48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b

General

Target

48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll
Size

42KB
MD5

621e294da3d079e3d5b57836e487812a
SHA1

4652280ed016154900b0846f777278c0bab17453
SHA256

48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b
SHA512

99264960418691f2d3f374c8149fb1b7a0276fcd179a2bd9d945ddf92e88c68df6542d8ddc7ebb1c6d70f1c7fd9687f1ee102e71e69211ba20d0eb3928a6e30e
SSDEEP

768:Ybb75EEnHDxr5KI3dOm+I4oU5xWw4HPf84q+lniu82me6Y+V2kw53iGf2mmqSZO8:mtEEjxrMS+J52HX8Jme5rGXMygAm

Score

10^/10

discovery

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2744	EXCEL.EXE
2744	EXCEL.EXE

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2684	2744	DW20.EXE	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwwin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DW20.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2744	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2744	EXCEL.EXE
2744	EXCEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2744	EXCEL.EXE
2744	EXCEL.EXE
2744	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2744 wrote to memory of 2684	2744	EXCEL.EXE	31
PID 2684 wrote to memory of 2420	2684	DW20.EXE	32
PID 2684 wrote to memory of 2420	2684	DW20.EXE	32
PID 2684 wrote to memory of 2420	2684	DW20.EXE	32
PID 2684 wrote to memory of 2420	2684	DW20.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1212
  2⤵
  - Process spawned suspicious child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1212
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259494278.cvr

Filesize
620B

MD5
b64512ba3db6eec158841bf1fab44e32

SHA1
4a46354454ea6f020ad2d449f966425228d360e0

SHA256
0eeaa025374d1c13e2ef62af4b0473e0e7d6da3b33de7fb1f5477409c6945691

SHA512
c7bd2902be404b97bceef5ff541bff4bb431cac562375c463a4aa4fa2f090d08b647cffd9b0a0bf14f009eac6d173a94238f55b532e5c9fa003347b9cb564785

Download Submit
\Users\Admin\AppData\Local\Temp\48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b.xll

Filesize
42KB

MD5
621e294da3d079e3d5b57836e487812a

SHA1
4652280ed016154900b0846f777278c0bab17453

SHA256
48792bb5e220daf2e04bf812584f47e73e7bd2c82cd20c2f8c3aa924113f368b

SHA512
99264960418691f2d3f374c8149fb1b7a0276fcd179a2bd9d945ddf92e88c68df6542d8ddc7ebb1c6d70f1c7fd9687f1ee102e71e69211ba20d0eb3928a6e30e

Download Submit
memory/2420-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2744-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2744-1-0x00000000735FD000-0x0000000073608000-memory.dmp

Filesize
44KB

Download
memory/2744-23-0x00000000735FD000-0x0000000073608000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing