Analysis

  • max time kernel
    76s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    20/10/2020, 22:22

General

  • Target

    doc_pack-338473204.xls

  • Size

    62KB

  • MD5

    9f30b8d60e204ac7c7aefc0428a59ef8

  • SHA1

    1fc99e1421d623d6922b099d998f16fef211e189

  • SHA256

    b90c0dca68c53dafc2d37e3a717e9e0453f674df98c0fcaaaf81a9d194f31caa

  • SHA512

    7428bb7f0cf762b944b8b0464dac8f9fcc234ad0a444177024a0d7fc3555e37130da18cf854cdb524bd913cfe34151c66dab4ec62626d3c8ecb30a6530237af2

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\doc_pack-338473204.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4732
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 4732
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3488-0-0x00007FFCD30F0000-0x00007FFCD37B6000-memory.dmp

    Filesize

    6.8MB

  • memory/4012-5-0x00000202FEC20000-0x00000202FEC21000-memory.dmp

    Filesize

    4KB

  • memory/4012-6-0x0000020280A20000-0x0000020280A21000-memory.dmp

    Filesize

    4KB

  • memory/4012-7-0x0000020280A20000-0x0000020280A21000-memory.dmp

    Filesize

    4KB

  • memory/4012-9-0x0000020280D10000-0x0000020280D11000-memory.dmp

    Filesize

    4KB

  • memory/4012-10-0x0000020280D10000-0x0000020280D11000-memory.dmp

    Filesize

    4KB

  • memory/4012-11-0x0000020280D10000-0x0000020280D11000-memory.dmp

    Filesize

    4KB

  • memory/4012-12-0x0000020280960000-0x0000020280961000-memory.dmp

    Filesize

    4KB