48eb94cc491f59b951a2753961864dd0d6257d96e0ba0862a302399cd1e7dba4

Analysis

max time kernel
145s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
15/07/2020, 21:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.005690e01.30926.xls
Size

298KB
MD5

0983f5f90c2c6b305e27d357873c6552
SHA1

19e996fb068bad7cbfd1ff373f104a45f159b0f5
SHA256

48eb94cc491f59b951a2753961864dd0d6257d96e0ba0862a302399cd1e7dba4
SHA512

e400695841f024582e3a6e567db60a3f0011a89dbbe3eb2417039d7f5841bb74670b8c95570c0fb302a6aceacb45070f64fac5a675ff3ebc1bf98596666c3d2d

Score

6^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1500	904	EXCEL.EXE	24
PID 904 wrote to memory of 1500	904	EXCEL.EXE	24
PID 904 wrote to memory of 1500	904	EXCEL.EXE	24
PID 904 wrote to memory of 1500	904	EXCEL.EXE	24
PID 904 wrote to memory of 1500	904	EXCEL.EXE	24
PID 1500 wrote to memory of 680	1500	DW20.EXE	25
PID 1500 wrote to memory of 680	1500	DW20.EXE	25
PID 1500 wrote to memory of 680	1500	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
680	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
904	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
904	EXCEL.EXE
904	EXCEL.EXE
904	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
904	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1500	904	DW20.EXE	23

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.005690e01.30926.xls
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
PID:904
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
  2⤵
  - Suspicious use of WriteProcessMemory
  - Process spawned suspicious child process
  PID:1500
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1156
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-2-0x0000000001E20000-0x0000000001E31000-memory.dmp

Filesize
68KB

Download
memory/680-4-0x00000000022E0000-0x00000000022F1000-memory.dmp

Filesize
68KB

Download