Analysis
max time kernel: 89s
max time network: 94s
platform: windows10_x64
resource: win10
submitted: 20/10/2020, 23:07
Static task: static1

Behavioral task: behavioral1
Sample: doc_pack-559363553.xls
Resource: win7
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: doc_pack-559363553.xls
Resource: win10
0 signatures
0 seconds

General
Target: doc_pack-559363553.xls
Size: 62KB
MD5: b1eba9767fd7b694320f563a1fa14ac1
SHA1: 693149cb421a0e1bc3253075de63f0409f334b52
SHA256: f8a12eeb6eac98952c9119a3529e8f99f9e256cdc899317d12372ed5caa9982c
SHA512: 57312c5c606a8f46b2ea583a8c20656f7261c00edb7276a49e4116b1109d52a5bd8e66a0595ef8d322dcfa686fe48ce63a8fdd2f1eac4a4af14808f53eb2f7c8
Score: 6/10
Malware Config
Signatures

Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
pid: 1528
pid_target: 3044
Process: DW20.EXE
procid_target: 66

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
3044  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
3044  EXCEL.EXE
3044  EXCEL.EXE
1624  dwwin.exe
1624  dwwin.exe

Suspicious use of SetWindowsHookEx 8 IoCs
pid   Process
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE
3044  EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process    procid_target
PID 3044 wrote to memory of 1528  3044  EXCEL.EXE  75
PID 3044 wrote to memory of 1528  3044  EXCEL.EXE  75
PID 1528 wrote to memory of 1624  1528  DW20.EXE   76
PID 1528 wrote to memory of 1624  1528  DW20.EXE   76

Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-559363553.xls"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3044
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4284
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID: 1528
    C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 4284
    - Suspicious behavior: EnumeratesProcesses
    PID: 1624