37bae39cdd152ba0ad9c8661f7fa2740fd23c5d4f4666a560d11a0100da100e7

Analysis

max time kernel
135s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
13-07-2020 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.DOC.Kryptik.Q.6586.xls
Size

300KB
MD5

ee4e4354a83b4f83ce02d43d3d62f605
SHA1

91c416665c0d3265ce241e745a146f5c2ea8b7ba
SHA256

37bae39cdd152ba0ad9c8661f7fa2740fd23c5d4f4666a560d11a0100da100e7
SHA512

8630fe21d22767606897aa501e9e1368178f63a0ccb566b2707b1d864dc1083de4d24e398291b99b00884559b8fcaa24f1b85b16709302f23dac40aadcb864e0

Score

6^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1092	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1092	EXCEL.EXE
1092	EXCEL.EXE
1092	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1092	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1052	1092	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1052	1092	EXCEL.EXE	24
PID 1092 wrote to memory of 1052	1092	EXCEL.EXE	24
PID 1092 wrote to memory of 1052	1092	EXCEL.EXE	24
PID 1092 wrote to memory of 1052	1092	EXCEL.EXE	24
PID 1092 wrote to memory of 1052	1092	EXCEL.EXE	24
PID 1052 wrote to memory of 1040	1052	DW20.EXE	25
PID 1052 wrote to memory of 1040	1052	DW20.EXE	25
PID 1052 wrote to memory of 1040	1052	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1040	dwwin.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.6586.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1172
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1172
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-2-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/1040-4-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download