Analysis
-
max time kernel
75s -
max time network
151s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
20/10/2020, 22:23
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-345057170.xls
Resource
win7
Behavioral task
behavioral2
Sample
doc_pack-345057170.xls
Resource
win10v200722
General
-
Target
doc_pack-345057170.xls
-
Size
62KB
-
MD5
fe2ebe3f1daceedd8aa40708a3c101bc
-
SHA1
be96b9225517604540c6d7a355db50c4d3b7e723
-
SHA256
8a90e7c86390b108ac72220703ff2c3a3935741ffd1f01fc4cba85b8c8b4c9eb
-
SHA512
b04c6ea36bc664f19d2d8d22b28b062f0c1cd7fafcc4a8430d09573c9645ff65f2e39e7a813afbf53683dc0c3bc741cbbea80e5c03d94ce6073c480b95d6a9f3
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3284 784 DW20.EXE 66 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 784 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 784 EXCEL.EXE 784 EXCEL.EXE 2656 dwwin.exe 2656 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE 784 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 784 wrote to memory of 3284 784 EXCEL.EXE 80 PID 784 wrote to memory of 3284 784 EXCEL.EXE 80 PID 3284 wrote to memory of 2656 3284 DW20.EXE 81 PID 3284 wrote to memory of 2656 3284 DW20.EXE 81
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-345057170.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 45242⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 45243⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656
-
-