48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b

General

Target

48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll
Size

42KB
MD5

621e294da3d079e3d5b57836e487812a
SHA1

4652280ed016154900b0846f777278c0bab17453
SHA256

48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b
SHA512

99264960418691f2d3f374c8149fb1b7a0276fcd179a2bd9d945ddf92e88c68df6542d8ddc7ebb1c6d70f1c7fd9687f1ee102e71e69211ba20d0eb3928a6e30e
SSDEEP

768:Ybb75EEnHDxr5KI3dOm+I4oU5xWw4HPf84q+lniu82me6Y+V2kw53iGf2mmqSZO8:mtEEjxrMS+J52HX8Jme5rGXMygAm

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Loads dropped DLL 2 IoCs

Processes:

EXCEL.EXE

pid	Process
1728	EXCEL.EXE
1728	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2628	1728	DW20.EXE	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEDW20.EXEdwwin.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1728	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EXCEL.EXE

pid	Process
1728	EXCEL.EXE
1728	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1728	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid	Process
1728	EXCEL.EXE
1728	EXCEL.EXE
1728	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEDW20.EXE

description	pid	Process	procid_target
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 1728 wrote to memory of 2628	1728	EXCEL.EXE	32
PID 2628 wrote to memory of 3036	2628	DW20.EXE	33
PID 2628 wrote to memory of 3036	2628	DW20.EXE	33
PID 2628 wrote to memory of 3036	2628	DW20.EXE	33
PID 2628 wrote to memory of 3036	2628	DW20.EXE	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1916
  2⤵
  - Process spawned suspicious child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1916
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259467555.cvr

Filesize
620B

MD5
fadc2d539d8aae8a54b3a0ee5ae3023f

SHA1
340a08380b8705799cddf318d122faeff1510c92

SHA256
ae5c59b22e52b8c0b527f6786f2dcbbc0b31f1fa2d0e3b3669aedc8811324e3e

SHA512
aab17d4bb2bc94a1d865f8f272552eebd3528314c2f6025d70f17855c59ed1cefbbb9f67098c260ac826f15fb43d74fcb0ce645f5de15f737231b6daaa2f7976

Download Submit
\Users\Admin\AppData\Local\Temp\48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll

Filesize
42KB

MD5
621e294da3d079e3d5b57836e487812a

SHA1
4652280ed016154900b0846f777278c0bab17453

SHA256
48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b

SHA512
99264960418691f2d3f374c8149fb1b7a0276fcd179a2bd9d945ddf92e88c68df6542d8ddc7ebb1c6d70f1c7fd9687f1ee102e71e69211ba20d0eb3928a6e30e

Download Submit
memory/1728-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-1-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/1728-18-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/3036-21-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads