27ef9f658173804df9512e93698abdd1eb924a493cfe4945c7011fc936f5af12

Analysis

max time kernel
144s
max time network
37s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 20:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
Size

309KB
MD5

303c9e48d826ba7aecf04663d9c317cb
SHA1

3394d30bb16ba4c31f1340b65cf8df4147119d27
SHA256

27ef9f658173804df9512e93698abdd1eb924a493cfe4945c7011fc936f5af12
SHA512

77cde6d6c7399e14e650bcf4a82448fef842e3c1d61a9b724728deb86acaeab9fa534a4df4f67bd427e6f385775655ff6d5220953dbbba517cd9ba57d9e9140f

Score

6^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
676	EXCEL.EXE
676	EXCEL.EXE
676	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
676	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1044	676	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1044	676	EXCEL.EXE	24
PID 676 wrote to memory of 1044	676	EXCEL.EXE	24
PID 676 wrote to memory of 1044	676	EXCEL.EXE	24
PID 676 wrote to memory of 1044	676	EXCEL.EXE	24
PID 676 wrote to memory of 1044	676	EXCEL.EXE	24
PID 1044 wrote to memory of 1032	1044	DW20.EXE	25
PID 1044 wrote to memory of 1032	1044	DW20.EXE	25
PID 1044 wrote to memory of 1032	1044	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1032	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
676	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
PID:676
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1176
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-2-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1032-4-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download