Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 17:05
Static task
static1
Behavioral task
behavioral1
Sample
fb29c33662a5cb0c39d2e96907b963b3.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
fb29c33662a5cb0c39d2e96907b963b3.xlsm
Resource
win10v2004-20231215-en
General
-
Target
fb29c33662a5cb0c39d2e96907b963b3.xlsm
-
Size
6KB
-
MD5
fb29c33662a5cb0c39d2e96907b963b3
-
SHA1
851d394b9b76a4335a6bb0f239220db31e3c738e
-
SHA256
d2b44e4232accfa49dd0169f0a0c16f2f65c613b2560529562821cf58edd4998
-
SHA512
b67b18e9dfe5a5c388001f4b03a64936f02834736db4af3774c1d27d420eaba72de2b0ee3bd32983883b9ea2e2485b1cf2fb9bde345de9f738ba42a1c166c794
-
SSDEEP
192:NDSIuSlUbrA2OmmfR+G8UhHFBFYu+Ab98yl1Yx+C0:NfuvM2wb1FYub98y7J
Malware Config
Extracted
http://46.17.98.187/index.php
Signatures
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 100 2724 DW20.EXE 23 -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dwwin.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dwwin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwwin.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2724 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE 2724 EXCEL.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2724 wrote to memory of 100 2724 EXCEL.EXE 93 PID 2724 wrote to memory of 100 2724 EXCEL.EXE 93 PID 100 wrote to memory of 4892 100 DW20.EXE 94 PID 100 wrote to memory of 4892 100 DW20.EXE 94
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\fb29c33662a5cb0c39d2e96907b963b3.xlsm"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 35282⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\system32\dwwin.exeC:\Windows\system32\dwwin.exe -x -s 35283⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4892
-
-