Analysis
-
max time kernel
88s -
max time network
153s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
19/10/2020, 23:32
Static task
static1
Behavioral task
behavioral1
Sample
document-138161646.xls
Resource
win7v200722
Behavioral task
behavioral2
Sample
document-138161646.xls
Resource
win10v200722
General
-
Target
document-138161646.xls
-
Size
426KB
-
MD5
24f7d2c93d14bd25c8295a85997d9abe
-
SHA1
46a1dc4d5855c2e29889705638c80285c303cf62
-
SHA256
1422ce2cd2fe424a4441f4205b38dd68054cde2995a4af3a78a5f3d452b1f340
-
SHA512
0a8924fe428035503bef0cc23e6be6e7c9b13b8b7efd521f3d1051a7070a4c972d2e9905327dec6e56070c8896ae71fc20f77a9d4de5d3bfed2dc22a69921dac
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2028 3952 DW20.EXE 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3952 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3952 EXCEL.EXE 3952 EXCEL.EXE 1336 dwwin.exe 1336 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE 3952 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3952 wrote to memory of 2028 3952 EXCEL.EXE 79 PID 3952 wrote to memory of 2028 3952 EXCEL.EXE 79 PID 2028 wrote to memory of 1336 2028 DW20.EXE 80 PID 2028 wrote to memory of 1336 2028 DW20.EXE 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\document-138161646.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 47522⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 47523⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336
-
-