Friday, September 1, 2017

Threat Round Up for Aug 25 - Sep 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 25 and September 1. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Downloader.TrickBot-6336123-0
    Downloader
    Campaigns continue to distribute new TrickBot samples through malspam & document based downloaders. This recent variant of downloader mimics account correspondence from a large financial institution, but the macro used for fetching a TrickBot sample has been stripped down to a simple deobfuscation & shell invocation.
     
  • Doc.Dropper.Agent-6336106-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.Obfuscation-6336014-0
    Office Macro
    This cluster of Office Macro documents use the same obfuscation technique to prevent quick analysis. Manual analysis of the obfuscation technique shows many variables and instructions that are not used or evaulated to junk code.
     
  • Doc.Trojan.Agent-6336128-0
    Office Macro based downloader
    This set of downloaders uses string obfuscation in VBA to build a download command for the shell and execute it with the VBA Shell function. It was recently observed delivering TrickBot among other paylods.
     
  • Vbs.Trojan.VBSTrojan-6336102-0
    Trojan
    This Visual Basic script downloader fetches a binary from the internet and install it into the system.
     
  • Win.Malware.Dinwod-6336124-0
    Dropper
    Dinwod is a polymorphic dropper. It copies modified versions of itself to the root directory then deletes the original file. The copies drop the payload DLL in the Windows directory, then force legitimate processes to run the payload via DLL injection.
     
  • Win.Trojan.AlmanCloud-6336008
    Trojan
    This is a Trojan. It contains many anti-debugging and anti-vm tricks to hinder the dynamic analysis and detect instrumented envrionments. The binary can try also to register itself as a Windows service and it modifies the host file. Moreover, it has functionalities to infect USB drives plugged to the victim's computer and it may work also as keylogger. Finally, it has code to contact remote servers and upload the collected information.
     
  • Win.Trojan.Cuegoe-6336130-0
    Trojan
    This is a trojan downloader. The payload varies and is unpacked inside a lengthy linear decryption routine.
     

Threats

Doc.Downloader.TrickBot-6336123-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Outlook_Perf_Library_Lock_PID_90c
IP Addresses
  • 210[.]16[.]102[.]251
  • 216[.]239[.]32[.]21
  • 93[.]114[.]64[.]118
  • 5[.]152[.]210[.]179
  • 146[.]255[.]36[.]1
Domain Names
  • evaluator-expert[.]ro
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\bicprcv.exe
  • %AppData%\winapp\Modules\systeminfo64
  • \srvsvc
  • %TEMP%\cdqfm.bat
  • %AppData%\winapp\group_tag
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\cdqfm.bat
  • %TEMP%\bicprcv.exe
  • %AppData%\winapp\Modules\injectDll64_configs\dpost
  • %AppData%\winapp\Modules\injectDll64_configs\dinj
  • %AppData%\winapp\aganpat.exe
  • %AppData%\winapp\Modules\injectDll64
  • %AppData%\winapp\client_id
  • %AppData%\winapp\ahboqbu.exe
  • %AppData%\winapp\Modules\injectDll64_configs\sinj
File Hashes
  • 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3
  • 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot






Doc.Dropper.Agent-6336106-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]27
  • 185[.]165[.]29[.]129
Domain Names
  • oceanclubsreloaded[.]us
  • oceanfreightclubs[.]ir
Files and or directories created
  • \TEMP\New Purchase Order.xls
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\OT[1].exe
  • %AppData%\Microsoft\Office\Recent\New Purchase Order.LNK
  • %AppData%\Microsoft\Office\Recent\272622119.xls.LNK
  • %TEMP%\wbfg.exe
File Hashes
  • 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0e
  • 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fb
  • 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923
  • a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5f
  • d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121
  • aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella





Doc.Macro.Obfuscation-6336014-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES
    • Value: 3488D8938CAA8400F802C2439F4B8FCDCE406396
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\3488D8938CAA8400F802C2439F4B8FCDCE406396
Mutexes
  • socket.1
  • socket.0
  • tty_list::mutex.0
  • socket.2
  • Global\刐ƶ
IP Addresses
  • 82[.]195[.]75[.]101
  • 91[.]219[.]237[.]229
  • 109[.]163[.]234[.]8
  • 38[.]229[.]72[.]16
  • 23[.]21[.]138[.]252
  • 31[.]185[.]104[.]20
  • 78[.]47[.]38[.]226
  • 104[.]20[.]73[.]28
  • 184[.]73[.]220[.]206
  • 46[.]28[.]110[.]244
  • 81[.]7[.]16[.]182
  • 198[.]199[.]64[.]217
  • 174[.]129[.]241[.]106
  • 50[.]19[.]238[.]1
  • 154[.]35[.]132[.]70
  • 62[.]210[.]92[.]11
  • 72[.]21[.]81[.]200
  • 151[.]80[.]42[.]103
  • 5[.]39[.]92[.]199
  • 86[.]59[.]21[.]38
  • 192[.]30[.]255[.]120
  • 192[.]30[.]255[.]121
  • 185[.]100[.]86[.]128
  • 144[.]76[.]163[.]93
  • 178[.]62[.]22[.]36
  • 104[.]20[.]74[.]28
  • 51[.]254[.]101[.]242
  • 46[.]252[.]26[.]2
  • 89[.]45[.]235[.]21
  • 192[.]168[.]1[.]1
  • 178[.]62[.]86[.]96
  • 178[.]62[.]197[.]82
  • 52[.]173[.]193[.]166
  • 192[.]168[.]1[.]255
  • 120[.]29[.]217[.]46
  • 138[.]201[.]14[.]197
  • 86[.]59[.]119[.]88
  • 192[.]30[.]255[.]113
  • 192[.]30[.]255[.]112
  • 85[.]25[.]116[.]81
  • 107[.]22[.]255[.]198
  • 23[.]23[.]170[.]235
  • 192[.]168[.]1[.]127
Domain Names
  • fv-st-konrad[.]de
  • www[.]fv-st-konrad[.]de
  • api[.]ipify[.]org
  • api[.]nuget[.]org
  • chocolatey[.]org
  • dist[.]torproject[.]org
Files and or directories created
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\cert8.db
  • %TEMP%\ts\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\SECURITY
  • %AppData%\MS\s\EXAMPLES
  • %AppData%\MS\s\socat.exe
  • %TEMP%\ts\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %AppData%\MS\Tor\tor.exe
  • %AppData%\tor\cached-microdescs.new
  • %AppData%\tor\lock
  • %TEMP%\ts\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\_rels\.rels
  • %AppData%\MS\Tor\libgcc_s_sjlj-1.dll
  • \TEMP\~$L Information.doc
  • %TEMP%\ts\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\Tasks\MRT
  • %System32%\Tasks\SC
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.xml
  • %AppData%\MS\Tor\libevent_core-2-0-5.dll
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.dll
  • %AppData%\MS\s\cygreadline7.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.xml
  • %AppData%\MS\Data\Tor\geoip6
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.dll
  • %WinDir%\AppCompat\Programs\RecentFileCache.bcf
  • %AppData%\MS\Tor\zlib1.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.SLCVvGfn.20170822125043.txt
  • %AppData%\tor\cached-microdesc-consensus
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\Tor\libevent-2-0-5.dll
  • %AppData%\MS\Tor\tor-gencert.exe
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16FC3937-61E8-4A38-8962-5CC96E748100}.tmp
  • %AppData%\MS\s\cygssl-1.0.0.dll
  • %TEMP%\ts\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_mshta.exe_b620274e31657385a0786969c6cab647bc5a5eb0_48824423\Report.wer
  • %TEMP%\ts\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\cygwrap-0.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygncursesw-10.dll
  • %AppData%\MS\s\VERSION
  • %AppData%\MS\Data\Tor\geoip
  • %AppData%\MS\s\README
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.xml
  • %TEMP%\ts\[Content_Types].xml
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.tnwsG1BN.20170822125100.txt
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygcrypto-1.0.0.dll
  • %AppData%\MS\Tor\libssp-0.dll
  • %TEMP%\ts\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \TEMP\DHL Information.doc
  • %TEMP%\ts\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libevent_extra-2-0-5.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\tor\cached-certs
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.PBM+k85t.20170822125056.txt
  • %TEMP%\ts\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
  • %AppData%\MS\s\BUGREPORTS
  • %TEMP%\ts\package\services\metadata\core-properties\b413d53c92364baa9958fdda02cd8e9a.psmdcp
  • %TEMP%\ts\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libeay32.dll
  • %TEMP%\ts\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\ssleay32.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\api_ipify_org[1].txt
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.xml
  • %AppData%\MS\s\FAQ
  • %TEMP%\ts\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.MiXmZ0jf.20170822125034.txt
  • %System32%\Tasks\SUT
  • %AppData%\tor\state
  • %TEMP%\ts\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\7238.exe
  • %TEMP%\CVRD4FC.tmp.cvr
  • %AppData%\MS\s\CHANGES
  • %TEMP%\ts\TaskScheduler.nuspec
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\MS\s\README.md
  • %AppData%\Microsoft\Office\Recent\DHL Information.LNK
File Hashes
  • bce01bde972b5d97e6bc163cd632fa7c2a1e9f1913abe69f8eb25d22a06063c8
  • 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd
  • 07b63a132b60b293532787b50c7765c6af9cebcc0449592ad31dec1198fc8b5a
  • 12c9ae29a83bf6ecf5766d9f51a2927d586bed20c3d37e4e150ffecadf8cd010
  • 2d1cbae9da80482fffdbbcc4f761e5b12ffbfeb2446026862d381ac80fa0f335
  • 4c5c70e7c517e35f93fd65aa493a9bbad63561ad7dc8b5235e23ca843c9c274e
  • 5d683f41aa10da94c4737aa8901fc92b93d4f5484f4728bcbd802b9336275d59
  • 8b3c33104719d76829977a595901992bb7183ded8f5d1ef379281c7c158ef803
  • 900df27eff06c022c5fc9f6ebdb6f5f1a1e9d65c2de1d5f6300c899937bb95e7
  • 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870
  • d3bc718d0cb24a9ffb25ae75d413f29fdb173e9174fd07d06ee8bb49ebec2330
  • e433044ade8b09c97cd4b2008bccb9f12d45e32f84a94efbc800754c58ed3eb2
  • efe8092be61ec8c11d6152fbf569517299f3a17322a14d5e1c13350ceaeac223
  • ff428dd61e1f50b36e6fc6707054840c0912455bea073edc5806467ca8cb7046
  • 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6b
  • 3724ecf98a0a71f54c227e00417bf0ea603ca480ac6db2a2708cc275f6227104
  • 44cd48611f0044d98082ba3dd816b61fe80ee91812fc05ee1f3f37690f51bacc
  • 488f6347913c580600ca24527ab8a0f3d2129c597a6398cc857eec4f1b0348c1
  • 4b9f88762b2eb226b86c5bb4ce04b4ffcd07d0e332bbc92ed6dd2d7d451c8269
  • 57c8d5b413e5ddc4bbf416ef8ac9b902eb1058e18b79e76ef5340c835c9cfa73
  • 6fe1e272df58349481d71357488f08fda7bf4709cd72be00ce5e42c244783649
  • 6fef1c02e5d06c9cd2b29fee73e796791b7b84a1875ff19296140d49823621ae
  • 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7
  • 8b0d3d287580a5095e92aaf357bb39e1ab754dd3eaa4ca9c2f7ee4727f5649dd
  • 8e03b31baaa847ffef1df04336d7629bd8c8ca169406768479114b91b96c9092

Coverage


Screenshots of Detection

AMP


ThreatGrid







Doc.Trojan.Agent-6336128-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 216[.]138[.]226[.]110
  • 64[.]182[.]208[.]181
  • 5[.]152[.]210[.]176
Domain Names
  • keybeautysystemswest[.]com
  • icanhazip[.]com
Files and or directories created
  • %AppData%\winapp\Nkahvx.exe
  • %AppData%\winapp\client_id
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Olaiwy.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\lubuj.bat
  • %AppData%\winapp\group_tag
  • %WinDir%\Tasks\services update.job
File Hashes
  • 9557c5337e1ebcc8dfe36e284be35c32ce22d2a4fbac56602d326598594899a8
  • b20fac264fb5724f17caafc34df08fc57879c0b30d360352a8e2b1ae3f9c2022
  • e77b85c8d93c7d1093eeea80621ad45ab3f091d537837a425b4e8829a2041aa4
  • fef300c8fad4477c75fd83aaa5a0033ee79c46e948148b4a7ed372943c306f5d

Coverage


Screenshots of Detection

AMP


Umbrella


Umbrella


Screenshot






Vbs.Trojan.VBSTrojan-6336102-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Mutexes
  • N/A
IP Addresses
  • 138[.]128[.]191[.]146
Domain Names
  • www[.]flemingz[.]com
  • flemingz[.]com
Files and or directories created
  • %TEMP%\ReAIquyDcG.exe
  • %TEMP%\ReAIquyDcG.exeA
File Hashes
  • 940723f511b9ecaf14478330baa01d4384f168de4b9c25a42e2865fde11067e4
  • 5bf717cf8794bc159f95b59fb73e46d8e46fcca03d5dca9b47d0b398fb9db17a
  • a9832474a614d15382a50954c3adf5ab7774698dcf57417c80f2abc640399639

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella






Win.Malware.Dinwod-6336124-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\jr8g6w6.exe
  • %SystemDrive%\3t9bd.exe
  • %SystemDrive%\dvdvv.exe
  • %SystemDrive%\69w460.exe
  • C:\Windows\friendl.dll
File Hashes
  • 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331a
  • 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b
  • 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17f
  • 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11
  • 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2e
  • 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad
  • 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6d
  • 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26
  • 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869
  • 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027

Coverage


Screenshots of Detection

AMP


ThreatGrid







Win.Trojan.AlmanCloud-6336008


Indicators of Compromise


Registry Keys
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider
  • <HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
Mutexes
  • \BaseNamedObjects\Global\RAS_MO_01
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\RAS_MO_02
IP Addresses
  • 148[.]81[.]111[.]121
Domain Names
  • klcwba[.]com
  • ajiyoh[.]com
  • dpwrjl[.]com
  • uatcte[.]com
  • imtxxh[.]com
  • lobsyb[.]com
  • xcckyn[.]com
  • uvebwz[.]com
  • iazfmh[.]com
  • zisbon[.]com
  • wyspqd[.]com
  • oeuuvh[.]com
  • udvjli[.]com
  • abvjlx[.]com
  • aoogeq[.]com
  • ilo[.]brenz[.]pl
  • lxoalw[.]com
  • wvnyqa[.]com
  • gnapgq[.]com
  • cxniir[.]com
  • gzoiji[.]com
  • rrbuas[.]com
  • tdsuye[.]com
  • kfgsia[.]com
  • vdbqhy[.]com
  • ygmyqt[.]com
  • upeuoz[.]com
  • eqyaud[.]com
  • wouaoc[.]com
  • omkbel[.]com
  • ioiufb[.]com
  • eyakmj[.]com
  • ukjqcx[.]com
  • twngee[.]com
  • bkegyi[.]com
  • dgyolj[.]com
  • ycztdl[.]com
  • dtptuw[.]com
  • aqqvuo[.]com
  • ioafts[.]com
  • caqiny[.]com
  • zqkqzt[.]com
  • dezims[.]com
  • ukngdn[.]com
  • ousvfo[.]com
  • bdgxqr[.]com
  • axqeuo[.]com
  • bidnxy[.]com
  • heuaot[.]com
  • gqugaq[.]com
  • aikuul[.]com
  • eiijba[.]com
  • qsjite[.]com
  • btaeqx[.]com
  • teioez[.]com
  • obwijg[.]com
Files and or directories created
  • %System32%\wbem\Logs\wbemess.log
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{684B4A19-F6D3-453D-B879-0BEB15FECE08}.FSD
  • %System32%\drivers\etc\hosts
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
  • \ntsvcs
  • %WinDir%\Prefetch\273142363.EXE-3748BAA7.pf
  • \lsass
File Hashes
  • a0fc82de8afd8ac9d2a9df4c5f94ea0d44abdad70af70624f168c3c34036d35b
  • 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830
  • 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38
  • 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4
  • f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella







Win.Trojan.Cuegoe-6336130-0


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Office\12.0\Word
  • HKU\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\D.tmp
  • %SystemDrive%\~$runme.docx
  • %SystemDrive%\runme.exe
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • %SystemDrive%\runme.docx (copy)
File Hashes
  • 73c4f4e0dbe8bb08fa68c7aa73e44651a322d5a04e462e546d6cf0c9e4897235
  • 6d20ac8668c1876117cfb7686d1dd71a82a88bc69595a9d698591a5ea41878b6
  • c8810c54be65f65747458e905afaaf534202d2c6bd5dc681309a1872042946b3
  • f3b527e625e6f198b5d44150bd4b5408935e57b7f7b395deba33f1662e2a2737
  • c95ad921fa61c90a84ce29748ee334827fab456bb5807ad2f3e5c688bc539903
  • 5f312c0ec89ad31cb819663059c97505cc72032f429cff33c61995ca651d52c0
  • afc27b6c6deace69313e1e164257ca0b5e5ce003c34c79ca1dc43dd67129f081
  • 55a8224f9b571776935e0340c9093b35b90b9138ef87e8484429b27c9ea61681
  • 9edbd6e5cf7cfa8f6c5ca9a80a487e420996cae0982fbcbfe72206c0b85845db
  • e0d385356bc5dc0a7619553d391259b8acd0f226dafb719b505bec4cba58fb46

Coverage


Screenshots of Detection

AMP


ThreatGrid


No comments:

Post a Comment