4f8696a9fa832771c2e0a561ec5b12e0bde3f0afeda049c7e53ffc1b56e7bb09

Analysis

max time kernel
146s
max time network
41s
platform
windows7_x64
resource
win7v200430
submitted
17-07-2020 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inv_9.xls
Size

603KB
MD5

e511d5d44cf2910cb1d6245d2f3652aa
SHA1

bd1addabe7755fa3116942bbc9c190c77f25c0db
SHA256

4f8696a9fa832771c2e0a561ec5b12e0bde3f0afeda049c7e53ffc1b56e7bb09
SHA512

16ee8ec4ad8201a39ce79b30275ef1cc9ea9299dde3005557c501e9fb89acafdf14ececf35d4afd0fe66b035f22c99be910ac997d4594112fe52a74e8654f910

Score

6^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1252	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	676	1252	DW20.EXE	23

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 676	1252	EXCEL.EXE	24
PID 1252 wrote to memory of 676	1252	EXCEL.EXE	24
PID 1252 wrote to memory of 676	1252	EXCEL.EXE	24
PID 1252 wrote to memory of 676	1252	EXCEL.EXE	24
PID 1252 wrote to memory of 676	1252	EXCEL.EXE	24
PID 676 wrote to memory of 1016	676	DW20.EXE	25
PID 676 wrote to memory of 1016	676	DW20.EXE	25
PID 676 wrote to memory of 1016	676	DW20.EXE	25

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1016	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1252	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1252	EXCEL.EXE
1252	EXCEL.EXE
1252	EXCEL.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inv_9.xls
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1252
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1160
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1160
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-2-0x0000000001D90000-0x0000000001DA1000-memory.dmp

Filesize
68KB

Download
memory/1016-4-0x0000000002210000-0x0000000002221000-memory.dmp

Filesize
68KB

Download