Analysis
-
max time kernel
75s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
20/10/2020, 23:08
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-640927368.xls
Resource
win7
Behavioral task
behavioral2
Sample
doc_pack-640927368.xls
Resource
win10v200722
General
-
Target
doc_pack-640927368.xls
-
Size
62KB
-
MD5
a9a4dc13d6aa1048cbe6fee8b677cc8a
-
SHA1
b2d43ee61a085649be172f235bafd0bf69a9a449
-
SHA256
37cad4af392fa67e5bb0d8df00139c1f4466c35c61310ed8e29ea89b90cdf6b5
-
SHA512
9ed8ae58eb7b737190ea4772dbe388b29fc1ae75751005b404dd6f81603219a3e87cdcfac0513baf46c6384eb9e28d3d9b8f5fea1da2c8e05dfd34768dc07ecb
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 2176 3488 DW20.EXE 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3488 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3488 EXCEL.EXE 3488 EXCEL.EXE 2212 dwwin.exe 2212 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE 3488 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3488 wrote to memory of 2176 3488 EXCEL.EXE 79 PID 3488 wrote to memory of 2176 3488 EXCEL.EXE 79 PID 2176 wrote to memory of 2212 2176 DW20.EXE 80 PID 2176 wrote to memory of 2212 2176 DW20.EXE 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-640927368.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 47282⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 47283⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
-