Analysis

  • max time kernel
    75s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    20/10/2020, 22:23

General

  • Target
    doc_pack-345057170.xls
  • Size
    62KB
  • MD5
    fe2ebe3f1daceedd8aa40708a3c101bc
  • SHA1
    be96b9225517604540c6d7a355db50c4d3b7e723
  • SHA256
    8a90e7c86390b108ac72220703ff2c3a3935741ffd1f01fc4cba85b8c8b4c9eb
  • SHA512
    b04c6ea36bc664f19d2d8d22b28b062f0c1cd7fafcc4a8430d09573c9645ff65f2e39e7a813afbf53683dc0c3bc741cbbea80e5c03d94ce6073c480b95d6a9f3

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process (1 IoC)
    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates that an attempt to compromise the parent process failed.
  • Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-345057170.xls"
    Depth: 1
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 784
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4524
      Depth: 2
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID: 3284
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 4524
        Depth: 3
        • Suspicious behavior: EnumeratesProcesses
        PID: 2656

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/784-0-0x00007FFE42C50000-0x00007FFE43316000-memory.dmp
    Filesize: 6.8MB
  • memory/784-2-0x0000017ED06C5000-0x0000017ED06CA000-memory.dmp
    Filesize: 20KB
  • memory/2656-6-0x000001DF367C0000-0x000001DF367C1000-memory.dmp
    Filesize: 4KB
  • memory/2656-7-0x000001DF367C0000-0x000001DF367C1000-memory.dmp
    Filesize: 4KB
  • memory/2656-9-0x000001DF36E00000-0x000001DF36E01000-memory.dmp
    Filesize: 4KB
  • memory/2656-12-0x000001DF37130000-0x000001DF37131000-memory.dmp
    Filesize: 4KB
  • memory/2656-13-0x000001DF37130000-0x000001DF37131000-memory.dmp
    Filesize: 4KB
  • memory/2656-14-0x000001DF37130000-0x000001DF37131000-memory.dmp
    Filesize: 4KB
  • memory/2656-15-0x000001DF36D40000-0x000001DF36D41000-memory.dmp
    Filesize: 4KB