e3800768bbe39dd0cee94fc9b9c3302d025b66699b6c7d3ed322fb5a16eb8aad

General

Target

1E66C639F157FA066C2E4070A46CB0AF32548F4FBA63684120513433059CD26D.xlsm
Size

41KB
MD5

032734a3c93c44855955d4769b7ded98
SHA1

f38cd18659e0fb5d862bac1d9f24691dda4a292c
SHA256

1e66c639f157fa066c2e4070a46cb0af32548f4fba63684120513433059cd26d
SHA512

cd662cd2810fef6a50e9ad4fc9c43e2e56d6c6329a432a19709ea410e3cd8d6f5308a04a8f3f82604dea3e0c8aaa7b3d9959ad8815b097acf11207b32ba41ba9

Score

8^/10

macro xlm

Malware Config

Signatures

Suspicious Office macro 2 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\~ar1FFC.xar	office_xlm_macros
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\~ar1FFC.xar	office_macros

Process spawned suspicious child process 2 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXEDW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3228	4708	DW20.EXE	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1484	1168	DW20.EXE	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid process

4708 EXCEL.EXE
1168 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

EXCEL.EXEdwwin.exeEXCEL.EXEdwwin.exe

pid process

4708 EXCEL.EXE
4708 EXCEL.EXE
3828 dwwin.exe
3828 dwwin.exe
4708 EXCEL.EXE
4708 EXCEL.EXE
1168 EXCEL.EXE
1168 EXCEL.EXE
2244 dwwin.exe
2244 dwwin.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4708 EXCEL.EXE
4708 EXCEL.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

EXCEL.EXEEXCEL.EXE

pid	process
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE
1168	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EXCEL.EXEDW20.EXEdwwin.exeEXCEL.EXEDW20.EXE

description	pid	process	target process
PID 4708 wrote to memory of 3228	4708	EXCEL.EXE	DW20.EXE
PID 4708 wrote to memory of 3228	4708	EXCEL.EXE	DW20.EXE
PID 3228 wrote to memory of 3828	3228	DW20.EXE	dwwin.exe
PID 3228 wrote to memory of 3828	3228	DW20.EXE	dwwin.exe
PID 4708 wrote to memory of 4472	4708	EXCEL.EXE	splwow64.exe
PID 4708 wrote to memory of 4472	4708	EXCEL.EXE	splwow64.exe
PID 3828 wrote to memory of 1168	3828	dwwin.exe	EXCEL.EXE
PID 3828 wrote to memory of 1168	3828	dwwin.exe	EXCEL.EXE
PID 3828 wrote to memory of 1168	3828	dwwin.exe	EXCEL.EXE
PID 1168 wrote to memory of 1484	1168	EXCEL.EXE	DW20.EXE
PID 1168 wrote to memory of 1484	1168	EXCEL.EXE	DW20.EXE
PID 1484 wrote to memory of 2244	1484	DW20.EXE	dwwin.exe
PID 1484 wrote to memory of 2244	1484	DW20.EXE	dwwin.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1E66C639F157FA066C2E4070A46CB0AF32548F4FBA63684120513433059CD26D.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4728
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4728
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4392
5⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4392
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
MD5
31bc270a7f359fd68833152f34498547

SHA1
2c022e12a928e1d90e9785ecfc9335fe3f73f038

SHA256
72cf4bea3be223eb27c72b4667b8ae013256497fd5515640411a0995f3a9c2e6

SHA512
1398d0628e19dcfa3b9fb57e16fd146c6f9d6af4f494d553d66fa11b857fd90cab0f9445c7d5fb7737445bb8ad98cbe6fd8e4e856819262c0a4bfc93493d385f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excel8.0\MSForms.exd
MD5
4a0835c0f1552499a46ed37a261619da

SHA1
53d1a127a75a43f3cb73f215991854312fec2dfc

SHA256
c7c81b0a27aa2b76f165357467d96d33213517fa87eabe18452f35c8299e9f2f

SHA512
59bf4d132a56b904914363b2a88979bc71f353884d412cdd3f09549f55b207b6df9c349314faa161b899a1fa7c60a5b1450bc0336b4a9457c02e8162612ee646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Excel\~ar1FFC.xar
MD5
88ea9945350a93b2d12ff192b94043e7

SHA1
5dac1e4946dc09f18be5904c6184a1e8f33e4385

SHA256
e5bc7affdbd35eb0df22cfde052c17c843217cd5ec7deb15536ed094fdbce23d

SHA512
2a78e0f3aed66fda5e6665b1004bb9871af1b43b6089b11993bd2b049e2d3e37685ac140d88b00be80716796c47253320aa9252eb2632e55ad7cbccb9497b9ef

Download Submit
memory/1168-21-0x00007FF864080000-0x00007FF8646B7000-memory.dmp

Filesize
6.2MB

Download
memory/1168-20-0x0000000000000000-mapping.dmp

Download
memory/1484-26-0x0000000000000000-mapping.dmp

Download
memory/2244-34-0x000001E845C40000-0x000001E845C41000-memory.dmp

Filesize
4KB

Download
memory/2244-27-0x0000000000000000-mapping.dmp

Download
memory/2244-28-0x000001E845160000-0x000001E845161000-memory.dmp

Filesize
4KB

Download
memory/2244-31-0x000001E845840000-0x000001E845841000-memory.dmp

Filesize
4KB

Download
memory/2244-36-0x000001E845AF0000-0x000001E845AF1000-memory.dmp

Filesize
4KB

Download
memory/3228-3-0x0000000000000000-mapping.dmp

Download
memory/3828-8-0x000001FAB1B10000-0x000001FAB1B11000-memory.dmp

Filesize
4KB

Download
memory/3828-15-0x000001FAB1E50000-0x000001FAB1E51000-memory.dmp

Filesize
4KB

Download
memory/3828-14-0x000001FAB1E50000-0x000001FAB1E51000-memory.dmp

Filesize
4KB

Download
memory/3828-13-0x000001FAB1E50000-0x000001FAB1E51000-memory.dmp

Filesize
4KB

Download
memory/3828-11-0x000001FAB1F10000-0x000001FAB1F11000-memory.dmp

Filesize
4KB

Download
memory/3828-6-0x000001FAB1380000-0x000001FAB1381000-memory.dmp

Filesize
4KB

Download
memory/3828-5-0x000001FAB1380000-0x000001FAB1381000-memory.dmp

Filesize
4KB

Download
memory/3828-4-0x0000000000000000-mapping.dmp

Download
memory/4472-18-0x0000000000000000-mapping.dmp

Download
memory/4708-2-0x00007FF863EE0000-0x00007FF864517000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads