d92c94030dca29964cb4e5cd8a31c6fc73ce0b0e01734450aed7e3327f132e78

General

Target

Document_314379760-Copy.xls
Size

59KB
MD5

24e2b1dc895e185efb45e60cda15abbf
SHA1

6e49f02ddab975d859f401d4ea59fb6fec37ce7f
SHA256

d92c94030dca29964cb4e5cd8a31c6fc73ce0b0e01734450aed7e3327f132e78
SHA512

93b0f7cb2c948123b7bd13db860b891686522a0bbc16890a6cbfcff1a4b0c91475f56d2b079612bd75daec415cf42688f82d202509533b3512cd4c80b7911b3e

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

WerFault.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	420	2148	WerFault.exe	EXCEL.EXE

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 420 created 2148 420 WerFault.exe EXCEL.EXE

description	pid	process	target process
PID 420 created 2148	420	WerFault.exe	EXCEL.EXE

ServiceHost packer 23 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2148-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-41-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-47-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2148-53-0x0000000000000000-mapping.dmp	servicehost

Process spawned suspicious child process 2 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXEDW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2180	1112	DW20.EXE	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2196	2148	DW20.EXE	EXCEL.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

420 2148 WerFault.exe EXCEL.EXE

pid	pid_target	process	target process
420	2148	WerFault.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

1112 EXCEL.EXE
2148 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

EXCEL.EXEdwwin.exeEXCEL.EXEdwwin.exe

pid	process
1112	EXCEL.EXE
1112	EXCEL.EXE
1356	dwwin.exe
1356	dwwin.exe
1112	EXCEL.EXE
1112	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
1876	dwwin.exe
1876	dwwin.exe
2148	EXCEL.EXE
2148	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid process

1112 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	process
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
1112	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEDW20.EXEdwwin.exeEXCEL.EXEDW20.EXE

description	pid	process	target process
PID 1112 wrote to memory of 2180	1112	EXCEL.EXE	DW20.EXE
PID 1112 wrote to memory of 2180	1112	EXCEL.EXE	DW20.EXE
PID 2180 wrote to memory of 1356	2180	DW20.EXE	dwwin.exe
PID 2180 wrote to memory of 1356	2180	DW20.EXE	dwwin.exe
PID 1356 wrote to memory of 2148	1356	dwwin.exe	EXCEL.EXE
PID 1356 wrote to memory of 2148	1356	dwwin.exe	EXCEL.EXE
PID 1356 wrote to memory of 2148	1356	dwwin.exe	EXCEL.EXE
PID 2148 wrote to memory of 2196	2148	EXCEL.EXE	DW20.EXE
PID 2148 wrote to memory of 2196	2148	EXCEL.EXE	DW20.EXE
PID 2196 wrote to memory of 1876	2196	DW20.EXE	dwwin.exe
PID 2196 wrote to memory of 1876	2196	DW20.EXE	dwwin.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Document_314379760-Copy.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4076
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4076
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3840
5⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 3840
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2148 -s 508
5⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:420

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
31bc270a7f359fd68833152f34498547

SHA1
2c022e12a928e1d90e9785ecfc9335fe3f73f038

SHA256
72cf4bea3be223eb27c72b4667b8ae013256497fd5515640411a0995f3a9c2e6

SHA512
1398d0628e19dcfa3b9fb57e16fd146c6f9d6af4f494d553d66fa11b857fd90cab0f9445c7d5fb7737445bb8ad98cbe6fd8e4e856819262c0a4bfc93493d385f

Download Submit
memory/420-58-0x0000018EFB040000-0x0000018EFB041000-memory.dmp

Filesize
4KB

Download
memory/1112-2-0x00007FFC48440000-0x00007FFC48A77000-memory.dmp

Filesize
6.2MB

Download
memory/1356-11-0x0000020A45E10000-0x0000020A45E11000-memory.dmp

Filesize
4KB

Download
memory/1356-6-0x0000020A45380000-0x0000020A45381000-memory.dmp

Filesize
4KB

Download
memory/1356-8-0x0000020A45AC0000-0x0000020A45AC1000-memory.dmp

Filesize
4KB

Download
memory/1356-12-0x0000020A45E10000-0x0000020A45E11000-memory.dmp

Filesize
4KB

Download
memory/1356-13-0x0000020A45E10000-0x0000020A45E11000-memory.dmp

Filesize
4KB

Download
memory/1356-5-0x0000020A45380000-0x0000020A45381000-memory.dmp

Filesize
4KB

Download
memory/1356-4-0x0000000000000000-mapping.dmp

Download
memory/1876-25-0x000001ADCCC80000-0x000001ADCCC81000-memory.dmp

Filesize
4KB

Download
memory/1876-54-0x000001ADCD690000-0x000001ADCD691000-memory.dmp

Filesize
4KB

Download
memory/1876-28-0x000001ADCD340000-0x000001ADCD341000-memory.dmp

Filesize
4KB

Download
memory/1876-24-0x0000000000000000-mapping.dmp

Download
memory/2148-35-0x0000000000000000-mapping.dmp

Download
memory/2148-44-0x0000000000000000-mapping.dmp

Download
memory/2148-31-0x0000000000000000-mapping.dmp

Download
memory/2148-32-0x0000000000000000-mapping.dmp

Download
memory/2148-34-0x0000000000000000-mapping.dmp

Download
memory/2148-33-0x0000000000000000-mapping.dmp

Download
memory/2148-21-0x00007FFC48440000-0x00007FFC48A77000-memory.dmp

Filesize
6.2MB

Download
memory/2148-36-0x0000000000000000-mapping.dmp

Download
memory/2148-38-0x0000000000000000-mapping.dmp

Download
memory/2148-41-0x0000000000000000-mapping.dmp

Download
memory/2148-40-0x0000000000000000-mapping.dmp

Download
memory/2148-42-0x0000000000000000-mapping.dmp

Download
memory/2148-43-0x0000000000000000-mapping.dmp

Download
memory/2148-20-0x0000000000000000-mapping.dmp

Download
memory/2148-46-0x0000000000000000-mapping.dmp

Download
memory/2148-45-0x0000000000000000-mapping.dmp

Download
memory/2148-39-0x0000000000000000-mapping.dmp

Download
memory/2148-37-0x0000000000000000-mapping.dmp

Download
memory/2148-50-0x0000000000000000-mapping.dmp

Download
memory/2148-49-0x0000000000000000-mapping.dmp

Download
memory/2148-48-0x0000000000000000-mapping.dmp

Download
memory/2148-47-0x0000000000000000-mapping.dmp

Download
memory/2148-51-0x0000000000000000-mapping.dmp

Download
memory/2148-52-0x0000000000000000-mapping.dmp

Download
memory/2148-53-0x0000000000000000-mapping.dmp

Download
memory/2180-3-0x0000000000000000-mapping.dmp

Download
memory/2196-23-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads