87091a9f7e6707e1ae49c2e0b8e0f93a7ede8762ff8ffb995c6669528ae6b5da

Analysis

max time kernel
136s
max time network
31s
platform
windows7_x64
resource
win7v200430
submitted
08/07/2020, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.XLM.Trojan.Abracadabra.1.Gen.7969.24194.xls
Size

675KB
MD5

a232a0a1cae699df3de319912a1d1a43
SHA1

964db62119ffd8bf045c4084e58fac9f99e93ded
SHA256

87091a9f7e6707e1ae49c2e0b8e0f93a7ede8762ff8ffb995c6669528ae6b5da
SHA512

fe508a8e7e290ce19793f8a475aa3f3fa3ce1deb079e90930f5bddac2d5aa28716af24844035b0a3af69f7e31b2ae513b4aa58e91fff9facfd9d13265c405c60

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1644	1032	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1644	1032	EXCEL.EXE	24
PID 1032 wrote to memory of 1644	1032	EXCEL.EXE	24
PID 1032 wrote to memory of 1644	1032	EXCEL.EXE	24
PID 1032 wrote to memory of 1644	1032	EXCEL.EXE	24
PID 1032 wrote to memory of 1644	1032	EXCEL.EXE	24
PID 1644 wrote to memory of 1348	1644	DW20.EXE	25
PID 1644 wrote to memory of 1348	1644	DW20.EXE	25
PID 1644 wrote to memory of 1348	1644	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1032	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1032	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.XLM.Trojan.Abracadabra.1.Gen.7969.24194.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1032
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1160
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1160
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-2-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download
memory/1348-4-0x00000000023B0000-0x00000000023C1000-memory.dmp

Filesize
68KB

Download