Analysis

  • max time kernel
    144s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    09-07-2020 07:09

General

  • Target

    Products_Pricerate_2020.xls

  • Size

    78KB

  • MD5

    0c75b0ce041408fb62db6ca38e97c018

  • SHA1

    02c7976c74e4d2e48558ce234d09a7c590025cd2

  • SHA256

    78e0be68a469edfd73e4f409e6bb6f73e14cda8d3252258b0a7b6af43efb0032

  • SHA512

    dc56658d55aeb02e05fdd8900f5e13ccd88c3d7fbee5d7f6e4e05cfbad0ef846e25dfcf828b1c83e8523ca38da0476caa70e0a3f1a6401553c3a31e7770564a8

Score
6/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Suspicious use of WriteProcessMemory 4 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Products_Pricerate_2020.xls"
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Enumerates system info in registry
    PID:3540
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3012
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 3012
        • Suspicious behavior: EnumeratesProcesses
        PID:2108

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2052-0-0x0000000000000000-mapping.dmp
  • memory/2108-1-0x0000000000000000-mapping.dmp
  • memory/2108-2-0x0000020C1D440000-0x0000020C1D441000-memory.dmp (Filesize: 4KB)
  • memory/2108-3-0x0000020C1D440000-0x0000020C1D441000-memory.dmp (Filesize: 4KB)
  • memory/2108-5-0x0000020C1DAA0000-0x0000020C1DAA1000-memory.dmp (Filesize: 4KB)
  • memory/2108-6-0x0000020C1DEA0000-0x0000020C1DEA1000-memory.dmp (Filesize: 4KB)
  • memory/2108-8-0x0000020C1DE40000-0x0000020C1DE41000-memory.dmp (Filesize: 4KB)
  • memory/2108-9-0x0000020C1DE40000-0x0000020C1DE41000-memory.dmp (Filesize: 4KB)
  • memory/2108-10-0x0000020C1DE40000-0x0000020C1DE41000-memory.dmp (Filesize: 4KB)