Threat Roundup for May 04

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

Win.Dropper.Zbot-6533101-0
Dropper
Zeus (AKA Zbot) is a trojan horse malware package used to carry out many malicious and criminal tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
Win.Dropper.Khalesi-6535750-0
Dropper
A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function, but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. They are commonly distributed via spam, drive-by downloads or embedded into games or internet-driven applications.
Win.Dropper.Gandcrab-6530134-0
Dropper
Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB" or ".CRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.

THREATS

Win.Dropper.Zbot-6533101-0

INDICATORS OF COMPROMISE

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyServer
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyOverride
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyEnable
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: AutoConfigURL
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value: SavedLegacySettings
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value: DefaultConnectionSettings
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value: CheckSetting
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value: CheckSetting
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value: CheckSetting
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value: CheckSetting
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value: CheckSetting
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value: CleanCookies
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: internat.exe
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: {1BBA4DA8-81FD-E86C-47AD-DE1A52F353F7}
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
Value: CachePrefix
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpNetbiosOptions
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpNameServerList
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpDefaultGateway
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpDomain
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpNameServer
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpSubnetMaskOpt
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
Value: DhcpInterfaceOptions
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
Value: CachePrefix
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
Value: DhcpDomain
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
Value: DhcpNameServer
<HKCU>\SOFTWARE\MICROSOFT\NAEGOP
Value: Kypuubb
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: UNCAsIntranet
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: ProxyBypass
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: IntranetName
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
Value: DhcpScopeID
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: ProxyBypass
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: IntranetName
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
Value: CachePrefix
<HKU>\Identities\{20DF22BC-6CEF-4DC3-9D67-B017F18A4D87}\Software\Microsoft\Outlook Express\5.0
<HKU>\Software\Microsoft\Bole
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4
Value: 1609
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4
Value: 1406
<HKU>\Software\Microsoft\Internet Explorer\PhishingFilter
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2
Value: 1609
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2
Value: 1406
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1
Value: 1609
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1
Value: 1406
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
Value: Collection
<HKCU>\SOFTWARE\MICROSOFT\Naegop
<HKCU>\SOFTWARE\Microsoft\Naegop
<HKU>\Software\Microsoft\Internet Explorer\Privacy
<HKCU>\Software\Microsoft\Windows\Currentversion\Run
<HKU>\Software\Microsoft\WAB\WAB4
<HKU>\Software\Microsoft\Windows\CurrentVersion\Run
<HKCU>\Software\Microsoft\Internet Explorer\Privacy
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
<HKCU>\SOFTWARE\Microsoft
<HKU>\Software\Microsoft\Bole

Mutexes

\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-A687-6AA2864FE740}
\BaseNamedObjects\Local\{A3B40D9B-F602-0E7A-E1A6-CDF8C16E401A}
\BaseNamedObjects\Local\{A3B40D98-F601-0E7A-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-0E81-6AA22E49E740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-AE83-6AA28E4BE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-FE84-6AA2DE4CE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-E682-6AA2C64AE740}
\BaseNamedObjects\Local\{881268A9-9330-25DC-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{C252BB8C-4015-6F9C-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-6680-6AA24648E740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-8A81-6AA2AA49E740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-4E82-6AA26E4AE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-D287-6AA2F24FE740}
\BaseNamedObjects\Global\{C252BB8D-4014-6F9C-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{2A12683C-93A5-87DC-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{CEBE6CB8-9721-6370-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9283-6AA2B24BE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-2683-6AA2064BE740}
\BaseNamedObjects\Global\{CEBE6CB7-972E-6370-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9A82-6AA2BA4AE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-368F-6AA21647E740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-5E8A-6AA27E42E740}
\BaseNamedObjects\Global\{A86A58AE-A337-05A4-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-BE86-6AA29E4EE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-2E8D-6AA20E45E740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-8E85-6AA2AE4DE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-C684-6AA2E64CE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-4686-6AA2664EE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-1A83-6AA23A4BE740}
\BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9284-6AA2B24CE740}
\BaseNamedObjects\Global\{320B4DE2-B67B-9FC5-E1A6-CDF8C16E401A}
\BaseNamedObjects\Global\{3D11D76B-2CF2-90DF-E1A6-CDF8C16E401A}

IP Addresses

185[.]24[.]234[.]54

Domain Names

Files and or directories created

%LocalAppData%\Temp\tmp60e9fbcd.bat
%AppData%\Neku
%AppData%\Neku\amto.exe
%AppData%\Leolo
%AppData%\Leolo\peogh.vus

File Hashes

f5dd87d465516dd03308ae2e7673681fc497d4c30751e5a0fcefdf320761b56e
48fcb5ce8670e1829205abd6a911937a9b591d079067c8b25f6867bac059897c
a6b52e4b6803092c91f81aeff5093cdee346b810b415b7b82a24afd63a33c309
59de88ff962f019ad7b0bc2b242120ff0c916743c975f74c169247809ae2cfa5
158a7f507f494481083c4137dbb11474d7d8625c4ca45d0554caa4fcbb903992
8298f4cfb3d5d6838bdebc4642e6b3aba2b1e74562014be11f6fc106af1be491
28a2e64885f1aa2d81fefb0fda91ae7eb2801dfdbf4d9dc65f3848e4bdbf4d65
a3a4c038aa654a5dac595465222404deef3f133828f6209f42ea8395156205da
5f9afad7831895772534737ac2c036b1b65d02a46bc0f91ea0ef2879de3ba8fb
1392b5afc478adfc11e6690ff6b6f9d55658bb2edf064b1cfbf655e674dcdc0f
7326ec6dcf89d8e86d797ab70d4a8ad1a08b672af0c0a45cfb315ef83685cf43
908f86c043b0bb012e639d6c2b102a6af11288b7596c574abc4734213f5d95cb
dd8c0af99b112521bfebdb19afa5fe130925d158703180063c2b2c027b8adbc9
38a951f8f57f1028a92d658841df63068d0a59aa9f140087870b2b6450002baa
f92989215865e61e5cfed94d716d37b4b9fdd92ddd3699ab269b2dad39d0e93a
03eaea48946117d85dde3d2a4668eb24b94323a255bc1fb7536b1de2bd888e74
8db0ff52b62f3f07bc3c7a359dd06cf78e875a18f8b5120107a7f39bed3243b9
6baab60dcfdbd2ee3dbb012b1a00d063a4b05305a444f7ffe633d6175dca6852

COVERAGE

SCREENSHOTS OF DETECTION

AMP

ThreatGrid

Win.Dropper.Khalesi-6535750-0

INDICATORS OF COMPROMISE

Registry Keys

<HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Mutexes

IP Addresses

204[.]11[.]56[.]48
74[.]220[.]215[.]63
184[.]168[.]221[.]42
198[.]54[.]117[.]217
187[.]84[.]225[.]36

Domain Names

www[.]backpackerdesi[.]info
backpackerdesi[.]info
www[.]lovelouevents[.]com
parkingpage[.]namecheap[.]com
www[.]riopumpen[.]com
riopumpen[.]com
www[.]shungavietnam[.]com
lovelouevents[.]com
www[.]tourniquetleash[.]com

Files and or directories created

%LocalAppData%\Temp\~DF84B5AD10771E60C5.TMP

File Hashes

db560e6239674b9b4ea242d13e83269bc7cc26972bfc36d1ca729a95bec86311
214252466a63120c1473180e5f4d2558f59a6a12aa8f3c38d3d5f45712965d7c
093bd942ba8d60e579f1f6ec68f997e609d1ec2d1dee37369ea61e33d175ab0b
8c668d6ec3c6a619342d674e6f696403bcb872342fa17d7b18642861b4c9b596
f40486fa225ebc8fdfc133136453d84649860c55bdb03966f58500030c4d50d7
58182cbb334d50f9758cd669ead059ddd8902fe0902bc8e3a9b5d9ad21906a0d
ef52d2737ded930694deb98880041e97a22be13240e143e9fe7c665dd8ba486d
ba8e4a8555628171ee51b9730e3d5fb549936921645b34e4bc5669573fa1fccd
6972e8b418b60905c630c80c8476b43c941eafab0e0f79ebe6a985e3e60bdb00
f047a66647005edfb80ce99ce23dfab6874989081d3ff33c0795ccfddb47b0c7
8aeecbac14b07c7498a0a14ec5f6faba3586ef253e63a6ff035090e937cee4ad
cf0425375056e906b8cb739d432d724ac30870995915342bc275d047637ea54d
1b8f2e90a2be6bfbcb409b0a87236abddfdeb6c8f1e43c87dea1ad384b3853ac
eb8f9802493874e099e8b026be2736f2bb15ecb5c3bc0e82a967fdcf1f319fdf
606d305ed683a5b6b32fb3d4d8f1567416b3e6e0cc57b2a2ae22abc23563fc13

COVERAGE

SCREENSHOTS OF DETECTION

AMP

ThreatGrid

Win.Dropper.Gandcrab-6530134-0

INDICATORS OF COMPROMISE

Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value: SavedLegacySettings
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value: DefaultConnectionSettings
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
Value: CachePrefix
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: UNCAsIntranet
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: ProxyBypass
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: IntranetName
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: _FileId_
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: _ObjectLru_
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: _Usn_
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: _ObjectId_
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: AeFileID
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: _UsnJournalId_
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
Value: AeProgramID
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
Value: ObjectLru
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
Value: ObjectId
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\100000000967D
Value: AB5
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value: _IndexName_
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
Value: CachePrefix
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
Value: CurrentLru
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
Value: CachePrefix
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE
Value: _CurrentObjectId_
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value: zcwgnjwshlm
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value: ExceptionRecord
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyServer
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyOverride
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: ProxyEnable
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value: AutoConfigURL
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: ProxyBypass
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Value: IntranetName
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
Value: 100000000967D
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
Value: PnpInstanceID
<HKLM>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\ObjectTable
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\100000000967D
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
<HKLM>\Software\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
<A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\Indexes
<HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce

Mutexes

\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=359814f23c28b0e4

IP Addresses

66[.]171[.]248[.]178

Domain Names

zonealarm[.]bit
ns2[.]corp-servers[.]ru
1[.]0[.]168[.]192[.]in-addr[.]arpa
ipv4bot[.]whatismyipaddress[.]com
ns1[.]corp-servers[.]ru
ransomware[.]bit

Files and or directories created

%LocalAppData%\CrashDumps
%AppData%\Microsoft\jczhdq.exe
%LocalAppData%\CrashDumps\82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3.exe.2772.dmp
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\7TZAD419.htm
%LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044\Report.wer
%LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044
%WinDir%\SysWOW64\rsaenh.dll

File Hashes

82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3
8b0122198f51599af74f7e40783bf8f8273e8c5bd1a0e0747161bb3fb74bff75
1c69810013cb87242df28f48ff1b80bd006b2bd0cec8bdcb3ad0c0441a9c48a7
9ba83f1273348883e47f60b3497d14f259656d366cd9c38be1b15c99a4887433
4f5d759ad38c44b01c5442a985f25c10b2863ac890d26f42a3661a39eb6233d3
5cd57d70b048fa751d8d093614cb86096567958778c7bd99ac6ff0355b699d19
a17fba572e8a74bc22061711196df78b603d6a857f8b687f55da21296b3cbba3
6637106cacc9767350a3ad1518e513996accbf45daeb9bebdffb699ae2d89dac
a332b560a01b6e07a5810ec6428314c23e426ea4292280ee0d06bfc2201ac47b
a7250b307556cb0e6716312dce166ce8d6329cdbbe1e7a7ec7d9ad8dc37bef1c
ba7cc79a6b9ee4973b90ce17f4552a6c8a869ebcda495109e7558788f5dd4581
722d9b3b235c118fd93c35d76535310f32ef383037645f9539dd46eedbe908a1
749cc6d350bccd23970b70463abcd9efb782a35da7c03bc8de5c555f2bdda430
e4b1789755f543b508745baaa7325e337e6b7f132cc5e051985ca677836cc571
fd2de37d51a398725239f1c9943604506d52bb623ecfcbc40f6fb474cde9fbd0

COVERAGE

SCREENSHOTS OF DETECTION

AMP

ThreatGrid

Cisco Talos Blog

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Threat Roundup for May 04 - 11

THREATS

Win.Dropper.Zbot-6533101-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Win.Dropper.Khalesi-6535750-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Win.Dropper.Gandcrab-6530134-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20

Intelligence Center

Vulnerability Research

Incident Response

Security Resources

Media

Support

Company

Cisco Talos Blog

Threat Roundup for May 04 - 11

THREATS

Win.Dropper.Zbot-6533101-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Win.Dropper.Khalesi-6535750-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Win.Dropper.Gandcrab-6530134-0

INDICATORS OF COMPROMISE

COVERAGE

SCREENSHOTS OF DETECTION

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20