Analysis
max time kernel: 103s
max time network: 75s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 20:00
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
Resource: win7
Behavioral task: behavioral2
Sample: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
Resource: win10v200430
General
Target: SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
Size: 303KB
MD5: 50d833a21db581f09239c26b5723376b
SHA1: d11f201a327d253cc68836e39ca73ece51f2767b
SHA256: 6e650a4383b6094da81c5d909ea099d520b969348e7189d6b04b6cb5dffdf754
SHA512: 9f9be8e4688ae30360b5bcf50fc1307a569cc1cfdea443708c7a795b8bd4285a3c989ed7f2d773aef7647680f22f0f4e41fb346c552bb084dab2f0801e1885c7
Malware Config
Signatures
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, DW20.EXE
description                        pid    process      target process
PID 1196 wrote to memory of 1424   1196   EXCEL.EXE    DW20.EXE
PID 1196 wrote to memory of 1424   1196   EXCEL.EXE    DW20.EXE
PID 1196 wrote to memory of 1424   1196   EXCEL.EXE    DW20.EXE
PID 1196 wrote to memory of 1424   1196   EXCEL.EXE    DW20.EXE
PID 1196 wrote to memory of 1424   1196   EXCEL.EXE    DW20.EXE
PID 1424 wrote to memory of 1436   1424   DW20.EXE     dwwin.exe
PID 1424 wrote to memory of 1436   1424   DW20.EXE     dwwin.exe
PID 1424 wrote to memory of 1436   1424   DW20.EXE     dwwin.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: dwwin.exe
pid    process
1436   dwwin.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
pid    process
1196   EXCEL.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: EXCEL.EXE
pid    process
1196   EXCEL.EXE
1196   EXCEL.EXE
1196   EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: EXCEL.EXE
pid    process
1196   EXCEL.EXE
Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
description: Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
pid: 1424
pid_target: 1196
process: DW20.EXE
target process: EXCEL.EXE
Processes
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.17436.xls
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID: 1196
    C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
    "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
    - Suspicious use of WriteProcessMemory
    - Process spawned suspicious child process
    PID: 1424
        C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 1176
        - Suspicious behavior: GetForegroundWindowSpam
        PID: 1436