Analysis
-
max time kernel
146s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
-
submitted
19-03-2023 18:05
Static task
static1
Behavioral task
behavioral1
Sample
MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Resource
win10-20230220-en
Behavioral task
behavioral3
Sample
MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Resource
win10v2004-20230220-en
General
-
Target
MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
-
Size
1.7MB
-
MD5
e772d046be7fbfbe96e90eca5ab20566
-
SHA1
286d9bcf13c0cb309f9041f2ea03e5ce99848669
-
SHA256
92c7146dd4dd24206b2c0b9dee831bdd772eced8b8d5c67b3b73e31bababea82
-
SHA512
4c79623f6c7c557169da85715e69f387ef2d98a16ab35516768ef921e65e791d1301d2574a6703b1e7c9fb6902d69bef341908294ba31469e57321533de70103
-
SSDEEP
24576:G7wsfP/WNl5dgI/XvETj7g+bWfqHnm9yX1eeXqmqBXQ:G7T3WNdnn+gryHnmqXqm
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe, cmd.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1020 | 2292 | cmd.exe | EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3568 | 2292 | cmd.exe | EXCEL.EXE
-
Loads dropped DLL 2 IoCs
Processes: EXCEL.EXE
pid | process
2292 | EXCEL.EXE
2292 | EXCEL.EXE
-
Process spawned suspicious child process 1 IoCs
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Processes: DW20.EXE
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1660 | 2292 | DW20.EXE | EXCEL.EXE
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, dwwin.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dwwin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dwwin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dwwin.exe
-
Enumerates system info in registry 2 TTPs 5 IoCs
Processes: EXCEL.EXE, dwwin.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dwwin.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dwwin.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
2292 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: EXCEL.EXE
pid | process
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: EXCEL.EXE
description | pid | process
Token: SeDebugPrivilege | 2292 | EXCEL.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: EXCEL.EXE
pid | process
2292 | EXCEL.EXE
2292 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
pid | process
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
2292 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: EXCEL.EXE, cmd.exe, cmd.exe, DW20.EXE
description | pid | process | target process
PID 2292 wrote to memory of 1020 | 2292 | EXCEL.EXE | cmd.exe
PID 2292 wrote to memory of 1020 | 2292 | EXCEL.EXE | cmd.exe
PID 1020 wrote to memory of 1368 | 1020 | cmd.exe | certutil.exe
PID 1020 wrote to memory of 1368 | 1020 | cmd.exe | certutil.exe
PID 2292 wrote to memory of 3568 | 2292 | EXCEL.EXE | cmd.exe
PID 2292 wrote to memory of 3568 | 2292 | EXCEL.EXE | cmd.exe
PID 3568 wrote to memory of 3376 | 3568 | cmd.exe | certutil.exe
PID 3568 wrote to memory of 3376 | 3568 | cmd.exe | certutil.exe
PID 2292 wrote to memory of 1660 | 2292 | EXCEL.EXE | DW20.EXE
PID 2292 wrote to memory of 1660 | 2292 | EXCEL.EXE | DW20.EXE
PID 1660 wrote to memory of 2416 | 1660 | DW20.EXE | dwwin.exe
PID 1660 wrote to memory of 2416 | 1660 | DW20.EXE | dwwin.exe
Processes (indented by tree depth)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll"
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SYSTEM32\cmd.exe
  Command line: "cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appXMNGZCDUPG.txt C:\Users\Admin\Downloads\appXMNGZCDUPG.txt.xlsx
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\system32\certutil.exe
    Command line: certutil -decode C:\Users\Admin\Downloads\appXMNGZCDUPG.txt C:\Users\Admin\Downloads\appXMNGZCDUPG.txt.xlsx
-
  C:\Windows\SYSTEM32\cmd.exe
  Command line: "cmd.exe" /C certutil -decode C:\Users\Admin\Downloads\appXMNGZCDUPG.txt C:\Users\Admin\Downloads\appXMNGZCDUPG.txt.exe &
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\system32\certutil.exe
    Command line: certutil -decode C:\Users\Admin\Downloads\appXMNGZCDUPG.txt C:\Users\Admin\Downloads\appXMNGZCDUPG.txt.exe
-
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 5412
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\system32\dwwin.exe
    Command line: C:\Windows\system32\dwwin.exe -x -s 5412
    - Checks processor information in registry
    - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Filesize: 1.7MB
MD5: e772d046be7fbfbe96e90eca5ab20566
SHA1: 286d9bcf13c0cb309f9041f2ea03e5ce99848669
SHA256: 92c7146dd4dd24206b2c0b9dee831bdd772eced8b8d5c67b3b73e31bababea82
SHA512: 4c79623f6c7c557169da85715e69f387ef2d98a16ab35516768ef921e65e791d1301d2574a6703b1e7c9fb6902d69bef341908294ba31469e57321533de70103
-
C:\Users\Admin\AppData\Local\Temp\MV. NEW BRIDGE (EX THORCO SVENDBORG)..xll
Filesize: 1.7MB
MD5: e772d046be7fbfbe96e90eca5ab20566
SHA1: 286d9bcf13c0cb309f9041f2ea03e5ce99848669
SHA256: 92c7146dd4dd24206b2c0b9dee831bdd772eced8b8d5c67b3b73e31bababea82
SHA512: 4c79623f6c7c557169da85715e69f387ef2d98a16ab35516768ef921e65e791d1301d2574a6703b1e7c9fb6902d69bef341908294ba31469e57321533de70103
-
C:\Users\Admin\Downloads\appXMNGZCDUPG.txt
Filesize: 24KB
MD5: fbefbe8ae4a09ba8018b2d7ff9143f3e
SHA1: c03cd7561d6a64f754c65bda8faa5a434eb04e0b
SHA256: 881a15d10e000d20b2179290d340e1234f46301569f19e34fe06f82f37cb32c8
SHA512: 490167845d6930e10339e83a5e60181e78a718b8975eccb6bb104467020b4fd4b080be20e463e5bfe681549e843999a2b90b3f48db737229e8a0bdc198af7189
-
C:\Users\Admin\Downloads\appXMNGZCDUPG.txt
Filesize: 58B
MD5: 759d88148f2999ed1b1db44c9b1be24d
SHA1: 6a427759e0dfb9ebc2826a239dd3c7ffb2d39a36
SHA256: 22a3bb08dd922fa426a32104fb211b5b6897f286913f74e349c55dcec45e307c
SHA512: 0b3c1cbc98c7f6839b7654f80037e5efd0ea06a62ef3afb52423d27cd283aee4b844befed5fb0f1f65f89fe472a455a255f911e9a296206758e53666fdd5d852
-
C:\Users\Admin\Downloads\appXMNGZCDUPG.txt.xlsx
Filesize: 18KB
MD5: aea065e068a1c885c5c82b9da16de628
SHA1: f6c1af23d9e30b77160bf0da4f56eaef94d853c1
SHA256: fcd49a887692286cd815e911fd667f9323152c4d13e37020f065aabd023ab0ca
SHA512: 092247866bca90694c95e7d1db658baba7fd88c192fd8e2c132de896541b3a09b74b17055022dbb03789814a0a31c3ae57072e6ef6f3c88f2cd23c0ca8275c8a
-
memory/1660-179-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/1660-178-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/1660-177-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/1660-176-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/2292-138-0x00007FFA7CFF0000-0x00007FFA7D000000-memory.dmp
Filesize: 64KB
-
memory/2292-148-0x0000015352BA0000-0x0000015352BB0000-memory.dmp
Filesize: 64KB
-
memory/2292-149-0x0000015352BA0000-0x0000015352BB0000-memory.dmp
Filesize: 64KB
-
memory/2292-150-0x0000015352BA0000-0x0000015352BB0000-memory.dmp
Filesize: 64KB
-
memory/2292-151-0x0000015352BA0000-0x0000015352BB0000-memory.dmp
Filesize: 64KB
-
memory/2292-152-0x0000015352BA0000-0x0000015352BB0000-memory.dmp
Filesize: 64KB
-
memory/2292-144-0x0000015351030000-0x0000015351203000-memory.dmp
Filesize: 1.8MB
-
memory/2292-139-0x00007FFA7CFF0000-0x00007FFA7D000000-memory.dmp
Filesize: 64KB
-
memory/2292-133-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/2292-137-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/2292-136-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/2292-135-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB
-
memory/2292-134-0x00007FFA7F050000-0x00007FFA7F060000-memory.dmp
Filesize: 64KB