Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
20/10/2020, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-352590073.xls
Resource
win7v200722
Behavioral task
behavioral2
Sample
doc_pack-352590073.xls
Resource
win10
General
-
Target
doc_pack-352590073.xls
-
Size
62KB
-
MD5
ef2dfe0447620f796e324aed70582e4e
-
SHA1
469ed63cc853515d1c27a1e1d12cedcd5e3df45b
-
SHA256
bc15dca3e68b7c8c3fc82ec997e688fdd7de323b20c9489d369e67401c1b4fd1
-
SHA512
36cf861b69c7f69d46ea08df262c101b65602f753cd5294ebeb89734fb035eda38eae7048cbb692d10402cff971a603fd7b51d733c4c4e6fd598bfed9888a131
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1516 772 DW20.EXE 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 772 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 772 EXCEL.EXE 772 EXCEL.EXE 1664 dwwin.exe 1664 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE 772 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 772 wrote to memory of 1516 772 EXCEL.EXE 75 PID 772 wrote to memory of 1516 772 EXCEL.EXE 75 PID 1516 wrote to memory of 1664 1516 DW20.EXE 76 PID 1516 wrote to memory of 1664 1516 DW20.EXE 76
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-352590073.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 44242⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 44243⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-