Analysis
-
max time kernel
144s -
max time network
132s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09-07-2020 07:09
Static task
static1
Behavioral task
behavioral1
Sample
Products_Pricerate_2020.xls
Resource
win7
Behavioral task
behavioral2
Sample
Products_Pricerate_2020.xls
Resource
win10v200430
General
-
Target
Products_Pricerate_2020.xls
-
Size
78KB
-
MD5
0c75b0ce041408fb62db6ca38e97c018
-
SHA1
02c7976c74e4d2e48558ce234d09a7c590025cd2
-
SHA256
78e0be68a469edfd73e4f409e6bb6f73e14cda8d3252258b0a7b6af43efb0032
-
SHA512
dc56658d55aeb02e05fdd8900f5e13ccd88c3d7fbee5d7f6e4e05cfbad0ef846e25dfcf828b1c83e8523ca38da0476caa70e0a3f1a6401553c3a31e7770564a8
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
EXCEL.EXEpid process 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE 3540 EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3540 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
EXCEL.EXEdwwin.exepid process 3540 EXCEL.EXE 3540 EXCEL.EXE 2108 dwwin.exe 2108 dwwin.exe -
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes:
DW20.EXEdescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2052 3540 DW20.EXE EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
EXCEL.EXEDW20.EXEdescription pid process target process PID 3540 wrote to memory of 2052 3540 EXCEL.EXE DW20.EXE PID 3540 wrote to memory of 2052 3540 EXCEL.EXE DW20.EXE PID 2052 wrote to memory of 2108 2052 DW20.EXE dwwin.exe PID 2052 wrote to memory of 2108 2052 DW20.EXE dwwin.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Products_Pricerate_2020.xls"1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
PID:3540 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 30122⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 30123⤵
- Suspicious behavior: EnumeratesProcesses
PID:2108