de032555e5d7aceffb24e42e90b928e6e36deab19d5d8096644ab51bcb31755c

Analysis

max time kernel
103s
max time network
28s
platform
windows7_x64
resource
win7
submitted
14/07/2020, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Goldy_Rosene.xls
Size

524KB
MD5

8734774af3e2c5920e7a12ac8f5aac9e
SHA1

10229a863500a9a5b34ce917bf34a334baac677c
SHA256

de032555e5d7aceffb24e42e90b928e6e36deab19d5d8096644ab51bcb31755c
SHA512

1587b73dd32b25640008dbcb06ffd7dac491154502ef8e35ec987f36b754f04017251ad48c053fb6dceab7ee2ee72d059de006b9f9b34d3d2f900a71b6769fc3

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1364	1012	EXCEL.EXE	24
PID 1012 wrote to memory of 1364	1012	EXCEL.EXE	24
PID 1012 wrote to memory of 1364	1012	EXCEL.EXE	24
PID 1012 wrote to memory of 1364	1012	EXCEL.EXE	24
PID 1012 wrote to memory of 1364	1012	EXCEL.EXE	24
PID 1364 wrote to memory of 1424	1364	DW20.EXE	25
PID 1364 wrote to memory of 1424	1364	DW20.EXE	25
PID 1364 wrote to memory of 1424	1364	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1424	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1012	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1012	EXCEL.EXE
1012	EXCEL.EXE
1012	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1012	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1364	1012	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Goldy_Rosene.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1012
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:1364
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1156
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-2-0x0000000001DF0000-0x0000000001E01000-memory.dmp

Filesize
68KB

Download
memory/1424-4-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download