83aaf79ba8cb78ba77a7ad2b96e276e1d7bc731d734987c8acdfa6db40eea318

Analysis

max time kernel
114s
max time network
120s
platform
windows7_x64
resource
win7
submitted
10-07-2020 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoicel_25336.xls
Size

166KB
MD5

122e863c8d959fdb586a6a4ca09e6cb1
SHA1

ab5d42a9f39bfedf3e9f27972757dfe943b1893d
SHA256

83aaf79ba8cb78ba77a7ad2b96e276e1d7bc731d734987c8acdfa6db40eea318
SHA512

9e6915a0bb565f306904574d7177fa611372eb0ef04add6e4557ee64a6e8fc6539371abc803b28e8c7b8fa08bb7c1f47f24592c9495a1d556dc89065f17a0846

Score

6^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1156 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1156 EXCEL.EXE
1156 EXCEL.EXE
1156 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1156 EXCEL.EXE

pid	process
1156	EXCEL.EXE

pid	process
1156	EXCEL.EXE
1156	EXCEL.EXE
1156	EXCEL.EXE

pid	process
1156	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1480	1156	DW20.EXE	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 1156 wrote to memory of 1480	1156	EXCEL.EXE	DW20.EXE
PID 1156 wrote to memory of 1480	1156	EXCEL.EXE	DW20.EXE
PID 1156 wrote to memory of 1480	1156	EXCEL.EXE	DW20.EXE
PID 1156 wrote to memory of 1480	1156	EXCEL.EXE	DW20.EXE
PID 1156 wrote to memory of 1480	1156	EXCEL.EXE	DW20.EXE
PID 1480 wrote to memory of 1716	1480	DW20.EXE	dwwin.exe
PID 1480 wrote to memory of 1716	1480	DW20.EXE	dwwin.exe
PID 1480 wrote to memory of 1716	1480	DW20.EXE	dwwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1716 dwwin.exe

pid	process
1716	dwwin.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoicel_25336.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1156
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68110.cvr

Download Submit
memory/1480-0-0x0000000000000000-mapping.dmp

Download
memory/1716-1-0x0000000000000000-mapping.dmp

Download
memory/1716-2-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download
memory/1716-4-0x0000000002320000-0x0000000002331000-memory.dmp

Filesize
68KB

Download