Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
20/10/2020, 22:28
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-425070766.xls
Resource
win7
Behavioral task
behavioral2
Sample
doc_pack-425070766.xls
Resource
win10v200722
General
-
Target
doc_pack-425070766.xls
-
Size
62KB
-
MD5
a1aec5751ac217b8a015117c85d14bc5
-
SHA1
60259e906df99eb3e8bb45dd00afa0fd45c6f2e2
-
SHA256
2d340059906002683010bbb6dc8b006d577b3d19f8a9a4be139f75d94034d92e
-
SHA512
4c06f52a9bed6e98142055cd4ecff3a9ca1e342e43a7f1b2ea05e43a747f5a9d9c6ab188c304d0d9ce6cb680017802d1661515d77fb25542bd9cdc152974247f
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4020 3876 DW20.EXE 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3876 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3876 EXCEL.EXE 3876 EXCEL.EXE 1236 dwwin.exe 1236 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE 3876 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3876 wrote to memory of 4020 3876 EXCEL.EXE 79 PID 3876 wrote to memory of 4020 3876 EXCEL.EXE 79 PID 4020 wrote to memory of 1236 4020 DW20.EXE 80 PID 4020 wrote to memory of 1236 4020 DW20.EXE 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-425070766.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 47322⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 47323⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236
-
-