f726cbe23062b21e3eee285a2fb0d3b8d86bcf918b2b52c32f4949a86f66514e

Resubmissions

17-12-2020 17:27

201217-zn5dhd2f8s 10

22-09-2020 07:26

200922-drz7628cca 8

Analysis

max time kernel
132s
max time network
138s
platform
windows7_x64
resource
win7
submitted
22-09-2020 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11182140512.xls
Size

103KB
MD5

fcca012018f8aa9fbfeb705664a5db2b
SHA1

71123bd3c44bc29a49f4e65d14bc5e52c52927c2
SHA256

f726cbe23062b21e3eee285a2fb0d3b8d86bcf918b2b52c32f4949a86f66514e
SHA512

09fb53f13b8a35ff107d6f0781db9efceb60b597d520544a88159cdaaa43cd7afbac6230d8ab0d25164b4441e57fae9b55c13cd0be08d83482d319886ec1b5f1

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1836	900	DW20.EXE	23

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
900	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1848	dwwin.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
900	EXCEL.EXE
900	EXCEL.EXE
900	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1836	900	EXCEL.EXE	25
PID 900 wrote to memory of 1836	900	EXCEL.EXE	25
PID 900 wrote to memory of 1836	900	EXCEL.EXE	25
PID 900 wrote to memory of 1836	900	EXCEL.EXE	25
PID 900 wrote to memory of 1836	900	EXCEL.EXE	25
PID 1836 wrote to memory of 1848	1836	DW20.EXE	26
PID 1836 wrote to memory of 1848	1836	DW20.EXE	26
PID 1836 wrote to memory of 1848	1836	DW20.EXE	26

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\11182140512.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1176
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1176
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1848-2-0x0000000001E20000-0x0000000001E31000-memory.dmp

Filesize
68KB

Download
memory/1848-4-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download