Analysis
max time kernel: 113s
max time network: 118s
platform: windows7_x64
resource: win7
submitted: 14-07-2020 17:39
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.DOC.Kryptik.Q.12069.xls
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.DOC.Kryptik.Q.12069.xls
  Resource: win10v200430
General
Target: SecuriteInfo.com.DOC.Kryptik.Q.12069.xls
Size: 514KB
MD5: c12b6b3320e173dc205e7f47d23307f7
SHA1: d33ea64ead4e6b68760cd961d013e6a829381fbd
SHA256: 61741b3b7c3ea966b893de091e59f96510b855a024a371546845b5f4e51d6f3d
SHA512: 932412e87ed6a813d54e911643828cf357c1b5230bc9f5bd835ceaca2832ac6aa08a1d795c7d56e7df97aee84d40eb3d209c34db3c0bb9d4a0800df07001d7dd
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
  pid   process
  900   EXCEL.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: EXCEL.EXE
  pid   process
  900   EXCEL.EXE
  900   EXCEL.EXE
  900   EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: EXCEL.EXE
  pid   process
  900   EXCEL.EXE
Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
  description                                                                                            pid    pid_target   process    target process
  Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process      1436   900          DW20.EXE   EXCEL.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: EXCEL.EXE, DW20.EXE
  description                        pid    process     target process
  PID 900 wrote to memory of 1436    900    EXCEL.EXE   DW20.EXE
  PID 900 wrote to memory of 1436    900    EXCEL.EXE   DW20.EXE
  PID 900 wrote to memory of 1436    900    EXCEL.EXE   DW20.EXE
  PID 900 wrote to memory of 1436    900    EXCEL.EXE   DW20.EXE
  PID 900 wrote to memory of 1436    900    EXCEL.EXE   DW20.EXE
  PID 1436 wrote to memory of 1512   1436   DW20.EXE    dwwin.exe
  PID 1436 wrote to memory of 1512   1436   DW20.EXE    dwwin.exe
  PID 1436 wrote to memory of 1512   1436   DW20.EXE    dwwin.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: dwwin.exe
  pid    process
  1512   dwwin.exe
Processes
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.DOC.Kryptik.Q.12069.xls
  PID: 900
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
      Command line: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1152
      PID: 1436
      - Process spawned suspicious child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\dwwin.exe
          Command line: C:\Windows\system32\dwwin.exe -x -s 1152
          PID: 1512
          - Suspicious behavior: GetForegroundWindowSpam