Analysis

max time kernel: 142s
max time network: 144s
platform: windows10_x64
resource: win10
submitted: 20/10/2020, 22:25
Static task      static1
Behavioral task  behavioral1   Sample: doc_pack-380226848.xls   Resource: win7v200722
Behavioral task  behavioral2   Sample: doc_pack-380226848.xls   Resource: win10
General

Target: doc_pack-380226848.xls
Size: 62KB
MD5: 297cc8eba56c3356931aaad9aacc3e58
SHA1: cf19fa2782636416539b04b79035e2f10605e8bb
SHA256: 3129693214d8802e97e251e12a6315edabc4e56cbc50d28053e23adf1f47d184
SHA512: 4d442dafe6e04b7da35c8167a1a342154c12cb5c7f4bd24f32273772db99b91c4155da899caa8afb704a5b490eb4e32b3d54199a6a537c52623e479ea061f1e4
Malware Config
Signatures

Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless, for example, the parent process crashes. DW20.EXE is the Microsoft Office error-reporting client, so Excel launching it while opening the sample means Excel crashed. That typically indicates the parent process was unsuccessfully compromised: a crash instead of a running payload usually points to a failed exploit or to content Excel could not parse, and the process tree shows no other child of EXCEL.EXE.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2780 | 3900 | DW20.EXE | 66

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. The same keys are read by plenty of benign software, so on its own this is a weak signal; here every read comes from EXCEL.EXE itself, not from a dropped payload.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3900 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3900 | EXCEL.EXE (2 entries)
2840 | dwwin.exe (2 entries)

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
3900 | EXCEL.EXE (8 entries, all from the same process)

Suspicious use of WriteProcessMemory (4 IoCs)
Each write goes from a parent into the child it has just created, which is normal CreateProcess behaviour and matches the process tree exactly, so this is not by itself evidence of injection.
description | pid | Process | procid_target
PID 3900 wrote to memory of 2780 | 3900 | EXCEL.EXE | 76 (2 entries)
PID 2780 wrote to memory of 2840 | 2780 | DW20.EXE | 77 (2 entries)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3900)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-380226848.xls"
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (PID 2780, child of 1)
      Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4440
      - Process spawned suspicious child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\dwwin.exe (PID 2840, child of 2)
         Command line: C:\Windows\system32\dwwin.exe -x -s 4440
         - Suspicious behavior: EnumeratesProcesses
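The two behaviours the signatures key on (an Office process reading the CPU and BIOS description keys, and Excel handing off to the error-reporting tool DW20.EXE, which in turn starts dwwin.exe) are what a detection engineer would turn into rules over endpoint process and registry telemetry. The Python below is an added example written for this page; it is not code from the sandbox vendor or from the report. Its event records are constructed from the PIDs, image paths, command lines and registry keys shown above, and the field names (pid, ppid, image, cmdline) are an assumption rather than any sandbox's export format. The crash rule walks up the parent chain so that dwwin.exe, whose direct parent is DW20.EXE rather than Excel, is still attributed to the Excel process and to the document it was opened with.

```python
import re

# Constructed from the process tree above; field names are an assumption.
PROCESS_EVENTS = [
    {"pid": 3900, "ppid": 1000,  # parent pid of Excel is not on the page; placeholder
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\doc_pack-380226848.xls"'},
    {"pid": 2780, "ppid": 3900,
     "image": r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4440'},
    {"pid": 2840, "ppid": 2780,
     "image": r"C:\Windows\system32\dwwin.exe",
     "cmdline": r"C:\Windows\system32\dwwin.exe -x -s 4440"},
]

# Constructed from the registry IoCs above: (pid, operation, key path).
REGISTRY_EVENTS = [
    (3900, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    (3900, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    (3900, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (3900, "Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),
    (3900, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"),
    (3900, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
ERROR_REPORTING_IMAGES = {"dw20.exe", "dwwin.exe", "werfault.exe"}
# CPU and BIOS description keys commonly read to fingerprint a sandbox or VM.
FINGERPRINT_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\(CENTRALPROCESSOR\\\d+|BIOS)(\\|$)",
    re.IGNORECASE)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def office_ancestor(pid, by_pid):
    """Walk the parent chain from pid; return the first Office pid met, else None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if image_name(by_pid[pid]["image"]) in OFFICE_IMAGES:
            return pid
        pid = by_pid[pid]["ppid"]
    return None


def office_crash_chains(events):
    """(office_pid, reporter_pid) for every error-reporting process under an Office app."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) in ERROR_REPORTING_IMAGES:
            office = office_ancestor(e["ppid"], by_pid)
            if office is not None:
                hits.append((office, e["pid"]))
    return hits


def opened_document(event):
    """First non-switch argument after the image: the document Office was launched with."""
    args = split_args(event["cmdline"])
    return next((a for a in args[1:] if not a.startswith(("-", "/"))), None)


def fingerprint_reads(reg_events):
    """Count CPU/BIOS description reads per pid; a weak signal on its own."""
    counts = {}
    for pid, _operation, key in reg_events:
        if FINGERPRINT_KEY.match(key):
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def triage(proc_events, reg_events):
    """Evaluate both rules and return the findings as plain dicts."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for office_pid, reporter_pid in office_crash_chains(proc_events):
        findings.append({"rule": "office_crashed_on_document",
                         "office_pid": office_pid,
                         "reporter": image_name(by_pid[reporter_pid]["image"]),
                         "document": opened_document(by_pid[office_pid])})
    for pid, count in fingerprint_reads(reg_events).items():
        findings.append({"rule": "hardware_fingerprint_reads", "pid": pid, "count": count})
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(finding)
```

Run against the constructed events, the crash rule fires twice (DW20.EXE and dwwin.exe, both attributed to Excel PID 3900 and to doc_pack-380226848.xls), and the fingerprint rule reports six reads by PID 3900. The crash finding is the one worth alerting on, because it names the document that brought Excel down; the registry count only becomes interesting when the reading process is something other than the Office application itself.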