0f840c4fc62f7f42086ac5c70abe5da1e457260bdaaed07a8aa7d1bfac26ef87

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f840c4fc62f7f42086ac5c70abe5da1e457260bdaaed07a8aa7d1bfac26ef87.xlsb
Size

1.1MB
MD5

25f563b4d2e141908023a473eaa39819
SHA1

85cde7162b448c3a50f3a4d6af5859e70de6b0aa
SHA256

0f840c4fc62f7f42086ac5c70abe5da1e457260bdaaed07a8aa7d1bfac26ef87
SHA512

25aa3d54a141a56957617c00dae72c0ed046cf8019f3faab52c9ac11b9d2834dfdff0157dc3d7be8bf2193a7548bb320dad0ad1180dc90b57e36029d4cf3839c
SSDEEP

24576:uodXPBgSLkhfNnDwYe4WywYJo+mAb24UtXlXT0ns8/o3Hdb+/My:uI/PkpBwYTxJZNy4UtXJ0sAo5Jy

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2888	2164	DW20.EXE	27

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B8-8589-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ = "DImageComboEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\TypeLib\{A50BF67F-753C-4780-9024-E39E61AA7338}\2.0	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ = "ITreeViewEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A50BF67F-753C-4780-9024-E39E61AA7338}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Excel8.0\\MSForms.exd"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1DAC565E-D159-4B15-89DA-A4688918B5D3}\1.2\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA662-8594-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024518-0000-0000-C000-000000000046}\ = "IRefDummy"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ = "IStatusBar"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E7E2880-66A5-40E8-B204-87D1E0D6C0D0}\2.0\FLAGS	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\TypeLib\{A50BF67F-753C-4780-9024-E39E61AA7338}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1DAC565E-D159-4B15-89DA-A4688918B5D3}\1.2\HELPDIR	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\ = "IPanels"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2164	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2164	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2164	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE
2164	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1348	2164	EXCEL.EXE	28
PID 2164 wrote to memory of 1348	2164	EXCEL.EXE	28
PID 2164 wrote to memory of 1348	2164	EXCEL.EXE	28
PID 2164 wrote to memory of 1348	2164	EXCEL.EXE	28
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2164 wrote to memory of 2888	2164	EXCEL.EXE	33
PID 2888 wrote to memory of 1816	2888	DW20.EXE	34
PID 2888 wrote to memory of 1816	2888	DW20.EXE	34
PID 2888 wrote to memory of 1816	2888	DW20.EXE	34
PID 2888 wrote to memory of 1816	2888	DW20.EXE	34

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\0f840c4fc62f7f42086ac5c70abe5da1e457260bdaaed07a8aa7d1bfac26ef87.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1348
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1908
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1908
    3⤵
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259558535.cvr

Filesize
1KB

MD5
08d477e123760947cb8a64f896bc2535

SHA1
194c0b71bbcb856b2639430ef233675d83ada7d1

SHA256
93bb939282a73e59e1113db2bf4a495faa074e53ba297fa715239b70ff03de06

SHA512
3be0ca3c974230d84f17358f69b228e0d7f67aec4f9d42c9a5a6dedcba0606f0d09bcd714b009e148f14197878e9c1224bce924857ec7a7d6d1cd448fc28c54c

Download Submit
memory/2164-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2164-1-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/2164-9-0x00000000076D0000-0x00000000077D0000-memory.dmp

Filesize
1024KB

Download
memory/2164-14-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-15-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-16-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-17-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-18-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-19-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-20-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-21-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-22-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-23-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-24-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-25-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-26-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-28-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-29-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-30-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-27-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-32-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-31-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-34-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-36-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-33-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-35-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-37-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-39-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-38-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-40-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-41-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-42-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-43-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-44-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-45-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-46-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-47-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-48-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-49-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-50-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-51-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-52-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-53-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-55-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-58-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-56-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-57-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-59-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-60-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-62-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-61-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-64-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-63-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-54-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-65-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-66-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-67-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-68-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-69-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-70-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-71-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-73-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-72-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-75-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-74-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-76-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-78-0x0000000071E9D000-0x0000000071EA8000-memory.dmp

Filesize
44KB

Download
memory/2164-115-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-145-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-174-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-203-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-232-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-234-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-262-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-277-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-320-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-351-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-382-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-408-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-410-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-425-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-426-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-429-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-442-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-444-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-459-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-460-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-469-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-471-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-489-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-494-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-499-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-500-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-513-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-514-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-517-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-518-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-527-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-540-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-543-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-553-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-564-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-578-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-589-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-590-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-592-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-612-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-626-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-628-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-637-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-642-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-655-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-661-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-687-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-688-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-689-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-690-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-691-0x0000000006460000-0x0000000006660000-memory.dmp

Filesize
2.0MB

Download
memory/2164-692-0x0000000006360000-0x0000000006460000-memory.dmp

Filesize
1024KB

Download
memory/2164-694-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-696-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-714-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-715-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-716-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-717-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-718-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-719-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download
memory/2164-720-0x0000000007E10000-0x0000000008210000-memory.dmp

Filesize
4.0MB

Download