Help with Memory corruption exploitation event in excel.exe

tlmarques — Tue, 23 Jul 2024 12:07:08 GMT

Hi, I need your help.
When analyzing a Memory corruption exploitation event in excel.exe, the usually doesn't provide much information

I can only see in the graphical interface that the user executed Excel at that moment.

In my case, it shows that the user opened an Excel file that was on a file share.

I would like to know if anyone knows how I can obtain more data/information.
I downloaded all the Alert data...however, there is a lot of information that I can't understand.

In the alert data I've downloaded, is it possible to know if it was a macro or another process that caused this error?

some information below:

{ec:DSE:EcDsePipeline:} cgo: path: C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE signer_name: Microsoft Corporation hash_sha256: 32f8bf94bdd77fa972809f01c755e2f51453cc2e5e48a689d5828b9e97592d82 { severity:4 do_not_disable: friendlyName:excel_exploit technique_id: [T1204.002, T1588.005, T1588.006, ] tactic_id: [TA0002, ] action:block external_description:Memory corruption exploitation in excel.exe profile_override: } Full activation: bioc.excel_exploit

"files": [
{
"companyName": "Microsoft Corporation",
"fileName": "EXCEL.EXE",
"fileSize": "18379976",
"md5": "f123e71cf4b7a68eaf5506f545e7db61",
"rawFullPath": "C:\\Program Files (x86)\\Microsoft Office\\Office12\\EXCEL.EXE",
"sha256": "32f8bf94bdd77fa972809f01c755e2f51453cc2e5e48a689d5828b9e97592d82",
"signers": [
"Microsoft Corporation"
],
"version": "12.0.6787.5000",
"versionCopyright": "© 2006 Microsoft Corporation. All rights reserved.",
"versionDescription": "Microsoft Office Excel",
"versionInternalName": "Excel",
"versionOriginalName": "Excel.exe"
},
{
"companyName": "Microsoft Corporation",
"fileName": "splwow64.exe",
"fileSize": "133632",
"md5": "fba2ce5c57ca89584e2f2ec4adad324f",
"rawFullPath": "C:\\Windows\\splwow64.exe",
"sha256": "67376910254b65243f4aa4c2c4d338eb4beb4111d0a82ec48ae7d438f581203c",
"signers": [
"Microsoft Corporation"
],
"version": "10.0.17763.4644 (WinBuild.160101.0800)",
"versionCopyright": "© Microsoft Corporation. All rights reserved.",
"versionDescription": "Print driver host for applications",
"versionInternalName": "splwow64.exe",
"versionOriginalName": "splwow64.exe"
}
],
"ipBlocked": 0,
"isScan": 0,
"moduleId": 71,
"moduleStatusId": 3225419879,
"modules": [

Re: Help with Memory corruption exploitation event in excel.exe

tlmarques — Tue, 23 Jul 2024 12:16:46 GMT

maybe is this the problem???
Why is splwow64.exe being created when running Office 64-bit Word or - Microsoft Community

Re: Help with Memory corruption exploitation event in excel.exe

tlmarques — Tue, 23 Jul 2024 12:22:11 GMT

topic Re: Help with Memory corruption exploitation event in excel.exe in Cortex XDR Discussions

Help with Memory corruption exploitation event in excel.exe

Re: Help with Memory corruption exploitation event in excel.exe

Re: Help with Memory corruption exploitation event in excel.exe