFC48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E0C40 NtGetContextThread, 9_2_025E0C40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFC30 NtOpenProcess, 9_2_025DFC30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFC90 NtUnmapViewOfSection, 9_2_025DFC90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025DFD5C NtEnumerateKey, 9_2_025DFD5C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025E1D80 NtSuspendThread, 9_2_025E1D80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008A050 NtClose, 9_2_0008A050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008A100 NtAllocateVirtualMemory, 9_2_0008A100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00089F20 NtCreateFile, 9_2_00089F20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00089FD0 NtReadFile, 9_2_00089FD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008A04C NtClose, 9_2_0008A04C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008A0FA NtAllocateVirtualMemory, 9_2_0008A0FA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00089F1A NtCreateFile, 9_2_00089F1A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00089FCA NtReadFile, 9_2_00089FCA
Detected potential crypto function
Source: C:\Users\Public\tynex.exe Code function: 4_2_00293288 4_2_00293288
Source: C:\Users\Public\tynex.exe Code function: 4_2_00293286 4_2_00293286
Source: C:\Users\Public\tynex.exe Code function: 4_2_00B565F8 4_2_00B565F8
Source: C:\Users\Public\tynex.exe Code function: 4_2_00B56608 4_2_00B56608
Source: C:\Users\Public\tynex.exe Code function: 4_2_046E6AB0 4_2_046E6AB0
Source: C:\Users\Public\tynex.exe Code function: 4_2_046E53C2 4_2_046E53C2
Source: C:\Users\Public\tynex.exe Code function: 4_2_046E538B 4_2_046E538B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D166 7_2_0135D166
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01341030 7_2_01341030
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135E376 7_2_0135E376
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01342D90 7_2_01342D90
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D773 7_2_0135D773
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01342FB0 7_2_01342FB0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135BFA6 7_2_0135BFA6
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01349E30 7_2_01349E30
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135E6D5 7_2_0135E6D5
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099E0C6 7_2_0099E0C6
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009CD005 7_2_009CD005
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009B905A 7_2_009B905A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A3040 7_2_009A3040
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099E2E9 7_2_0099E2E9
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A41238 7_2_00A41238
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009C63DB 7_2_009C63DB
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099F3CF 7_2_0099F3CF
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A2305 7_2_009A2305
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A7353 7_2_009A7353
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009EA37B 7_2_009EA37B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009B1489 7_2_009B1489
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009D5485 7_2_009D5485
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009BC5F0 7_2_009BC5F0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A351F 7_2_009A351F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A4680 7_2_009A4680
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009AE6C1 7_2_009AE6C1
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A42622 7_2_00A42622
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009AC7BC 7_2_009AC7BC
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A2579A 7_2_00A2579A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009D57C3 7_2_009D57C3
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A3F8EE 7_2_00A3F8EE
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009AC85C 7_2_009AC85C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009C286D 7_2_009C286D
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A29B2 7_2_009A29B2
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A4098E 7_2_00A4098E
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009B69FE 7_2_009B69FE
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A25955 7_2_00A25955
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A53A83 7_2_00A53A83
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A4CBA4 7_2_00A4CBA4
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099FBD7 7_2_0099FBD7
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A2DBDA 7_2_00A2DBDA
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009C7B00 7_2_009C7B00
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00A3FDDD 7_2_00A3FDDD
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009D0D3B 7_2_009D0D3B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009ACD5B 7_2_009ACD5B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009D2E2F 7_2_009D2E2F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009BEE4C 7_2_009BEE4C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009B0F3F 7_2_009B0F3F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009CDF7C 7_2_009CDF7C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02691238 9_2_02691238
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EE2E9 9_2_025EE2E9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F7353 9_2_025F7353
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0263A37B 9_2_0263A37B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F2305 9_2_025F2305
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EF3CF 9_2_025EF3CF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_026163DB 9_2_026163DB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_026963BF 9_2_026963BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F3040 9_2_025F3040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0260905A 9_2_0260905A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0261D005 9_2_0261D005
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EE0C6 9_2_025EE0C6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02692622 9_2_02692622
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0263A634 9_2_0263A634
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025FE6C1 9_2_025FE6C1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F4680 9_2_025F4680
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_026257C3 9_2_026257C3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025FC7BC 9_2_025FC7BC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0267579A 9_2_0267579A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0262D47D 9_2_0262D47D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02625485 9_2_02625485
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02601489 9_2_02601489
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02636540 9_2_02636540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F351F 9_2_025F351F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0260C5F0 9_2_0260C5F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_026A3A83 9_2_026A3A83
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02617B00 9_2_02617B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EFBD7 9_2_025EFBD7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0267DBDA 9_2_0267DBDA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0269CBA4 9_2_0269CBA4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025FC85C 9_2_025FC85C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0261286D 9_2_0261286D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0268F8EE 9_2_0268F8EE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02675955 9_2_02675955
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_026069FE 9_2_026069FE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0269098E 9_2_0269098E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F29B2 9_2_025F29B2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0260EE4C 9_2_0260EE4C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02622E2F 9_2_02622E2F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0261DF7C 9_2_0261DF7C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02600F3F 9_2_02600F3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025FCD5B 9_2_025FCD5B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_02620D3B 9_2_02620D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0268FDDD 9_2_0268FDDD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D166 9_2_0008D166
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008E376 9_2_0008E376
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008E6D5 9_2_0008E6D5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D773 9_2_0008D773
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00072D90 9_2_00072D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00079E30 9_2_00079E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008BFA6 9_2_0008BFA6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00072FB0 9_2_00072FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: String function: 0099DF5C appears 107 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: String function: 00A0F970 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: String function: 0099E2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: String function: 009E373B appears 238 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: String function: 009E3F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 025EE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 025EDF5C appears 118 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0263373B appears 238 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 02633F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0265F970 appears 81 times
PE file contains strange resources
Source: FB_BFF5.tmp.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: FB_BFF5.tmp.exe.5.dr Static PE information: No import functions for PE file found
Source: FB_C479.tmp.exe.5.dr Static PE information: No import functions for PE file found
Yara signature match
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: New_1007572_021[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tynex.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tynex.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FB_C479.tmp.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FB_C479.tmp.exe.5.dr Static PE information: Section .text
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLTX@13/9@2/1
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Code function: 5_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess, 5_2_00401000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$New_1007572_021.xltx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE214.tmp
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\Public\tynex.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\tynex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: New_1007572_021.xltx ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\tynex.exe C:\Users\Public\tynex.exe
Source: C:\Users\Public\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\tynex.exe C:\Users\user\AppData\Local\Temp\tynex.exe
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\tynex.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: FB_C479.tmp.exe, cscript.exe
Source: Binary string: cscript.pdbN source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: New_1007572_021[1].exe.2.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: tynex.exe.2.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: tynex.exe.4.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.tynex.exe.11a0000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.tynex.exe.11a0000.1.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.tynex.exe.380000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.tynex.exe.380000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: New_1007572_021[1].exe.2.dr Static PE information: 0xDF29736D [Sun Aug 22 17:54:53 2088 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\tynex.exe Code function: 4_2_002919F0 push 0000006Ch; ret 4_2_00291A05
Source: C:\Users\Public\tynex.exe Code function: 4_2_00B50A5D push eax; retf 001Bh 4_2_00B50A5E
Source: C:\Users\Public\tynex.exe Code function: 4_2_00B53EF8 pushfd ; iretd 4_2_00B53EF9
Source: C:\Users\Public\tynex.exe Code function: 4_2_08193117 push edi; iretd 4_2_08193125
Source: C:\Users\Public\tynex.exe Code function: 4_2_08193D79 pushfd ; iretd 4_2_08193D7A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D12C push eax; ret 7_2_0135D132
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D166 push dword ptr [CCC28DB9h]; ret 7_2_0135D772
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01357140 push edi; retf 7_2_01357160
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01357814 push eax; retf 7_2_0135781A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D075 push eax; ret 7_2_0135D0C8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135784D push eax; retf 7_2_0135781A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D0C2 push eax; ret 7_2_0135D0C8
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D0CB push eax; ret 7_2_0135D132
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0134EDBC push edx; retf 7_2_0134EDBF
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135C443 push eax; iretd 7_2_0135C44B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135E4EE push ds; iretd 7_2_0135E4EF
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D773 push dword ptr [CCC28DB9h]; ret 7_2_0135D772
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099DFA1 push ecx; ret 7_2_0099DFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EDFA1 push ecx; ret 9_2_025EDFB4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D075 push eax; ret 9_2_0008D0C8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D0CB push eax; ret 9_2_0008D132
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D0C2 push eax; ret 9_2_0008D0C8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D12C push eax; ret 9_2_0008D132
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00087140 push edi; retf 9_2_00087160
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D166 push dword ptr [CCC28DB9h]; ret 9_2_0008D772
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008C443 push eax; iretd 9_2_0008C44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008E4EE push ds; iretd 9_2_0008E4EF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D773 push dword ptr [CCC28DB9h]; ret 9_2_0008D772
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00087814 push eax; retf 9_2_0008781A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008784D push eax; retf 9_2_0008781A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0007EDBC push edx; retf 9_2_0007EDBF
Source: initial sample Static PE information: section name: .text entropy: 7.98710710749
Source: initial sample Static PE information: section name: .text entropy: 7.40373413401

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\tynex.exe File created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe
Source: C:\Users\user\AppData\Local\Temp\tynex.exe File created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe
Source: C:\Users\Public\tynex.exe File created: C:\Users\user\AppData\Local\Temp\tynex.exe
Drops PE files to the user directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\tynex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe RDTSC instruction interceptor: First address: 00000000013498E4 second address: 00000000013498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe RDTSC instruction interceptor: First address: 0000000001349B4E second address: 0000000001349B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000000798E4 second address: 00000000000798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000079B4E second address: 0000000000079B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01349A80 rdtsc 7_2_01349A80
Contains long sleeps (>= 3 min)
Source: C:\Users\Public\tynex.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2816 Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\tynex.exe TID: 3004 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\tynex.exe TID: 824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 2252 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Users\Public\tynex.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000000.2169316587.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000000.2177529570.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: tynex.exe, 00000005.00000003.2165543256.0000000000541000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000008.00000000.2177431267.00000000041AD000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: C:\Users\Public\tynex.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01349A80 rdtsc 7_2_01349A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0134ACC0 LdrLoadDll, 7_2_0134ACC0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_00980080 mov ecx, dword ptr fs:[00000030h] 7_2_00980080
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009800EA mov eax, dword ptr fs:[00000030h] 7_2_009800EA
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_009A26F8 mov eax, dword ptr fs:[00000030h] 7_2_009A26F8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025F26F8 mov eax, dword ptr fs:[00000030h] 9_2_025F26F8
Enables debug privileges
Source: C:\Users\Public\tynex.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Source: C:\Users\Public\tynex.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\Public\tynex.exe Memory allocated: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: D00000
Writes to foreign memory regions
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 401000
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 402000
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 403000
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 404000
Source: C:\Users\Public\tynex.exe Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 7EFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\tynex.exe C:\Users\Public\tynex.exe
Source: C:\Users\Public\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\tynex.exe C:\Users\user\AppData\Local\Temp\tynex.exe
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.2169316587.00000000001F5000.00000004.00000020.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\tynex.exe Queries volume information: C:\Users\Public\tynex.exe VolumeInformation
Source: C:\Users\Public\tynex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED