0e7dcaa2a0b1d03753b49f7fd799a82c9c0ee20b6d1b02496151f53e234ddd91

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7
submitted
09-07-2020 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
Size

911KB
MD5

5d3da35b75a8ebd4ea01e5dfea3cc964
SHA1

a96ad70d56e1fb611b6ecc29029b813b9d3948ff
SHA256

0e7dcaa2a0b1d03753b49f7fd799a82c9c0ee20b6d1b02496151f53e234ddd91
SHA512

6d887b61524f8ceec84268623b9187b98c1ce6ec96ab3650bab587253b3e71e77480e3e39e75e7beb106c847c8ae98e0257613e220d62dfbde0ff9ee62e55c3c

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	DW20.EXE
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	DW20.EXE
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	DW20.EXE
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	DW20.EXE
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	DW20.EXE
PID 1296 wrote to memory of 1412	1296	DW20.EXE	dwwin.exe
PID 1296 wrote to memory of 1412	1296	DW20.EXE	dwwin.exe
PID 1296 wrote to memory of 1412	1296	DW20.EXE	dwwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1412 dwwin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2040 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2040 EXCEL.EXE
2040 EXCEL.EXE
2040 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

2040 EXCEL.EXE

pid	process
1412	dwwin.exe

pid	process
2040	EXCEL.EXE

pid	process
2040	EXCEL.EXE
2040	EXCEL.EXE
2040	EXCEL.EXE

pid	process
2040	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1296	2040	DW20.EXE	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
2⤵
- Suspicious use of WriteProcessMemory
- Process spawned suspicious child process
PID:1296

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1156
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65770.cvr

Download Submit
memory/1296-0-0x0000000000000000-mapping.dmp

Download
memory/1412-1-0x0000000000000000-mapping.dmp

Download
memory/1412-2-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1412-4-0x0000000002270000-0x0000000002281000-memory.dmp

Filesize
68KB

Download