Analysis
-
max time kernel
85s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
20/10/2020, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
doc_pack-329653596.xls
Resource
win7
Behavioral task
behavioral2
Sample
doc_pack-329653596.xls
Resource
win10v200722
General
-
Target
doc_pack-329653596.xls
-
Size
62KB
-
MD5
f9f36e3052e281bc1c8e58a8e944d439
-
SHA1
e1a370ac15c32b833eb29664767d9963cc84e566
-
SHA256
c478ba5a626fc1bf7d3a08865c0ee00050425c2997a80bdc32d0d21641fdc86f
-
SHA512
3cc59bdbde2af30f07e66df557334069cc44f66716f13675e33f6c411ccc96cbcb70b68893a2198f4cca1e9ded3845c8553bb912fefb8e27fe95c9097f8b4ea7
Malware Config
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3672 4028 DW20.EXE 65 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4028 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4028 EXCEL.EXE 4028 EXCEL.EXE 3108 dwwin.exe 3108 dwwin.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE 4028 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4028 wrote to memory of 3672 4028 EXCEL.EXE 79 PID 4028 wrote to memory of 3672 4028 EXCEL.EXE 79 PID 3672 wrote to memory of 3108 3672 DW20.EXE 80 PID 3672 wrote to memory of 3108 3672 DW20.EXE 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-329653596.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 46882⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 46883⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108
-
-