473291804cc6e62a92dd5a63b6af620085143cb1fcfbc4baf42792aae2a36a73

Analysis

max time kernel
144s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.DOC.Kryptik.Q.20559.xls
Size

296KB
MD5

99d2053effd6a4b7aaf0d42ab3a065bf
SHA1

345fb54bfaa4c458d15223d604de854600fcb2d8
SHA256

473291804cc6e62a92dd5a63b6af620085143cb1fcfbc4baf42792aae2a36a73
SHA512

338b62ae3bc03b455bb2e023d9322391bc5da77b93a7897ccc03dad55ecbbf05e19f55acf940122e539dc96e1377269609ed814af12ed3af9f8a9f731ff514e4

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 452	1512	EXCEL.EXE	24
PID 1512 wrote to memory of 452	1512	EXCEL.EXE	24
PID 1512 wrote to memory of 452	1512	EXCEL.EXE	24
PID 1512 wrote to memory of 452	1512	EXCEL.EXE	24
PID 1512 wrote to memory of 452	1512	EXCEL.EXE	24
PID 452 wrote to memory of 1036	452	DW20.EXE	25
PID 452 wrote to memory of 1036	452	DW20.EXE	25
PID 452 wrote to memory of 1036	452	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1512	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1512	EXCEL.EXE
1512	EXCEL.EXE
1512	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1512	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	452	1512	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.20559.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1512
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1168
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:452
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1168
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-2-0x0000000001C80000-0x0000000001C91000-memory.dmp

Filesize
68KB

Download
memory/1036-4-0x0000000002280000-0x0000000002291000-memory.dmp

Filesize
68KB

Download