19a1f6546cece68543aac388416cdf867ef8aee9061a6ed902d45ce49715a69c

Analysis

max time kernel
121s
max time network
123s
platform
windows10_x64
resource
win10
submitted
17-07-2020 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

reminder_1687164.xls
Size

367KB
MD5

6b1a1c7461aaf71e3857232a4412e4fc
SHA1

51c02cffabb7d7bf7fbc99b2d6d15a91a1eea1dd
SHA256

19a1f6546cece68543aac388416cdf867ef8aee9061a6ed902d45ce49715a69c
SHA512

caf685429d4d4744abdc4acfab5d9bb6072326087079ae2da227e637a86fb02f537495826740263b3bf21ecf436625e400f66c91eec30c43dec02826d0a06618

Score

6^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3676	EXCEL.EXE
3676	EXCEL.EXE
492	dwwin.exe
492	dwwin.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3216	3676	DW20.EXE	66

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3216	3676	EXCEL.EXE	70
PID 3676 wrote to memory of 3216	3676	EXCEL.EXE	70
PID 3216 wrote to memory of 492	3216	DW20.EXE	71
PID 3216 wrote to memory of 492	3216	DW20.EXE	71

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE
3676	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3676	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\reminder_1687164.xls"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:3676
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4172
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 4172
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/492-2-0x0000021448CC0000-0x0000021448CC1000-memory.dmp

Filesize
4KB

Download
memory/492-3-0x0000021448CC0000-0x0000021448CC1000-memory.dmp

Filesize
4KB

Download
memory/492-5-0x0000021449300000-0x0000021449301000-memory.dmp

Filesize
4KB

Download
memory/492-8-0x0000021449700000-0x0000021449701000-memory.dmp

Filesize
4KB

Download
memory/492-10-0x0000021449640000-0x0000021449641000-memory.dmp

Filesize
4KB

Download
memory/492-11-0x0000021449640000-0x0000021449641000-memory.dmp

Filesize
4KB

Download
memory/492-12-0x0000021449640000-0x0000021449641000-memory.dmp

Filesize
4KB

Download