Analysis
- max time kernel: 49s
- max time network: 40s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 02:06
Behavioral task: behavioral1
- Sample: d4dd435dc4fce8abbb37ead140e1ac4a7a3a390865153731c486e45cb2a5e375.xlsm
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: d4dd435dc4fce8abbb37ead140e1ac4a7a3a390865153731c486e45cb2a5e375.xlsm
- Resource: win10v2004-20240226-en
General
- Target: d4dd435dc4fce8abbb37ead140e1ac4a7a3a390865153731c486e45cb2a5e375.xlsm
- Size: 92KB
- MD5: 22ea4d81054fa5ba008fb0a3b1773c13
- SHA1: 10ee09d10820645e95b6f4da75647eb4d8674973
- SHA256: d4dd435dc4fce8abbb37ead140e1ac4a7a3a390865153731c486e45cb2a5e375
- SHA512: dfc571226fea768eb5c7cd068c22c57764d76fa09bd16b0cd974aa47e331685760fe0f0a6b47d9705993041e2ddbcca09879aaf31e24e34efc33a91a9f8b952d
- SSDEEP: 1536:CguZCa6S5khUIvtUK+blect4znOSjhLM+vGa/M1NIpPkUlB7583fjncFYIIoIFn:CgugapkhlvZSe4aPjpM+d/Ms8ULavLcQ
Malware Config
Signatures
Process spawned suspicious child process (1 IoC)
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
description | pid | pid_target | Process | procid_target
- Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3264 | 3400 | DW20.EXE | 90
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dwwin.exe
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dwwin.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dwwin.exe
Enumerates system info in registry (2 TTPs, 5 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dwwin.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwwin.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
- 3400 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
- 3400 | EXCEL.EXE (4 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
- 3400 | EXCEL.EXE (2 entries)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
- 3400 | EXCEL.EXE (12 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
- PID 3400 wrote to memory of 3264 | 3400 | EXCEL.EXE | 95 (2 entries)
- PID 3264 wrote to memory of 3284 | 3264 | DW20.EXE | 96 (2 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\d4dd435dc4fce8abbb37ead140e1ac4a7a3a390865153731c486e45cb2a5e375.xlsm"
  PID: 3400
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3368
    PID: 3264
    Signatures:
    - Process spawned suspicious child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 3368
      PID: 3284
      Signatures:
      - Checks processor information in registry
      - Enumerates system info in registry
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4968 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  PID: 2292