Analysis
-
max time kernel
104s -
max time network
131s -
platform
windows10_x64 -
resource
win10 -
submitted
20/10/2020, 23:08
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-670509438.xls
Resource
win7v200722
Behavioral task
behavioral2
Sample
doc_pack-670509438.xls
Resource
win10
General
-
Target
doc_pack-670509438.xls
-
Size
62KB
-
MD5
2bbe9c96cb3c7e3fc2b7a7e805dafada
-
SHA1
b24fd6468066fb60e89f926d8f610478746f2f66
-
SHA256
929ba51bad648fcdee510ad3a47bafbf3649baeac7af4397f32b3dd03bd8ec62
-
SHA512
419a7432ccb972f97f0c6caee9098dbf2a66a17c3f33c50e9c5379c8eb2a21a11bf84c71fd278b2bb531c395379950ecaaecb6a698e4cb872987c097691ae468
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2672 3908 DW20.EXE 66 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3908 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3908 EXCEL.EXE 3908 EXCEL.EXE 2788 dwwin.exe 2788 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE 3908 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3908 wrote to memory of 2672 3908 EXCEL.EXE 76 PID 3908 wrote to memory of 2672 3908 EXCEL.EXE 76 PID 2672 wrote to memory of 2788 2672 DW20.EXE 77 PID 2672 wrote to memory of 2788 2672 DW20.EXE 77
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-670509438.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 44602⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 44603⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788
-
-