3a12068f2e8db89de560110edc5c93a29f92fd01cc51a5f4bfb14c12a862e84b

Analysis

max time kernel
129s
max time network
136s
platform
windows7_x64
resource
win7
submitted
29-06-2020 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

263673.xls
Size

89KB
MD5

1580e540ad5fbaca156c0f63129c22fc
SHA1

f968d84ce60f50168cbc63e0cbaa3fbcc00995e0
SHA256

3a12068f2e8db89de560110edc5c93a29f92fd01cc51a5f4bfb14c12a862e84b
SHA512

486f9f19fc4371705e6719bc8ddfe2d4b7b0dc8514a28621f508c344ba90092a0f369ea81f341cb1234134f693e61ee85195d6caa9a6c759cbbb4acbe36cb7d2

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	DW20.EXE
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	DW20.EXE
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	DW20.EXE
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	DW20.EXE
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	DW20.EXE
PID 1840 wrote to memory of 1860	1840	DW20.EXE	dwwin.exe
PID 1840 wrote to memory of 1860	1840	DW20.EXE	dwwin.exe
PID 1840 wrote to memory of 1860	1840	DW20.EXE	dwwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1860 dwwin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE
1668 EXCEL.EXE
1668 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE

pid	process
1860	dwwin.exe

pid	process
1668	EXCEL.EXE

pid	process
1668	EXCEL.EXE
1668	EXCEL.EXE
1668	EXCEL.EXE

pid	process
1668	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1840	1668	DW20.EXE	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\263673.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1152
2⤵
- Suspicious use of WriteProcessMemory
- Process spawned suspicious child process
PID:1840

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1152
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66518.cvr

Download Submit
memory/1840-0-0x0000000000000000-mapping.dmp

Download
memory/1860-1-0x0000000000000000-mapping.dmp

Download
memory/1860-2-0x0000000001E10000-0x0000000001E21000-memory.dmp

Filesize
68KB

Download
memory/1860-4-0x00000000022A0000-0x00000000022B1000-memory.dmp

Filesize
68KB

Download