Analysis
max time kernel: 26s
max time network: 147s
platform: windows10_x64
resource: win10v200722
submitted: 19/10/2020, 22:58
Static task: static1
Behavioral task: behavioral1
Sample: document-1022862840.xls
Resource: win7
0 signatures
0 seconds
Behavioral task: behavioral2
Sample: document-1022862840.xls
Resource: win10v200722
0 signatures
0 seconds
General
Target: document-1022862840.xls
Size: 426KB
MD5: 51570d44afe7438aa7c9fe1d9396bae8
SHA1: 64a9066b5e040128c486d445122cd30581150e17
SHA256: a69accc253cc56e9069f93a7647e2519b71a046947b05a38bb5b51308db0a7ef
SHA512: b2683f2aa519cd1d5c2eaf3335d8c1f3791a599733ab6e1ed37bf3fc2fd1037767c530734175fe7bd44e14c3ee61d51a8d472b34a315d4c9f305d61099807dc0
Score: 6/10
Malware Config
Signatures
Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2424 | 3888 | DW20.EXE | 65

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
3888 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3004 | dwwin.exe
3004 | dwwin.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE
3888 | EXCEL.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3888 wrote to memory of 2424 | 3888 | EXCEL.EXE | 74
PID 3888 wrote to memory of 2424 | 3888 | EXCEL.EXE | 74
PID 2424 wrote to memory of 3004 | 2424 | DW20.EXE | 76
PID 2424 wrote to memory of 3004 | 2424 | DW20.EXE | 76
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-1022862840.xls"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3888
2. C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
   Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4408
   - Process spawned suspicious child process
   - Suspicious use of WriteProcessMemory
   PID: 2424
3. C:\Windows\system32\dwwin.exe
   Command line: C:\Windows\system32\dwwin.exe -x -s 4408
   - Suspicious behavior: EnumeratesProcesses
   PID: 3004