eecc250e3959ffaa3572218c0490ceb5c5597f11d4f6a225e13574ebdb3db71e

General

Target

eecc250e3959ffaa3572218c0490ceb5c5597f11d4f6a225e13574ebdb3db71e.xls
Size

4.8MB
MD5

90cede352673de54b372ca7bcd138ffc
SHA1

3ad05e2b6b5044d556aada87e3bfe93d2ea21f2c
SHA256

eecc250e3959ffaa3572218c0490ceb5c5597f11d4f6a225e13574ebdb3db71e
SHA512

30f585d3d138abfb2ee7c19079f25b19e3245a016e6d04038603f633823bccc338711c8d19bd12f8e897252acd5b8d4222f301ba711e865b79d0dc639f281ded
SSDEEP

98304:Ov4K91f7vFpQ+g8RFpiLd+8kLD84tCEr0RtNiC5eSsNMt+r+WC1HnKHnn3BBXXXs:OvpvFa+g8RWLdPk/84tCEr0RtNiC5eS9

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4132	4728	DW20.EXE	EXCEL.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwwin.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwwin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dwwin.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEdwwin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4728 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

EXCEL.EXE

pid process

4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE
4728 EXCEL.EXE

pid	process
4728	EXCEL.EXE

pid	process
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE

pid	process
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE
4728	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	process	target process
PID 4728 wrote to memory of 4132	4728	EXCEL.EXE	DW20.EXE
PID 4728 wrote to memory of 4132	4728	EXCEL.EXE	DW20.EXE
PID 4132 wrote to memory of 2744	4132	DW20.EXE	dwwin.exe
PID 4132 wrote to memory of 2744	4132	DW20.EXE	dwwin.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\eecc250e3959ffaa3572218c0490ceb5c5597f11d4f6a225e13574ebdb3db71e.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 2112
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 2112
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-147-0x0000000000000000-mapping.dmp

Download
memory/4132-141-0x0000000000000000-mapping.dmp

Download
memory/4132-152-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4132-151-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4132-150-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4132-149-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4728-136-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4728-139-0x0000021818030000-0x0000021818034000-memory.dmp

Filesize
16KB

Download
memory/4728-140-0x000002181B49F000-0x000002181B4A1000-memory.dmp

Filesize
8KB

Download
memory/4728-138-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/4728-137-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

Filesize
64KB

Download
memory/4728-148-0x000002181B769000-0x000002181B76B000-memory.dmp

Filesize
8KB

Download
memory/4728-132-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4728-135-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4728-134-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download
memory/4728-133-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads