Analysis
Max time kernel: 149s
Max time network: 148s
Platform: windows10_x64
Resource: win10
Submitted: 20/10/2020, 23:12
Static task: static1
Behavioral task: behavioral1 (sample doc_pack-705805820.xls, resource win7v200722)
Behavioral task: behavioral2 (sample doc_pack-705805820.xls, resource win10)
General
Target: doc_pack-705805820.xls
Size: 62KB
MD5: e80774c9bb6789101c2d72e7ef65b4da
SHA1: 40e05f07a34d028ca680d5970ac3afe3ce97573f
SHA256: 72671950248428dc1f4d570d54858d5bcb7ba6191785da39603af9f567e7e13f
SHA512: ffe5182f73af0fbbeada572799bd949767ea0e18f4cb7f7322a3986365dc76ebde0b4f47dd013ad88a8ad9c839132abf32eb5c578413e2cc708a427c75865d06
Malware Config
Signatures
Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. It therefore usually indicates an attempt to compromise the parent process that did not succeed. Here the child is DW20.EXE, the Microsoft Office error-reporting client, so the hit records EXCEL.EXE crashing on the document.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2580 | 2896 | DW20.EXE | 66
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Caveat for both signatures: the reading process is EXCEL.EXE itself, and Office reads these CPU and BIOS keys on a clean document as well (startup and crash-reporting telemetry), so the hits are attributed to the host application and are not by themselves evidence of evasion logic in the document. They would carry weight only if a process launched by the document performed the same reads.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2896 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2896 | EXCEL.EXE
2896 | EXCEL.EXE
2800 | dwwin.exe
2800 | dwwin.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2896 | EXCEL.EXE
2896 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2896 | EXCEL.EXE (12 identical rows)

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2896 wrote to memory of 2580 | 2896 | EXCEL.EXE | 76
PID 2896 wrote to memory of 2580 | 2896 | EXCEL.EXE | 76
PID 2580 wrote to memory of 2800 | 2580 | DW20.EXE | 77
PID 2580 wrote to memory of 2800 | 2580 | DW20.EXE | 77

Caveat: every WriteProcessMemory row here is a parent writing into a child it has just created (2896 EXCEL.EXE into 2580 DW20.EXE, 2580 DW20.EXE into 2800 dwwin.exe), which is the normal process-launch pattern the sandbox observes for any spawn. None of the rows shows a write into an unrelated, already-running process, so this is not evidence of injection.
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2896, depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-705805820.xls"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (PID 2580, depth 2, parent 2896)
  Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4632
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\dwwin.exe (PID 2800, depth 3, parent 2580)
    Command line: C:\Windows\system32\dwwin.exe -x -s 4632
    - Suspicious behavior: EnumeratesProcesses

Reading the tree: DW20.EXE is the Microsoft Office error-reporting client and dwwin.exe the Windows error-reporting (Dr. Watson) client it hands off to, so this chain records EXCEL.EXE crashing while loading doc_pack-705805820.xls, not the document executing anything. The report lists no other child of EXCEL.EXE (no cmd.exe, powershell.exe, wscript.exe or similar), so the observable outcome of this run is a document that Excel could not parse. A crash on open still merits triage: it may be a corrupted file, but it may also be an exploit attempt against the XLS parser that failed on this Office build, which is what the "Process spawned suspicious child process" signature is pointing at. The win7v200722 task listed above is the natural cross-check, since a parser exploit tuned for an older build may behave differently there.
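The crash-versus-execution distinction drawn above is the check worth automating for any sandbox process tree. The Python below is an added example, not code from the sandbox or from this report: it links process-creation events into a tree and gives each Office host a verdict depending on whether its descendants are error-reporting clients (crash), known interpreters or LOLBins (execution), or something else. REPORT_EVENTS is transcribed from the PIDs, images and command lines above, with parent links taken from the tree depth; MACRO_EVENTS is a constructed contrast case that does not come from the report. The EXEC_CHILDREN list is an assumption to be tuned per environment.

```python
"""Classify Office child processes from sandbox process-creation events.

Added example, not code from the sandbox or the report. REPORT_EVENTS is
transcribed from the report (parent links from the tree depth); MACRO_EVENTS
is a constructed contrast case. EXEC_CHILDREN is an assumed, tunable list.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Error-reporting clients: a child of this kind means the host crashed on
# the document, not that the document ran anything.
CRASH_HANDLERS = {"dw20.exe", "dwwin.exe", "werfault.exe"}
# Interpreters and LOLBins a weaponised document typically launches
# (assumed list for this example).
EXEC_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def build_tree(events: List[dict]) -> Tuple[Dict[int, Proc], List[Proc]]:
    """Link events into Proc objects; return (by_pid, roots)."""
    by_pid = {e["pid"]: Proc(e["pid"], e["image"], e["cmdline"], e.get("parent"))
              for e in events}
    roots = []
    for p in by_pid.values():
        if p.parent in by_pid:
            by_pid[p.parent].children.append(p)
        else:
            roots.append(p)
    return by_pid, roots


def descendants(proc: Proc) -> List[Proc]:
    out, stack = [], list(proc.children)
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(c.children)
    return out


def classify(proc: Proc) -> Tuple[str, str]:
    """Verdict for an Office host from what it transitively spawned."""
    if proc.name not in OFFICE_HOSTS:
        return "n/a", "not an Office host"
    names = {c.name for c in descendants(proc)}
    execs = sorted(names & EXEC_CHILDREN)
    crash = sorted(names & CRASH_HANDLERS)
    other = sorted(names - EXEC_CHILDREN - CRASH_HANDLERS)
    if execs:
        return "suspicious", "spawned " + ", ".join(execs)
    if other:
        return "review", "unexpected children: " + ", ".join(other)
    if crash:
        return "crashed", "only error-reporting children: " + ", ".join(crash)
    return "clean", "no child processes"


def render(proc: Proc, depth: int = 0) -> str:
    """Indented tree, one process per line."""
    line = f"{'  ' * depth}{proc.pid} {proc.name}  {proc.cmdline}"
    return "\n".join([line] + [render(c, depth + 1) for c in proc.children])


def verdicts(events: List[dict]) -> Dict[int, Tuple[str, str]]:
    _, roots = build_tree(events)
    return {r.pid: classify(r) for r in roots}


OFFICE = r"C:\Program Files\Microsoft Office\Root\Office16"
DW = r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW"
REPORT_EVENTS = [  # transcribed from the report above
    {"pid": 2896, "parent": None, "image": OFFICE + r"\EXCEL.EXE",
     "cmdline": f'"{OFFICE}\\EXCEL.EXE" "C:\\Users\\Admin\\AppData\\Local\\Temp\\doc_pack-705805820.xls"'},
    {"pid": 2580, "parent": 2896, "image": DW + r"\DW20.EXE",
     "cmdline": f'"{DW}\\DW20.EXE" -x -s 4632'},
    {"pid": 2800, "parent": 2580, "image": r"C:\Windows\system32\dwwin.exe",
     "cmdline": r"C:\Windows\system32\dwwin.exe -x -s 4632"},
]
MACRO_EVENTS = [  # constructed contrast case, not from the report
    {"pid": 1000, "parent": None, "image": OFFICE + r"\EXCEL.EXE",
     "cmdline": f'"{OFFICE}\\EXCEL.EXE" "C:\\Users\\Admin\\Downloads\\invoice.xls"'},
    {"pid": 1004, "parent": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -c whoami"},
    {"pid": 1008, "parent": 1004, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c whoami"},
]

if __name__ == "__main__":
    for events in (REPORT_EVENTS, MACRO_EVENTS):
        _, roots = build_tree(events)
        for r in roots:
            print(render(r))
            print("verdict:", *classify(r), "\n")
```

Run as-is it prints both trees with their verdicts; the report's tree comes back "crashed" because its only descendants are DW20.EXE and dwwin.exe, while the constructed macro tree comes back "suspicious". Anything that falls into neither list lands in "review" rather than being silently accepted, which is the safer default when a new child image turns up.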