c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d

Analysis

max time kernel
106s
max time network
52s
platform
windows7_x64
resource
win7v200430
submitted
13-07-2020 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d.xls
Size

340KB
MD5

1591dce6e9ac5b9cfc8246d1113a14e8
SHA1

f9248ab4978f521c1052a6d54932aadeb8a56560
SHA256

c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d
SHA512

5de06b8d3bee8af4d9069efe7efed0dc6cf2f43dd60535d658055f69dd3259617228477ce851e1c45834321e535c043fe633dbbaf60b69d38d0d7ee9ec866f16

Score

6^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1388	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1388	EXCEL.EXE
1388	EXCEL.EXE
1388	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1388	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1604	1388	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1604	1388	EXCEL.EXE	24
PID 1388 wrote to memory of 1604	1388	EXCEL.EXE	24
PID 1388 wrote to memory of 1604	1388	EXCEL.EXE	24
PID 1388 wrote to memory of 1604	1388	EXCEL.EXE	24
PID 1388 wrote to memory of 1604	1388	EXCEL.EXE	24
PID 1604 wrote to memory of 784	1604	DW20.EXE	25
PID 1604 wrote to memory of 784	1604	DW20.EXE	25
PID 1604 wrote to memory of 784	1604	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
784	dwwin.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c3b92516dd77bf745e32aa4ffc4db810f0dbb9d290989235c71489b75910917d.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1164
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1164
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-2-0x0000000001DC0000-0x0000000001DD1000-memory.dmp

Filesize
68KB

Download
memory/784-4-0x00000000023E0000-0x00000000023F1000-memory.dmp

Filesize
68KB

Download