Analysis
- Max time kernel: 75s
- Max time network: 136s
- Platform: windows10_x64
- Resource: win10
- Submitted: 09-07-2020 19:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: account_invoice_5918.xls
  - Resource: win7v200430
- Behavioral task: behavioral2
  - Sample: account_invoice_5918.xls
  - Resource: win10
General
- Target: account_invoice_5918.xls
- Size: 166KB
- MD5: a13b46e0c9153d4ce366ad65c4d2fc04
- SHA1: bd1c268034ab18a61ef5bb2f4c75de70fd739124
- SHA256: 56754abf3731d99b740618119f73736894c6aba81fde45ee27f864f10b376341
- SHA512: 54cfc04fe000011ea8ecc12988dfa9b4f572093d187a5bc3473333ae142990130165bbf71a5b1751ab454f40535eb2d8ce01d642cffb5f22646b79411fb5a40f
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  - PID 720 wrote to memory of 3388 | 720 | EXCEL.EXE | DW20.EXE
  - PID 720 wrote to memory of 3388 | 720 | EXCEL.EXE | DW20.EXE
  - PID 3388 wrote to memory of 936 | 3388 | DW20.EXE | dwwin.exe
  - PID 3388 wrote to memory of 936 | 3388 | DW20.EXE | dwwin.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid | process):
  - 720 | EXCEL.EXE (8 events)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  - 720 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  - 720 | EXCEL.EXE (2 events)
  - 936 | dwwin.exe (2 events)
- Process spawned suspicious child process (1 IoC)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3388 | 720 | DW20.EXE | EXCEL.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\account_invoice_5918.xls"
  PID: 720
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (child of PID 720)
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4332
    PID: 3388
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process spawned suspicious child process
    - C:\Windows\system32\dwwin.exe (child of PID 3388)
      Command line: C:\Windows\system32\dwwin.exe -x -s 4332
      PID: 936
      Signatures:
      - Suspicious behavior: EnumeratesProcesses