Analysis
max time kernel: 24s
max time network: 144s
platform: windows10_x64
resource: win10v200722
submitted: 19/10/2020, 22:58
Static task: static1
Behavioral task: behavioral1
  Sample: document-1100493704.xls
  Resource: win7v200722
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: document-1100493704.xls
  Resource: win10v200722
  0 signatures
  0 seconds
General
Target: document-1100493704.xls
Size: 426KB
MD5: a406357c80a2f54919471d0b8a88d783
SHA1: dadaf19ee069b576edb6642b516a44404972e259
SHA256: b17badd9fa53a071f6e1934eccd02d7d5201eb9baf355ce2277a6ef65d1edb8f
SHA512: a9eae97c9d28cb710145e44225d0a8b10143b356a6769eeabee83c7a76702aa6bd1af92234f8bf8baa97db2fb4b95fbba2c5459da2dac806d07f3008d37e648a
Score: 6/10
Malware Config
Signatures
Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3612 | 3816 | DW20.EXE | 65
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
3816 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3932 | dwwin.exe
3932 | dwwin.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
3816 | EXCEL.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3816 wrote to memory of 3612 | 3816 | EXCEL.EXE | 72
PID 3816 wrote to memory of 3612 | 3816 | EXCEL.EXE | 72
PID 3612 wrote to memory of 3932 | 3612 | DW20.EXE | 73
PID 3612 wrote to memory of 3932 | 3612 | DW20.EXE | 73
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-1100493704.xls"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3816
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4464
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    PID: 3612
    C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 4464
      - Suspicious behavior: EnumeratesProcesses
      PID: 3932