Word Or Excel Spawns RunDLL32

I’m investigating an alert in IDR where the parent process Excel spawned a process RunDLL32.exe hotplug.dll,HotPlugSafeRemovalDriveNotification ESD-USB (D:)

The Excel document in the parent process was a .csv file so no VBA code.

The document in the parent process was never present on the USB drive.
So it seems very odd.

I think it is a false-positive but I’m wondering if anyone here might have some ideas about how I can figure out why the event happened.

Hey @aaron_denton,

Hard to say without looking at the log that fired off the detection, but the rule logic for that particular detection is the parent process is either winword or excel, so even though it was a .csv file, it was most likely opened by excel. Are you able to upload any information (without any identifying information that shouldn’t be posted on a public forum) so that I can see what the cmd line was or anything that can help?

Stephen,

I removed most of the environmental variables from the alert since I don’t think they are relevant.
All info has been replaced with fake username, hostname, and domain name.

  "hostname": "Laptop123",
  "dns_domain": "mydomain.local",
  "os_type": "WINDOWS",
  "r7_hostid": "11eedce9e4a45170...",
  "process": {
    "start_time": "2022-06-06T16:14:47.986Z",
    "name": "rundll32.exe",
    "pid": 1656,
    "r7_id": "e66055d1f610d3819cf332cde721b5220bbb125848db6...",
    "exe_path": "C:\\Windows\\System32\\rundll32.exe",
    "cmd_line": "\"C:\\WINDOWS\\System32\\RunDll32.exe\" C:\\WINDOWS\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification ESD-USB (D:)",
    "username": "MYDOMAIN\\john.doe",
    "session": 1,
    "exe_file": {
      "owner": "NT SERVICE\\TrustedInstaller",
      "orig_filename": "RUNDLL32.EXE",
      "description": "Windows host process (Rundll32)",
      "product_name": "Microsoft® Windows® Operating System",
      "version": "10.0.19041.746 (WinBuild.160101.0800)",
      "created": "2021-11-16T18:02:21.994Z",
      "last_modified": "2021-11-16T18:02:21.994Z",
      "size": 71680,
      "internal_name": "rundll",
      "hashes": {
        "md5": "ef3179d498793bf4234f708d3be28633",
        "sha256": "b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa",
        "sha1": "dd399ae46303343f9f0da189aee11c67bd868222"
      },
      "signing_status": "UNSIGNED"
    },
    "hash_reputation": {
      "reputation": "Known",
      "threat_level": "None",
      "reliability": "Very High",
      "first_analyzed_time": "2021-01-13T05:51:18.000Z",
      "engine_count": 25,
      "engine_match": 0,
      "engine_percent": 0
    }
  },
  "parent_process": {
    "start_time": "2022-06-06T16:13:45.084Z",
    "name": "EXCEL.EXE",
    "pid": 13348,
    "ppid": 13400,
    "r7_id": "0f28ff42f8e602acf860d81a6629c64e9b74a29b257...",
    "exe_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "cmd_line": "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" \"C:\\Users\\john.doe\\Documents\\File.csv\"",
    "username": "MEC-1\\john.doe",
    "session": 1,
    "exe_file": {
      "owner": "BUILTIN\\Administrators",
      "orig_filename": "Excel.exe",
      "description": "Microsoft Excel",
      "product_name": "Microsoft Office",
      "version": "16.0.14931.20132",
      "created": "2022-03-17T09:58:24.033Z",
      "last_modified": "2022-03-17T09:58:24.627Z",
      "size": 65340776,
      "internal_name": "Excel",
      "hashes": {
        "md5": "e52aaa0aca4ccc43af2fc0a4c3d75689",
        "sha256": "cfa43a5139266a18b7f7be17f0cc4caaca4d785b033feb75b230cdb7155bdf20",
        "sha1": "78fb6217adbac62bb6c9572e6303751f22e7a864"
      },
      "signing_status": "SIGNED_VALID",
      "signing_chain": [
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2010",
          "thumbprint": "5A257D333718C4B468A5DBC6643348AF667AEE3D"
        },
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2010",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "thumbprint": "8BFE3107712B3C886B1C96AAEC89984914DC9B6B"
        },
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "thumbprint": "3B1EFD3A66EA28B16697394703A72CA340A05BD5"
        }
      ],
      "countersigning_chain": [
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF-4BBC-9335, CN=Microsoft Time-Stamp Service",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time-Stamp PCA 2010",
          "thumbprint": "34A2F214EBABF43CA29A70786CAE64B34426AFD5"
        },
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time-Stamp PCA 2010",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "thumbprint": "36056A5662DCADECF82CC14C8B80EC5E0BCC59A6"
        },
        {
          "subject": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "issuer": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010",
          "thumbprint": "3B1EFD3A66EA28B16697394703A72CA340A05BD5"
        }
      ]
    }
  },
  "env_vars": [
    {
      "var": "ALLUSERSPROFILE",
      "val": "C:\\ProgramData"
    },
    {
      "var": "APPDATA",
      "val": "C:\\Users\\john.doe\\AppData\\Roaming"
    },
    {
      "var": "FPS_BROWSER_APP_PROFILE_STRING",
      "val": "Internet Explorer"
    },
    {
      "var": "FPS_BROWSER_USER_PROFILE_STRING",
      "val": "Default"
    },
   ...
    },
    {
      "var": "SESSIONNAME",
      "val": "Console"
    },
...

Thanks Aaron,

I’m taking a look now and will edit this reply with what I find.

Edit: Aaron, so I’ll state the obvious first: the log is showing “file.csv” having been launched, and then the rundll32 process launching after it, which in the command line shows hotplug.dll running HotPlugSafeRemovalDriveNotification. The command line shows the correct location for hotplug.dll, which is a legitimate Windows process. Now, this could happen in a few different scenarios, and with just this one log I can’t be sure, but here are some potential scenarios:

  1. The user opened file.csv and then removed a USB drive; since Excel was opened prior, Windows records that as the parent process. In short, two unrelated events are merged into one by the way Windows records parent and child processes.

  2. The user opened file.csv and then went to Save As, and ejected the USB drive from the “Save As” Windows Explorer screen when they noticed it was still plugged in.

  3. The user opened file.csv and, even though there was no VBA in the CSV, Excel might have a plugin or add-on that did something to the attached USB drive and it was forcefully ejected (software-wise, not physically ejected).

Again, these are just some potential scenarios, so I can’t say for sure whether it’s benign or a false positive, although the DLL files look like they are launching from the correct location in the cmd line. I would recommend you interview the user and get a timeline of the activity they did and what USB devices they have, in order to try and get a disposition on this.
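The checks Stephen walks through (is the DLL loaded from the real System32 path, is the export the one the shell uses for safe removal, what document did Excel have open, and how long after Excel started did rundll32 appear) can be scripted so the same questions get asked of every alert of this type. The helper below is an added example and is not part of the thread or of any Rapid7 tooling. It parses a trimmed copy of the alert JSON posted above; the `C:\Windows\System32` path, the `WINWORD`/`EXCEL` parent list and the one-entry allow-list of `hotplug.dll` exports are assumptions you would replace with your own baseline.

```python
"""Triage helper for a "Word or Excel spawns rundll32" alert (added example, not from the thread)."""
import json
import ntpath
import re
from datetime import datetime

# Assumptions: default %SystemRoot%, and the parent list the rule uses as described in the thread.
SYSTEM32 = r"c:\windows\system32"
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Allow-list of (dll, export) pairs the Windows shell uses for "safely remove hardware".
# Only the pair seen in this alert is listed; extend it from your own environment's baseline.
SHELL_HOTPLUG_EXPORTS = {("hotplug.dll", "hotplugsaferemovaldrivenotification")}

# rundll32 syntax: rundll32.exe <dll>,<export> [args]; the exe and dll may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Constructed sample: the alert posted in the thread, trimmed to the fields used here.
SAMPLE_ALERT = json.loads(r'''{
  "process": {
    "start_time": "2022-06-06T16:14:47.986Z",
    "name": "rundll32.exe",
    "cmd_line": "\"C:\\WINDOWS\\System32\\RunDll32.exe\" C:\\WINDOWS\\system32\\hotplug.dll,HotPlugSafeRemovalDriveNotification ESD-USB (D:)"
  },
  "parent_process": {
    "start_time": "2022-06-06T16:13:45.084Z",
    "name": "EXCEL.EXE",
    "cmd_line": "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\" \"C:\\Users\\john.doe\\Documents\\File.csv\""
  }
}''')


def parse_rundll32(cmd_line):
    """Split a rundll32 command line into DLL path, export name and trailing arguments."""
    m = RUNDLL_RE.match(cmd_line.strip())
    if not m:
        return None
    return {"dll": m["dll"], "export": m["export"], "args": m["args"] or ""}


def dll_in_system32(dll_path):
    """True when the DLL path, normalised for case, separators and '..', sits directly in System32."""
    norm = ntpath.normcase(ntpath.normpath(dll_path))
    return ntpath.dirname(norm) == SYSTEM32


def document_from_cmd_line(cmd_line):
    """Office is launched as "EXCEL.EXE" "document"; return the document argument, if any."""
    quoted = re.findall(r'"([^"]+)"', cmd_line)
    return quoted[-1] if len(quoted) > 1 else None


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def triage(alert):
    """Return a disposition plus the facts an analyst would want recorded in the ticket."""
    proc, parent = alert["process"], alert["parent_process"]
    findings = []

    if parent["name"].lower() not in OFFICE_PARENTS:
        findings.append(f"parent {parent['name']} is not WINWORD/EXCEL; the rule would not fire on it")

    parsed = parse_rundll32(proc["cmd_line"])
    if parsed is None:
        return {"disposition": "review", "findings": ["rundll32 command line did not parse"]}

    dll_name = ntpath.basename(parsed["dll"]).lower()
    in_sys32 = dll_in_system32(parsed["dll"])
    known_pair = (dll_name, parsed["export"].lower()) in SHELL_HOTPLUG_EXPORTS
    delta = (_ts(proc["start_time"]) - _ts(parent["start_time"])).total_seconds()
    doc = document_from_cmd_line(parent["cmd_line"])
    ext = ntpath.splitext(doc)[1].lower() if doc else ""

    findings.append(f"{doc or 'no document'} was opened {delta:.1f}s before rundll32 started")
    if ext == ".csv":
        findings.append("CSV carries no VBA, but Excel can still evaluate cell formulas in it")

    if in_sys32 and known_pair:
        disposition = "likely benign"
        findings.append("hotplug.dll loaded from System32 with the shell's safe-removal export, "
                        "consistent with a USB eject while Excel was open")
    else:
        disposition = "review"
        if not in_sys32:
            findings.append(f"DLL path {parsed['dll']} is outside System32")
        if not known_pair:
            findings.append(f"{dll_name},{parsed['export']} is not on the shell hotplug allow-list")

    return {"disposition": disposition, "dll": parsed["dll"], "export": parsed["export"],
            "device": parsed["args"], "seconds_after_parent": delta, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

The path check normalises case and resolves `..` before comparing, so a DLL referenced through `System32\..\somewhere` is not mistaken for the real one; the allow-list is deliberately tiny, because a rundll32 export you have never seen from Office should land in the "review" bucket rather than be waved through.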

First of all, thank you very much for the reply. That is exactly the info I was looking for.

I talked with the user, and they had their phone charging off their laptop during this time. It seems very likely that they disconnected the phone to run to a meeting, or to head home for the day.

I believe what happened is probably the first scenario you suggested.

Thank you.

@aaron_denton
The explanation given sounds reasonable. However, unfortunately CSV files can launch code when opened in Excel.

Thanks for the link, @matt_robinson, it’s a great read and ultimately I’m not surprised, lol.