0e7dcaa2a0b1d03753b49f7fd799a82c9c0ee20b6d1b02496151f53e234ddd91

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7
submitted
09/07/2020, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
Size

911KB
MD5

5d3da35b75a8ebd4ea01e5dfea3cc964
SHA1

a96ad70d56e1fb611b6ecc29029b813b9d3948ff
SHA256

0e7dcaa2a0b1d03753b49f7fd799a82c9c0ee20b6d1b02496151f53e234ddd91
SHA512

6d887b61524f8ceec84268623b9187b98c1ce6ec96ab3650bab587253b3e71e77480e3e39e75e7beb106c847c8ae98e0257613e220d62dfbde0ff9ee62e55c3c

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	24
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	24
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	24
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	24
PID 2040 wrote to memory of 1296	2040	EXCEL.EXE	24
PID 1296 wrote to memory of 1412	1296	DW20.EXE	25
PID 1296 wrote to memory of 1412	1296	DW20.EXE	25
PID 1296 wrote to memory of 1412	1296	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2040	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2040	EXCEL.EXE
2040	EXCEL.EXE
2040	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1296	2040	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.34139809.20191.20380.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:2040
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:1296
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1156
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-2-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1412-4-0x0000000002270000-0x0000000002281000-memory.dmp

Filesize
68KB

Download