9f21df8b373bfffb57254b1d061c43c239fd35fc69541a3f26bfbfc0550b9bdf

Analysis

max time kernel
115s
max time network
120s
platform
windows7_x64
resource
win7
submitted
14-07-2020 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tr_1.xls
Size

90KB
MD5

699db210e663e2a7ce73901a4f61d02a
SHA1

3e561b0617dc5c37c6dbfb5756d94dced45b963f
SHA256

9f21df8b373bfffb57254b1d061c43c239fd35fc69541a3f26bfbfc0550b9bdf
SHA512

047bb526d8e5067030ed2ac8d3e7868f185e3121e72ae6c3caf677ecf2c1e8d6810a71bacea38e894de5d7f3e50d9589aa7038989957b0639331cedb712e74ec

Score

6^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1544	1612	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1544	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1544	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1544	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1544	1612	EXCEL.EXE	24
PID 1612 wrote to memory of 1544	1612	EXCEL.EXE	24
PID 1544 wrote to memory of 1524	1544	DW20.EXE	25
PID 1544 wrote to memory of 1524	1544	DW20.EXE	25
PID 1544 wrote to memory of 1524	1544	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1524	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1612	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1612	EXCEL.EXE
1612	EXCEL.EXE
1612	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\tr_1.xls
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1612
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1172
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1172
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-2-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/1524-4-0x0000000002210000-0x0000000002221000-memory.dmp

Filesize
68KB

Download