Analysis
max time kernel: 76s
max time network: 150s
platform: windows10_x64
resource: win10v200722
submitted: 20/10/2020, 22:22
Static task: static1
Behavioral task: behavioral1
  Sample: doc_pack-338473204.xls
  Resource: win7
Behavioral task: behavioral2
  Sample: doc_pack-338473204.xls
  Resource: win10v200722
General
Target: doc_pack-338473204.xls
Size: 62KB
MD5: 9f30b8d60e204ac7c7aefc0428a59ef8
SHA1: 1fc99e1421d623d6922b099d998f16fef211e189
SHA256: b90c0dca68c53dafc2d37e3a717e9e0453f674df98c0fcaaaf81a9d194f31caa
SHA512: 7428bb7f0cf762b944b8b0464dac8f9fcc234ad0a444177024a0d7fc3555e37130da18cf854cdb524bd913cfe34151c66dab4ec62626d3c8ecb30a6530237af2
Malware Config
Signatures

Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3492 | 3488 | DW20.EXE | 65
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  3488 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3488 | EXCEL.EXE (2 entries)
  4012 | dwwin.exe (2 entries)

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  3488 | EXCEL.EXE (8 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3488 wrote to memory of 3492 | 3488 | EXCEL.EXE | 79
  PID 3488 wrote to memory of 3492 | 3488 | EXCEL.EXE | 79
  PID 3492 wrote to memory of 4012 | 3492 | DW20.EXE | 80
  PID 3492 wrote to memory of 4012 | 3492 | DW20.EXE | 80
Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-338473204.xls"
  PID: 3488
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE (depth 2, child of PID 3488)
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4732
    PID: 3492
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\dwwin.exe (depth 3, child of PID 3492)
      Command line: C:\Windows\system32\dwwin.exe -x -s 4732
      PID: 4012
      - Suspicious behavior: EnumeratesProcesses