27ef9f658173804df9512e93698abdd1eb924a493cfe4945c7011fc936f5af12

Analysis

max time kernel
144s
max time network
37s
platform
windows7_x64
resource
win7v200430
submitted
13-07-2020 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
Size

309KB
MD5

303c9e48d826ba7aecf04663d9c317cb
SHA1

3394d30bb16ba4c31f1340b65cf8df4147119d27
SHA256

27ef9f658173804df9512e93698abdd1eb924a493cfe4945c7011fc936f5af12
SHA512

77cde6d6c7399e14e650bcf4a82448fef842e3c1d61a9b724728deb86acaeab9fa534a4df4f67bd427e6f385775655ff6d5220953dbbba517cd9ba57d9e9140f

Score

6^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

676 EXCEL.EXE
676 EXCEL.EXE
676 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

676 EXCEL.EXE

pid	process
676	EXCEL.EXE
676	EXCEL.EXE
676	EXCEL.EXE

pid	process
676	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1044	676	DW20.EXE	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 676 wrote to memory of 1044	676	EXCEL.EXE	DW20.EXE
PID 676 wrote to memory of 1044	676	EXCEL.EXE	DW20.EXE
PID 676 wrote to memory of 1044	676	EXCEL.EXE	DW20.EXE
PID 676 wrote to memory of 1044	676	EXCEL.EXE	DW20.EXE
PID 676 wrote to memory of 1044	676	EXCEL.EXE	DW20.EXE
PID 1044 wrote to memory of 1032	1044	DW20.EXE	dwwin.exe
PID 1044 wrote to memory of 1032	1044	DW20.EXE	dwwin.exe
PID 1044 wrote to memory of 1032	1044	DW20.EXE	dwwin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1032 dwwin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

676 EXCEL.EXE

pid	process
1032	dwwin.exe

pid	process
676	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.19369.xls
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
PID:676

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1176
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\113833.cvr

Download Submit
memory/1032-1-0x0000000000000000-mapping.dmp

Download
memory/1032-2-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1032-4-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download
memory/1044-0-0x0000000000000000-mapping.dmp

Download