7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0

Analysis

max time kernel
113s
max time network
119s
platform
windows7_x64
resource
win7
submitted
14-07-2020 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tr_4.xls
Size

90KB
MD5

4cabdfd852c1c7fe830508cec8dd0982
SHA1

ee530e442bdf28a4834bca1922be2dd54761c6d5
SHA256

7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0
SHA512

a6ec25d43a123a9a9b7f5005a7acd7b9bad3f3142f0b29d9c43b993fabec22e8926f29f324e85a050ed832a2c4c594802906705ed89ac7460e818188c0b8cd2a

Score

6^/10

Malware Config

Signatures

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

1860 dwwin.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE
1516 EXCEL.EXE
1516 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

EXCEL.EXE

pid process

1516 EXCEL.EXE

pid	process
1860	dwwin.exe

pid	process
1516	EXCEL.EXE

pid	process
1516	EXCEL.EXE
1516	EXCEL.EXE
1516	EXCEL.EXE

pid	process
1516	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1752	1516	DW20.EXE	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 1516 wrote to memory of 1752	1516	EXCEL.EXE	DW20.EXE
PID 1516 wrote to memory of 1752	1516	EXCEL.EXE	DW20.EXE
PID 1516 wrote to memory of 1752	1516	EXCEL.EXE	DW20.EXE
PID 1516 wrote to memory of 1752	1516	EXCEL.EXE	DW20.EXE
PID 1516 wrote to memory of 1752	1516	EXCEL.EXE	DW20.EXE
PID 1752 wrote to memory of 1860	1752	DW20.EXE	dwwin.exe
PID 1752 wrote to memory of 1860	1752	DW20.EXE	dwwin.exe
PID 1752 wrote to memory of 1860	1752	DW20.EXE	dwwin.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\tr_4.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1156
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65286.cvr

Download Submit
memory/1752-0-0x0000000000000000-mapping.dmp

Download
memory/1860-1-0x0000000000000000-mapping.dmp

Download
memory/1860-2-0x0000000001CF0000-0x0000000001D01000-memory.dmp

Filesize
68KB

Download
memory/1860-4-0x0000000002340000-0x0000000002351000-memory.dmp

Filesize
68KB

Download