a72d63cc39282fc2f056979dcbfa503a57359946f8f527cc7615938fd21ca73a

Analysis

max time kernel
115s
max time network
121s
platform
windows7_x64
resource
win7
submitted
15-07-2020 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File_0008656.xls
Size

341KB
MD5

26452ff471bf557d0e6d01a6d65517b5
SHA1

c5f89cecc9b9a7baeff94c922b21afa30e7836b7
SHA256

a72d63cc39282fc2f056979dcbfa503a57359946f8f527cc7615938fd21ca73a
SHA512

f7aff1fda98dbebe99dd867498dcb8f95eb9314541794e1b3a15210c7f10c5edb23e1ed727020a527dc816cfd3e0cbac64e3c3259f960007f1ecfbe7905a46ef

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 1500	1152	EXCEL.EXE	24
PID 1152 wrote to memory of 1500	1152	EXCEL.EXE	24
PID 1152 wrote to memory of 1500	1152	EXCEL.EXE	24
PID 1152 wrote to memory of 1500	1152	EXCEL.EXE	24
PID 1152 wrote to memory of 1500	1152	EXCEL.EXE	24
PID 1500 wrote to memory of 1724	1500	DW20.EXE	25
PID 1500 wrote to memory of 1724	1500	DW20.EXE	25
PID 1500 wrote to memory of 1724	1500	DW20.EXE	25

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1152	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1152	EXCEL.EXE
1152	EXCEL.EXE
1152	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	EXCEL.EXE
1152	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1500	1152	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\File_0008656.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:1152
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1172
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:1500
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1172
    3⤵
    PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-2-0x0000000001D60000-0x0000000001D71000-memory.dmp

Filesize
68KB

Download
memory/1724-4-0x00000000022F0000-0x0000000002301000-memory.dmp

Filesize
68KB

Download