Analysis
max time kernel: 144s
max time network: 37s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 20:00
Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
Resource: win7v200430

Behavioral task: behavioral2
Sample: SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
Resource: win10
General
Target: SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
Size: 309KB
MD5: 303c9e48d826ba7aecf04663d9c317cb
SHA1: 3394d30bb16ba4c31f1340b65cf8df4147119d27
SHA256: 27ef9f658173804df9512e93698abdd1eb924a493cfe4945c7011fc936f5af12
SHA512: 77cde6d6c7399e14e650bcf4a82448fef842e3c1d61a9b724728deb86acaeab9fa534a4df4f67bd427e6f385775655ff6d5220953dbbba517cd9ba57d9e9140f
Malware Config
Signatures

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: EXCEL.EXE
pid | process
676 | EXCEL.EXE
676 | EXCEL.EXE
676 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: EXCEL.EXE
pid | process
676 | EXCEL.EXE

Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1044 | 676 | DW20.EXE | EXCEL.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, DW20.EXE
description | pid | process | target process
PID 676 wrote to memory of 1044 | 676 | EXCEL.EXE | DW20.EXE
PID 676 wrote to memory of 1044 | 676 | EXCEL.EXE | DW20.EXE
PID 676 wrote to memory of 1044 | 676 | EXCEL.EXE | DW20.EXE
PID 676 wrote to memory of 1044 | 676 | EXCEL.EXE | DW20.EXE
PID 676 wrote to memory of 1044 | 676 | EXCEL.EXE | DW20.EXE
PID 1044 wrote to memory of 1032 | 1044 | DW20.EXE | dwwin.exe
PID 1044 wrote to memory of 1032 | 1044 | DW20.EXE | dwwin.exe
PID 1044 wrote to memory of 1032 | 1044 | DW20.EXE | dwwin.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: dwwin.exe
pid | process
1032 | dwwin.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid | process
676 | EXCEL.EXE
Processes

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
PID: 676

    C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    PID: 1044

        C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 1176
        - Suspicious behavior: GetForegroundWindowSpam
        PID: 1032