060da027a490aacf135d894ecf1f158568af1257d4003716cd93d416fa8f508d

General

Target

2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
Size

973KB
MD5

08d16f26dc58a3565b478a5ef975e844
SHA1

c47387a591bb42c39a43f90e30ef26e8726d8ca4
SHA256

060da027a490aacf135d894ecf1f158568af1257d4003716cd93d416fa8f508d
SHA512

be279977d3f916fd06097f0ab8d66d9380f0358ba40841bbc8c1a0c441a32f8b81ea82c7138a7b25e8f91cecc6732ccaef984a0ea3a74efeb9fd1c2045bd70c3
SSDEEP

12288:TEMdFhqCSBFbYJ3Kev5ZGbJMo4iP9HA8BuXvKBfFUl9v1RQ3l16WGZeo5iokzhVv:gMp+7YJ3KcQ5IiBurvHQVoWG0Pv

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2620	3056	DW20.EXE	27

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	EXCEL.EXE
3056	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3056	EXCEL.EXE
3056	EXCEL.EXE
3056	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 3056 wrote to memory of 2620	3056	EXCEL.EXE	28
PID 2620 wrote to memory of 2628	2620	DW20.EXE	29
PID 2620 wrote to memory of 2628	2620	DW20.EXE	29
PID 2620 wrote to memory of 2628	2620	DW20.EXE	29
PID 2620 wrote to memory of 2628	2620	DW20.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2d480c7b696975ed15cabc3709953ff3368ac88cdfcf66abd1841b1e8adbdceb.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 932
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 932
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259394281.cvr

Filesize
524B

MD5
7fb9b4f50d0cc416f72d5bef17025e49

SHA1
ec64b90173fda99b7552d2cf3c51803500216e0c

SHA256
477707bf7f1eeb65c47b9a76a92b622f50cce464f790e8b55aa7126c1c2652a3

SHA512
65dd84e67548715d490f2222169beb118e963a56f12913472f7196e5505caab490c7ca76c2f0e4c62f9d4b4f5392cd3969d81eb5f6c250c7f8497b90a5a8e612

Download Submit
memory/2628-4-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3056-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3056-1-0x0000000072A3D000-0x0000000072A48000-memory.dmp

Filesize
44KB

Download
memory/3056-5-0x0000000072A3D000-0x0000000072A48000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing