6e650a4383b6094da81c5d909ea099d520b969348e7189d6b04b6cb5dffdf754

Analysis

max time kernel
103s
max time network
75s
platform
windows7_x64
resource
win7
submitted
13-07-2020 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
Size

303KB
MD5

50d833a21db581f09239c26b5723376b
SHA1

d11f201a327d253cc68836e39ca73ece51f2767b
SHA256

6e650a4383b6094da81c5d909ea099d520b969348e7189d6b04b6cb5dffdf754
SHA512

9f9be8e4688ae30360b5bcf50fc1307a569cc1cfdea443708c7a795b8bd4285a3c989ed7f2d773aef7647680f22f0f4e41fb346c552bb084dab2f0801e1885c7

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1424	1196	EXCEL.EXE	24
PID 1196 wrote to memory of 1424	1196	EXCEL.EXE	24
PID 1196 wrote to memory of 1424	1196	EXCEL.EXE	24
PID 1196 wrote to memory of 1424	1196	EXCEL.EXE	24
PID 1196 wrote to memory of 1424	1196	EXCEL.EXE	24
PID 1424 wrote to memory of 1436	1424	DW20.EXE	25
PID 1424 wrote to memory of 1436	1424	DW20.EXE	25
PID 1424 wrote to memory of 1436	1424	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1436	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1196	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1196	EXCEL.EXE
1196	EXCEL.EXE
1196	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1424	1196	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1196
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:1424
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1176
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-2-0x0000000001D30000-0x0000000001D41000-memory.dmp

Filesize
68KB

Download
memory/1436-4-0x00000000022F0000-0x0000000002301000-memory.dmp

Filesize
68KB

Download