Analysis
max time kernel: 16s
max time network: 70s
platform: windows10_x64
resource: win10v200722
submitted: 20/10/2020, 22:22
Static task: static1

Behavioral task: behavioral1
Sample: doc_pack-322413574.xls
Resource: win7v200722
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: doc_pack-322413574.xls
Resource: win10v200722
0 signatures
0 seconds
General
Target: doc_pack-322413574.xls
Size: 62KB
MD5: 08eb1a86e17f85aa38769369e04dce15
SHA1: b9a6ab82adce1cb3090576087c97e5957d94079a
SHA256: 27e3e8f78022dc6dffcf7b58b8b00816aa979bb1fc3c0e5631057fbe4af1a105
SHA512: 699c72769cf250e9a32cf44514726fd8a15af04cde2a2abfb6ddccd23d9167b390f44fa02dec0e74f5ca2898bc583ba396906fc1929654685b2e0cc262e50dc6
Score: 6/10
Malware Config
Signatures

Process spawned suspicious child process (1 IoCs)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 8 | 796 | DW20.EXE | 66

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
796 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
796 | EXCEL.EXE
796 | EXCEL.EXE
2868 | dwwin.exe
2868 | dwwin.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE
796 | EXCEL.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 796 wrote to memory of 8 | 796 | EXCEL.EXE | 73
PID 796 wrote to memory of 8 | 796 | EXCEL.EXE | 73
PID 8 wrote to memory of 2868 | 8 | DW20.EXE | 74
PID 8 wrote to memory of 2868 | 8 | DW20.EXE | 74
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-322413574.xls"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796

    C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4308
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    PID:8

        C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 4308
        - Suspicious behavior: EnumeratesProcesses
        PID:2868