Analysis

  • max time kernel: 104s
  • max time network: 131s
  • platform: windows10_x64
  • resource: win10
  • submitted: 20/10/2020, 23:08

General

  • Target: doc_pack-670509438.xls
  • Size: 62KB
  • MD5: 2bbe9c96cb3c7e3fc2b7a7e805dafada
  • SHA1: b24fd6468066fb60e89f926d8f610478746f2f66
  • SHA256: 929ba51bad648fcdee510ad3a47bafbf3649baeac7af4397f32b3dd03bd8ec62
  • SHA512: 419a7432ccb972f97f0c6caee9098dbf2a66a17c3f33c50e9c5379c8eb2a21a11bf84c71fd278b2bb531c395379950ecaaecb6a698e4cb872987c097691ae468

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-670509438.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4460
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 4460
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2788

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2788-9-0x0000023A0BA40000-0x0000023A0BA41000-memory.dmp (Filesize: 4KB)
  • memory/2788-6-0x0000023A0B320000-0x0000023A0B321000-memory.dmp (Filesize: 4KB)
  • memory/2788-7-0x0000023A0B320000-0x0000023A0B321000-memory.dmp (Filesize: 4KB)
  • memory/2788-12-0x0000023A0BE40000-0x0000023A0BE41000-memory.dmp (Filesize: 4KB)
  • memory/2788-14-0x0000023A0BE40000-0x0000023A0BE41000-memory.dmp (Filesize: 4KB)
  • memory/2788-16-0x0000023A0BD10000-0x0000023A0BD11000-memory.dmp (Filesize: 4KB)
  • memory/2788-17-0x0000023A0BD10000-0x0000023A0BD11000-memory.dmp (Filesize: 4KB)
  • memory/2788-18-0x0000023A0BD10000-0x0000023A0BD11000-memory.dmp (Filesize: 4KB)
  • memory/2788-19-0x0000023A0B980000-0x0000023A0B981000-memory.dmp (Filesize: 4KB)
  • memory/3908-1-0x00000204889DD000-0x00000204889E2000-memory.dmp (Filesize: 20KB)
  • memory/3908-0-0x00007FF8E20E0000-0x00007FF8E27A6000-memory.dmp (Filesize: 6.8MB)