Analysis
max time kernel: 114s
max time network: 120s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 10:52
Static task: static1

Behavioral task: behavioral1
Sample: invoicel_25336.xls
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: invoicel_25336.xls
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: invoicel_25336.xls
Size: 166KB
MD5: 122e863c8d959fdb586a6a4ca09e6cb1
SHA1: ab5d42a9f39bfedf3e9f27972757dfe943b1893d
SHA256: 83aaf79ba8cb78ba77a7ad2b96e276e1d7bc731d734987c8acdfa6db40eea318
SHA512: 9e6915a0bb565f306904574d7177fa611372eb0ef04add6e4557ee64a6e8fc6539371abc803b28e8c7b8fa08bb7c1f47f24592c9495a1d556dc89065f17a0846

Score: 6/10
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
  pid   process
  1156  EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: EXCEL.EXE
  pid   process
  1156  EXCEL.EXE
  1156  EXCEL.EXE
  1156  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: EXCEL.EXE
  pid   process
  1156  EXCEL.EXE

Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
  description: Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  pid: 1480
  pid_target: 1156
  process: DW20.EXE
  target process: EXCEL.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, DW20.EXE
  description                       pid   process    target process
  PID 1156 wrote to memory of 1480  1156  EXCEL.EXE  DW20.EXE
  PID 1156 wrote to memory of 1480  1156  EXCEL.EXE  DW20.EXE
  PID 1156 wrote to memory of 1480  1156  EXCEL.EXE  DW20.EXE
  PID 1156 wrote to memory of 1480  1156  EXCEL.EXE  DW20.EXE
  PID 1156 wrote to memory of 1480  1156  EXCEL.EXE  DW20.EXE
  PID 1480 wrote to memory of 1716  1480  DW20.EXE   dwwin.exe
  PID 1480 wrote to memory of 1716  1480  DW20.EXE   dwwin.exe
  PID 1480 wrote to memory of 1716  1480  DW20.EXE   dwwin.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: dwwin.exe
  pid   process
  1716  dwwin.exe
Processes

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoicel_25336.xls
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1156

    C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    PID: 1480

        C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 1156
        - Suspicious behavior: GetForegroundWindowSpam
        PID: 1716