c649bb64c9dc14442065457270d02182ae8e76a950f9ebf55ae20556cd56faae

Analysis

max time kernel
139s
max time network
32s
platform
windows7_x64
resource
win7v200430
submitted
14-07-2020 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.43488673.23607.22739.xls
Size

356KB
MD5

5c7d60d78ce275b07e473dcfa2bbb5ec
SHA1

1d770eda584a966708e9ced9501556798129c504
SHA256

c649bb64c9dc14442065457270d02182ae8e76a950f9ebf55ae20556cd56faae
SHA512

d38cbafedab54efb38e4d420ede77533e180d87886d481b39a4157799dc71f23a403f77dd59944ee31753a6d8f0ed855336775d7f5d9602528ea0394ead1fcfe

Score

6^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1400	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1400	EXCEL.EXE
1400	EXCEL.EXE
1400	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1400	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1012	1400	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1012	1400	EXCEL.EXE	24
PID 1400 wrote to memory of 1012	1400	EXCEL.EXE	24
PID 1400 wrote to memory of 1012	1400	EXCEL.EXE	24
PID 1400 wrote to memory of 1012	1400	EXCEL.EXE	24
PID 1400 wrote to memory of 1012	1400	EXCEL.EXE	24
PID 1012 wrote to memory of 552	1012	DW20.EXE	25
PID 1012 wrote to memory of 552	1012	DW20.EXE	25
PID 1012 wrote to memory of 552	1012	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
552	dwwin.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.43488673.23607.22739.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1160
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1160
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-2-0x0000000001D60000-0x0000000001D71000-memory.dmp

Filesize
68KB

Download
memory/552-4-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download