
Offline proxx
Curious behaviour.
« on: November 25, 2014, 07:49:45 am »
On a server that multiple people work on, I noticed this weird behaviour.
An Excel instance starts under a random user; memory usage is ~6-10 MB, but CPU utilisation can spike through the roof, 40-60%.
When I kill it, it spawns under a different user who isn't even running Excel. Endless loop.
Kaspersky + MBAM can't find anything, but I am not convinced; this is strange behaviour.

Any suggestions where to look?
Deque?:P

*update.
I am running Process Explorer and didn't find any TCP connections; the best thing is the user is not even using any Office application.
Virus total scan of the process is 0/55.
I am stunned.

I am not saying it is malware per se, but the strangest thing is that as soon as I kill it the exe starts running as a different user...
« Last Edit: November 25, 2014, 09:07:36 am by proxx »
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Deque
Re: Curious behaviour.
« Reply #1 on: November 25, 2014, 09:29:57 am »
Hi proxx.

If you are suspecting malware, you might look out for Crigent:
http://www.crn.com.au/News/381440,warning-over-new-word-excel-malware.aspx
http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/

Use procmon to check the activities of the process: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Filter especially for file creations, registry changes, and start of subprocesses.

What is the exact name of the process?
Might also be that excel is just used to inject code into the process, or that the process is not actually excel. Look out for the right path and slight variations in the name.

Check out the registry for entries that are often used to start applications.
Malware might also reside in the registry without having any file on disk.

Edit: Use a rootkit scanner too. E.g. http://usa.kaspersky.com/downloads/TDSSKiller
Or AswMBR: http://www.bleepingcomputer.com/download/aswmbr/
« Last Edit: November 25, 2014, 09:33:59 am by Deque »
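One way to run the checks Deque lists (exact name and path, which account owns the process, what launched it, and the usual Run keys) from PowerShell, as an added example that is not part of the thread. It assumes Windows PowerShell 3 or later run as an administrator; the Office directory is an assumption and should be adjusted to the server's install.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 3+, run elevated.
$expectedDir = 'C:\Program Files\Microsoft Office'   # assumption: adjust to the real install path

# Match the genuine name and near-miss variants (excel.exe, exce1.exe, "excel .exe", ...)
$procs = Get-CimInstance Win32_Process | Where-Object { $_.Name -match '^exce[l1]\s*\.exe$' }

foreach ($p in $procs) {
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $inExpectedDir = $p.ExecutablePath -and
                     $p.ExecutablePath.StartsWith($expectedDir, 'OrdinalIgnoreCase')

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Path        = $p.ExecutablePath      # $null when the path cannot be read
        ExpectedDir = [bool]$inExpectedDir   # $false means "not where Office lives": look closer
        Owner       = "$($owner.Domain)\$($owner.User)"
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a (parent exited)' }
        CommandLine = $p.CommandLine
    }
}

# Autostart locations commonly used for persistence. A fileless entry typically shows up
# here as a command that launches powershell/mshta/rundll32 instead of a plain file path.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
```

HKCU only covers the account running the script; since the process respawns under other users, repeat the Run-key check against each logged-on user's hive under HKEY_USERS\<SID>, and compare the listed Path against the Office directory before trusting the EXCEL.EXE name.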

Offline proxx
Re: Curious behaviour.
« Reply #2 on: November 25, 2014, 05:15:23 pm »
Quote from: Deque on November 25, 2014, 09:29:57 am

Thank you :)
I will try to see where procmon leads me; the exact name is EXCEL.EXE, which is 'valid'.
Of course I will give you a sample if I can trace it down :)