cc391febddc384528fdf0b25e440074cf5f8f1ef4630e75e2655efc7a3c1697d

Analysis

max time kernel
55s
max time network
67s
platform
windows7_x64
resource
win7
submitted
15-07-2020 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Marlo_Dione.xls
Size

286KB
MD5

40cb120fa3a2838c031479f46aa098fd
SHA1

eee1ed1682879b0b011480d2dcdc9628522d9aad
SHA256

cc391febddc384528fdf0b25e440074cf5f8f1ef4630e75e2655efc7a3c1697d
SHA512

978ca11b563aab0ff3d1f6ef960166935d5c630181142edbd36eb95b7c5e2530e3270abe47fe5942e1bd03c1fd022cfbb7b6203697b85794fe1ec86856a420a5

Score

6^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
112	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
112	EXCEL.EXE
112	EXCEL.EXE
112	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
112	EXCEL.EXE
112	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1068	112	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1068	112	EXCEL.EXE	24
PID 112 wrote to memory of 1068	112	EXCEL.EXE	24
PID 112 wrote to memory of 1068	112	EXCEL.EXE	24
PID 112 wrote to memory of 1068	112	EXCEL.EXE	24
PID 112 wrote to memory of 1068	112	EXCEL.EXE	24
PID 1068 wrote to memory of 1652	1068	DW20.EXE	25
PID 1068 wrote to memory of 1652	1068	DW20.EXE	25
PID 1068 wrote to memory of 1652	1068	DW20.EXE	25

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Marlo_Dione.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1156
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1156
    3⤵
    PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-2-0x0000000001DE0000-0x0000000001DF1000-memory.dmp

Filesize
68KB

Download
memory/1652-4-0x00000000020B0000-0x00000000020C1000-memory.dmp

Filesize
68KB

Download
memory/1652-5-0x00000000020B0000-0x00000000020C1000-memory.dmp

Filesize
68KB

Download