Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 27 and Oct. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Malware.Zusy-7191579-1 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Osiris-7191711-1 Malware Osiris is a banking trojan derived from the Kronos banking trojan and is known to include features such as the ability to communicate with its command and control (C2) servers via Tor and the ability to intercept credentials typed into web forms.
Win.Dropper.Cerber-7192026-0 Dropper Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
Win.Virus.Expiro-7192043-0 Virus Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Malware.Neurevt-7192122-0 Malware Neurevt, also known as BetaBot, is a remote access trojan that employs multiple anti-debug and anti-analysis techniques to attempt to avoid detection.
Doc.Dropper.Emotet-7181950-0 Dropper Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.

Threat Breakdown

Win.Malware.Zusy-7191579-1

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: EEFEB657
82
MutexesOccurrences
EEFEB657 87
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]218[.]185[.]162 54
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
brureservtestot[.]cc 57
Files and or directories createdOccurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 84
%APPDATA%\EEFEB657 82
%APPDATA%\EEFEB657\bin.exe 82

File Hashes

027ecc7f1e2d38d420486e9e0fe9d50bdceb8b50512258a922e69f55e0c18ec7
0a72c56814a288218c9346115935828be03e870fa858a721f738af4dab311205
0a9fd449b13193c771c2d401dd6538cab6dbb2c37e0573b05cc72802b90687cf
0b1fa36c3ae5bdb7c52c40e08566cceac37965265e5b2552fdf121add431ce45
0ce401aa748f86238016408aa5c7b082a83499a2cbf2d5a1370b3bef8b983be1
1266c2bccc5fa61af8b611d3c7f210b11fed7d22dbb24305bf6003b1891399fe
12ef657ff31b48b90fbb20b212643f7aa62b66dae80cd19feed7356089f18451
149e17e85475bf4f6b4be6c0f1924e8554ec982f949fcb833c8c6bc3a7673669
1a0d6dda8e405f9342fadc87a1a6b395250bfcf910f5e2e4cfba806de2b58eee
1b3ddf7b2a71290a0a86e974a323dde16999e7eaa2be2b8cd63c066a7ba6a052
1fa747673986b53ed65fa0a6b39a024ef02191966184a6fd8844e742fdbc3d58
22b172ead1618e0c49a6d94c4da6c7ba1d401549276bc3a7f3d78c18909e6793
2b9b82e7ee0d8661b2268f83a010e8379e28930cc7f9f224d06fcd37b48f566d
2ba984bf6a2e039225b78faf309d087db56a6a2eac5efc73f5f20ff941c58442
2c33aa852da4527f49dae1e6bb1940b4c7cd2c814da0a90ab8a2a5de5fee6726
2c594bcf891b90e24c8bd445d5ddbe9cb50f5d101d559d564ab8246535d2af53
306774877254b8ca51a2bf446834cc34126ac56ebaf9d935442c25e533485fc1
38efe6d2c2e264e83d54cebc4bb14766c344741e39b510b027882d1ef2bbb798
43aee0e0761a3e90aa35d3401634397be8d1691d88ed2bdaaf2f60c915de53e2
467e66e8fc95c740cc3beee432d6a5e85bc533aa6dd609865376dacf0a0ef6e7
47bc6db08ad7826b5a68644d6f013405e4e6842525b8a4d05a2abdabfd735fc4
484f52c4598eddc67147f8558c9bf9701d1c4d2f5bcc1b619a43422863d1e8ce
48624a37bd7f3faacc3d56c106a40189c413dc4ec4407c00a1034578cfb6a9b3
4a3a67a893cf7e49a5aef587d840867589841e93ae7f418019d6f94daba58c47
4bd1deaa13a4a9cef75f84dba895645a24ac7f4b4bd69d22ea5800a3c682cc54

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Malware.Osiris-7191711-1

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: HideFileExt
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: d41d8cd9
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: d41d8cd9
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d41d8cd9
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d41d8cd9
11
MutexesOccurrences
Global\d41d8cd98f00b204e9800998ecf8427e 11
Global\{B1F6EFF9-6297-200E-B1F6-F9EF29AA7A00} 11
Global\{BF6093C4-5FBA-D878-BF60-C4933C20A000} 9
Global\dd4b21e9ef71e1291183a46b913ae6f2 9
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
updateserver4[.]top 11
updateserver7[.]top 11
updateserver5[.]top 11
updateserver9[.]top 11
updateserver2[.]top 11
updateserver8[.]top 11
updateserver10[.]top 11
updateserver6[.]top 11
updateserver3[.]top 11
Files and or directories createdOccurrences
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\user.js 11
%System32%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 9
%APPDATA%\Microsoft\{56984C2C-8905-4BFA-8553-0BE17726FCD5} 4
%APPDATA%\Microsoft\{56984C2C-8905-4BFA-8553-0BE17726FCD5}\d41d8cd9.exe 4
%APPDATA%\Microsoft\{56984C2C-8905-4BE2-8553-13E17726E4D5} 2
%APPDATA%\Microsoft\{56984C2C-8905-4BE2-8553-13E17726E4D5}\d41d8cd9.exe 2
%APPDATA%\Microsoft\{9A96A2D0-FE36-485E-B81C-0132628C474C}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{03FFB58D-7238-49DA-9378-5224CBD1F546}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{575A5E0A-FD63-4DF1-BF50-033349A4ADA1}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{33C67668-6248-47D0-8FDF-197713CA89A1}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{FA144B4E-77DF-4C1F-A472-60E20FF489C2}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{507C47B0-1E13-4926-92BC-C40E8A4CB040}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{F807BD90-CAC5-40B0-828A-CA06ED52C5F4}\dd4b21e9.exe 1
%APPDATA%\Microsoft\{780EBCFD-EADA-4438-9DC3-324538311844}\dd4b21e9.exe 1

File Hashes

05ba5705db7ff502d4422ea7d4ef32422d9b2c0966a42b6b3d76c126d51e846d
0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5
2c5fdc198324cc33dc93d20dc58195608661ed5c83cf10619efdbc1fddeb51e5
4c6f284b0be38d51af26ee87e687cbba32184e0b21203758419953e1f476e841
4f645f4ae3dcf8bfebf4dde1b6d20497ce25fbbc1f6f691d40a95d7bff7a2d6c
5ba866dbb2ace005cfa32382404ac0927695f52bedce0804564549e633be8318
6478b2ce18a6a7671a39aa254ba0c4aaf123a0f5b27e9c86e323b663332f18f8
6f2add6401f59d813de66bc1152240f2e7622e293a0b10c5a804790b7068195b
6f9d45cf7571949de6db54d2e4c642ae63e30ba0eaf4f3075b8cd36749171377
919d3b68ee264053ae4f0f3d9caf93c055c421dabdc419d5d52d09d089142498
f7ce779ae0308c0c0da8280d3182506eda97778e91969eb4ea86dc3bfddb12df

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Dropper.Cerber-7192026-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
25
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
25
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE
25
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 25
<HKCU>\PRINTERS\DEFAULTS 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Magnify
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Magnify
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wusa
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wusa
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: LocationNotifications
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FlashPlayerApp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: FlashPlayerApp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DWWIN
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: DWWIN
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mshta
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mshta
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: autoconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: autoconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RMActivate_isv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: RMActivate_isv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eventcreate
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: eventcreate
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: w32tm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: w32tm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: netbtugc
1
MutexesOccurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
shell.{785F99DE-E95E-3921-EE78-D7777849AA01} 1
shell.{967822DD-7042-E624-BEA7-C7EF520E90F5} 1
shell.{A92873EC-3840-982A-DA5D-DDDC12AA8495} 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
31[.]184[.]234[.]0/25 25
216[.]239[.]34[.]21 8
216[.]239[.]32[.]21 7
216[.]239[.]36[.]21 5
216[.]239[.]38[.]21 5
54[.]88[.]175[.]149 3
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ipinfo[.]io 25
Files and or directories createdOccurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 25
%TEMP%\# DECRYPT MY FILES #.html 3
%TEMP%\# DECRYPT MY FILES #.txt 3
%TEMP%\# DECRYPT MY FILES #.url 3
%TEMP%\# DECRYPT MY FILES #.vbs 3
%HOMEPATH%\# DECRYPT MY FILES #.html 2
%HOMEPATH%\# DECRYPT MY FILES #.txt 2
%HOMEPATH%\# DECRYPT MY FILES #.url 2
%HOMEPATH%\# DECRYPT MY FILES #.vbs 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Magnify.exe 2
%System32%\Tasks\Magnify 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wusa.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wusa.exe 2
%System32%\Tasks\wusa 2
%System32%\Tasks\mtstocom 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\odbcconf.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\odbcconf.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\netbtugc.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\expand.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AdapterTroubleshooter.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\AdapterTroubleshooter.exe 1
%System32%\Tasks\autoconv 1

*See JSON for more IOCs

File Hashes

151143935c4283f66a837eca1761400ab0573929e04217a5be0286b28eeb9d15
1736c692db984e5ceb7e15a127f2478400a78c30785fd3c195ae4d9468b80259
185f85a2fbc3e27f87b099ff50a1f03f89e724e7927ec9edac4c4416dc87c109
1da732e9670f73e980723ea167abb29c5b553603c3804ec4bb9a03a4d506e8a4
3a6ca5a46ac5ac3ef7972b22e2fa5cdc4af2e137150691ed1b7a15b1ce9030a4
3c7e1a50d31138b53165e98d7bc2ba570304359bb4f7baab7ded17cc3fb3bc4c
4574e5aeda39aadfadb399654d2a6db00884be85b0882fb0acc4dbf14153ca0e
4e242ff308fc31ada637861fed73373c30eb2d5ecfda92760498fcbe30a9bb07
503baff89f763142c5b49a527972c7119be3f95fcc8cc2a1cde8bb71fd76cd02
561caadf62f59ee8dfd6d9c97e5692875458c55b3e2d53ba43e9496c40ee0824
5dbfa76bd1edb0ae7a516a08c760e2234506d64ae7c905f8e0e8830d74ef8613
65afc018d8cdcc9ec4756e98000265e3ecc3e394b7e5d493dfd6d106cc15118a
6971a5b1aa7e57abad2939f4be1a92651ea7ac12251b804ae17f2ecb1e1bf200
70b5c51e692dcd2f432c05170f7f823fdfd5b6857267117a92fe9d358a7026ed
84a45eec021015ee2eeb5acb7251f3c50c626b41bf47b8fce7c822253e175c64
999a1e5659ac864771ad420c7cad50de5b5118adb5abb80ffe18ad28c932f5a0
a51de392aae3ade74991dd86b1d205c2cc5ecb0752cac2a02c95d61ff14a558c
a80ace30082b76edb75d6c9a4f9165af721a8f8b13ac0862bc438589e0af01bd
a8fe11512ba3e48b178ad9ef994f48ec581394e69cbdb808f15c1432a762c636
b1e46c28ddff91c0d586933b500ce29bcf83fc094864c4227b6e70fa1981f064
b7cf83e8596736ced202a1de5e67fbaa5bdf9074697d548fdd83800802732ec4
b8c85a34ed5ccfe058c8ba65606add1efdcfe694d0f32e6b91e4b977da1392a8
bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85
cc1efac0bf7786ea4bbd4963d78aee4498e034dd778adce6977eca3d78666483
d3080983742d3deacdbc53a43b1482cfe1573ec8d957fba0f456a676dca3bd90

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP

ThreatGrid


Win.Virus.Expiro-7192043-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
1
MutexesOccurrences
SetupLauncher 12
Global\<random guid> 11
gazavat-svc 8
kkq-vx_mtx<number, matching [0-9]{1,2}> 8
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 5
{79345B6A-421F-2958-EA08-07396ADB9E27} 5
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]217[.]10[.]110 5
87[.]106[.]190[.]153 4
18[.]213[.]250[.]117 2
91[.]195[.]240[.]126 2
208[.]100[.]26[.]251 1
18[.]215[.]128[.]143 1
46[.]165[.]220[.]145 1
46[.]165[.]254[.]198 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
atw82ye63ymdp[.]com 3
xxsmtenwak[.]com 3
grbjgfprk[.]com 3
ydchosmhwljjrq[.]com 3
ygqqaluei[.]com 3
wwyreaohjbdyrajxif[.]com 3
bekvfkxfh[.]com 3
caosusubld[.]com 3
warylmiwgo[.]com 3
xomeommdilsq[.]com 3
mdofetubarhorbvauf[.]com 3
gfaronvw[.]com 1
wstujheiancyv[.]com 1
kbivgyaakcntdet[.]com 1
dvwtcefqgfnixlrdb[.]com 1
yrkbpnnlxrxrbpett[.]com 1
oawvuycoy[.]com 1
citnngljfbhbqtlqlrn[.]com 1
bungetragecomedy9238[.]com 1
oeuwldhkrnvxg[.]com 1
kbodfwsbgfmoneuoj[.]com 1
wdgqvaya[.]com 1
ypwosgnjytynbqin[.]com 1
jlaabpmergjoflssyg[.]com 1
ausprcogpngdpkaf[.]com 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 8
%System32%\alg.exe 8
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 8
%SystemRoot%\SysWOW64\svchost.exe 8
%System32%\<random, matching '[a-z]{8}'>.tmp 8
%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp 8
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 5
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 5
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 5
%LOCALAPPDATA%\bolpidti 4
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 3
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 3
\TEMP\ShMnr23 3
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 1
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 1
%SystemRoot%\SysWOW64\cjnnhbik.tmp 1
%SystemRoot%\SysWOW64\hmdklpnd.tmp 1
%SystemRoot%\SysWOW64\ghnjiafh.tmp 1
%SystemRoot%\SysWOW64\nojnfemc.tmp 1
\TEMP\emf 1
\TEMP\J3OHIb3 1
%SystemRoot%\SysWOW64\ggaiaabg.tmp 1
%SystemRoot%\SysWOW64\elmmpkjb.tmp 1
%SystemRoot%\microsoft.net\framework64\v2.0.50727\jjicllfe.tmp 1

*See JSON for more IOCs

File Hashes

08c199483a9569dbe74565c65ab0dfe038338ffe0c37061316a3a45116a9adb0
0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b
293263135eb196a8027f6aea0f74038d60b848103f09db6d39e55b763d6bf26a
29ec1dfc85cfed46ccf8a53ca2e9f207cb126f6cec92a3b829ae61590bea1b1c
32ed07783188242c60837a208a6ebab9e37fa69fb69da9b28629c3e3971ccfa6
36e5bd8e4a5c7758dd28acda1ad479bfbfb268ca1c5339b4e9953daea48392ac
63530b594d1605211d405951823a3f5ac249660aa0ca542cb00247652dc3b544
664bd013762c59a6f0b0c8fbd7dbed06f971d2dfbc2921e10faf8b5e8aba2e8a
c075f037fea0578197e56a520708152779a9332195b96a52bac64ff10a914d82
d28f2744b436cb2816ee6a63a44e2cfd4f952483b65c026ea8b4f384cc6b7e5e
ea5a419cb19fc22c11d3751f0560f049631571b99c33d37482ddbca1ee4e3d6f
f2fffb85b3e49c138128ef141b69a49fd09e3c7362ed8beed43dc6c46deadbcb
f5fec4cf85c3e2c936455b0f0ec8a6cbbb138dfa5e31db4920037f9baf46ab65

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Malware.Neurevt-7192122-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\WIN7ZIP
Value Name: Uuid
26
<HKCU>\SOFTWARE\WIN7ZIP 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE
Value Name: EnableFirewall
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV
Value Name: Start
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE 9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE
Value Name: Debugger
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: random
2
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\10DF0332\CG1
Value Name: GLA
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OMYLCQKSW.EXE
Value Name: Debugger
1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CS1 1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CW1 1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CW1
Value Name: 1916
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Javaupdate
1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CG1
Value Name: GLA
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BZSBKOTIU.EXE
Value Name: Debugger
1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726 1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CS1 1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CW1 1
<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CG1 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
239[.]255[.]255[.]250 9
52[.]185[.]71[.]28 5
208[.]100[.]26[.]251 1
40[.]76[.]4[.]15 1
20[.]41[.]46[.]145 1
40[.]67[.]189[.]14 1
94[.]130[.]148[.]39 1
176[.]56[.]236[.]180 1
143[.]215[.]215[.]205 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
update-silo[.]com 1
frizzcams[.]com 1
fapncam[.]com 1
theafam[.]info 1
pl1[.]co[.]vu 1
kasn5[.]name 1
up-windows[.]in 1
myssfii[.]eu 1
emicrosoft[.]eu 1
allegro[.]ga 1
frky7[.]name 1
marklou1[.]eu 1
s1allegro[.]net 1
b[.]dqwjnewkwefewaaaaa3[.]com 1
fe298c697c247af42926ae65f504cbab[.]380d71f68b776c687229362c8017cfd4[.]sink1[.]doombringer[.]pw 1
b[.]2uandmearevideos2k2[.]com 1
e4afed3b6057875d3cab2c8acadf19b0[.]9079efdb6bd50d249cecbf60d0cf8a59[.]sink1[.]doombringer[.]pw 1
b[.]12thegamejuststarted10k12[.]com 1
9f1338aaa955b14adce82b28456563dd[.]8e38e1a12b675dd8ad0879ac9df9dd43[.]sink1[.]doombringer[.]pw 1
0a3871225132117b6a5a3ca80e3637e7[.]bd822b74f0f09fe15387a4e573dfd4b8[.]sink1[.]doombringer[.]pw 1
5fa5dd9e6db7852950c1d75652840205[.]d30bfb82739133ccfd1a869f816afd1e[.]sink1[.]doombringer[.]pw 1
a289b7027c3a8ccd97e35492ec62c4a7[.]79c70407c7e6ecfca660191065cb2e91[.]sink1[.]doombringer[.]pw 1
82ffe6077d09c53372a2f4177b3a00fd[.]2418805ba4dbdf2b323c3ee2d28fd899[.]sink1[.]doombringer[.]pw 1
b[.]6worldwipemek6[.]com 1
ce5ccbd7434dc4f3e00d5d615c8f1cfe[.]f919bc55f255fc49078e2b0e54e60b5e[.]sink1[.]doombringer[.]pw 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%HOMEPATH%\My Documents\My Videos\Desktop.ini 18
%System32%\Tasks\Windows Update Check - 0x00000000 17
%ProgramData%\riaiccape 3
%ProgramData%\riaiccape\desktop.ini 3
%ProgramData%\ubvhynpxh 2
%ProgramData%\ubvhynpxh\desktop.ini 2
%ProgramData%\hemxccape 2
%ProgramData%\hemxccape\desktop.ini 2
%ProgramData%\randomfolder\desktop.ini 2
%ProgramData%\rpeulaaql\desktop.ini 1
%ProgramData%\odoaztybt\desktop.ini 1
%ProgramData%\mwvaztybt\desktop.ini 1
%ProgramData%\safpdndnn\desktop.ini 1
%ProgramData%\Javaupdate\desktop.ini 1
%System32%\Tasks\Windows Update Check - 0x6EDA084A 1
%ProgramData%\dtdasndku\desktop.ini 1
%ProgramData%\Winrar_Update\desktop.ini 1
%System32%\Tasks\Windows Update Check - 0x6E3308B1 1
%ProgramData%\omylcqksw\desktop.ini 1
%System32%\Tasks\Windows Update Check - 0x5FF907D6 1
%ProgramData%\svchost\desktop.ini 1
%System32%\Tasks\Windows Update Check - 0x19CF045A 1
%System32%\Tasks\Windows Update Check - 0x0E7302EC 1
%ProgramData%\skskjbpjx\desktop.ini 1

File Hashes

00922eea9dc5d3b1d91cf0e5b244d86957e0a5dab9f22b37db91983d154849f5
00e830529982d3b12b63616473f8e77b1e9f59d26d7464a916ab4ccb7d252338
0f9b382f50574eb1da03ab59cc0138d0cdddbcccdbf4fb04377235377e2bce60
19a17d03eaa9d66aee48704b368513cb4ce2ea571004561046897e5fe194fcb5
1d5a814d7034b2ffc16acb036e10021410d1592b491fd4e3c6737ffa48c19f55
205a780668f504064a7a326217529d3dd585fefe2c91b9ee141aa0c0411c88d6
2252337eb1ee8bfcdc05cdd90533c4f9c73326c3c38438730feffb47a67dde13
228cdf170c3b7f8c4b08f89def8b979c147aada601d7e1d0708916a3101732fc
23b79c36c6c5b9b35e11159486bf8f1e0a2366af780c9508bfee93de63fdeb86
2b55f40e873b564258185612ea6518761ab9393f271d1acd3908d65dda91c3f2
2d6b0b02396b515544d508ace60ef5de186961843c6fda12c311716c63b631b4
47fce8ed6989d5946ef8b4a10898d103ded7ffe6d5046d1583aefa21218cbe49
48b4df7d8192fb653ca5d4ef80903794b6cf7baa25bca70624acbcafd1c5f4e1
514e41ef73aa0e6b581168304fc5e4c11a81706d4a00e8dadd8c5e604493e85f
5822b7304c297b694c9826e07c653d1a5071af711f24abf374213dbf73df99d8
69808dfac8e39bb71644ca5b9a354c8407d713e723c49a2bb54ba6a6f54e52d3
699b83596749933b26e4a8cd79df7e961859dce598a28b0a09a7d1a6ef051ba5
714042e00adf37f5772ade261d283e66bfd787ba4622ff188ec9befc05817bcb
82fd5b23902d7114095c356c9820e65b89d7c4dd5da1312e262373608e536e4e
8f0ab0d5a8d06ffb54e69dec00c3d2e920794be65cb3b9f316a04af9c3d3ed35
96e0342a3295906bf604f8fcffb8845e3d4a72ceb8ca34443f54216616467ddc
97f3a82738d8dc6703828c406ecafd16acbc019bf8c810516912302ec1d2b553
a925cb47ff812a85faee0d1a39c2f16ac6b99dff405d01741fc253ec76cf29aa
ac2c823fe5be07bc030e77510922ec076642c5ef5966b0ec56b6dfefcba06e34
aee901442f82ad32986e1c36969d48d76d4cc88bb8b084d0a2749220a86a26b5

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid


Doc.Dropper.Emotet-7181950-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHPROGIDS
Value Name: JSFile
38
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS 38
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHPROGIDS 38
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHLIST 38
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Name
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Path
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER
Value Name: Extensions
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Name
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Path
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS
Value Name: Extensions
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Name
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Path
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X
Value Name: Extensions
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: Type
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: Start
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: ErrorControl
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: ImagePath
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: DisplayName
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: WOW64
37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS
Value Name: ObjectName
37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X 37
MutexesOccurrences
Global\I98B68E3C 37
Global\M98B68E3C 37
Global\M3C28B0E4 19
Global\I3C28B0E4 19
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
181[.]123[.]0[.]125 15
18[.]217[.]99[.]164 15
119[.]159[.]150[.]176 13
80[.]240[.]141[.]141 13
184[.]69[.]214[.]94 13
186[.]75[.]241[.]230 11
124[.]240[.]198[.]66 11
209[.]182[.]195[.]22 9
173[.]194[.]68[.]108/31 8
69[.]43[.]168[.]232 8
104[.]31[.]71[.]182 8
110[.]36[.]234[.]146 8
197[.]211[.]244[.]6 8
125[.]99[.]61[.]162 8
115[.]88[.]70[.]226 8
207[.]204[.]50[.]44 7
217[.]116[.]0[.]228 7
162[.]251[.]80[.]26 6
104[.]31[.]70[.]182 6
72[.]167[.]238[.]29 5
74[.]208[.]5[.]15 5
196[.]25[.]211[.]150 5
17[.]36[.]205[.]74 5
217[.]116[.]0[.]237 5
148[.]72[.]198[.]247 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
themodifiedzone[.]com 15
www[.]pics4game[.]com 14
www[.]creativespad[.]com 9
smtpout[.]secureserver[.]net 8
smtp[.]secureserver[.]net 7
mail[.]secureserver[.]net 6
mail[.]apnabazar[.]co[.]in 6
smtp[.]1and1[.]es 5
smtp[.]mail[.]com 5
pop[.]secureserver[.]net 5
secure[.]emailsrvr[.]com 5
mail[.]heraldsopenaccess[.]com 5
mail[.]heraldsopenaccess[.]us 5
smtp[.]mail[.]me[.]com 4
pop3[.]telkomsa[.]net 4
smtp[.]telkomsa[.]net 4
outlook[.]office365[.]com 4
smtp[.]orange[.]fr 4
remote[.]jubileelife[.]com 4
mail[.]keycargroup[.]es 4
server[.]isnstores[.]com 4
mail[.]r10networks[.]com 4
smtp-mail[.]outlook[.]com 3
smtp[.]comcast[.]net 3
mail[.]rediffmailpro[.]com 3

*See JSON for more IOCs

Files and or directories createdOccurrences
%LOCALAPPDATA%\Microsoft\Schemas\MS Word_restart.xml 38
%TEMP%\0.7055475.js 38
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 38
%System32%\adjustmove.exe (copy) 19
%SystemRoot%\SysWOW64\yellowreportsb.exe 5
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe 4
%TEMP%\inq6vpuc4.exe 1
%TEMP%\llh1np4ba.exe 1
%TEMP%\x5ra7abr9.exe 1
%TEMP%\tlcebiev2.exe 1
%TEMP%\qy2w0i9c1.exe 1
%TEMP%\jrtj6nk6o.exe 1
%TEMP%\fe2zt4mrb.exe 1
%TEMP%\zmmkb0j7x.exe 1
%TEMP%\ns8q8axim.exe 1
%TEMP%\s1ucq6p8d.exe 1
%TEMP%\fxmnkq4qt.exe 1
%TEMP%\4l4u8k8s6.exe 1
%TEMP%\lvn7pj1tq.exe 1
%TEMP%\qz03ja0fx.exe 1
%TEMP%\o2a6n5yed.exe 1
%TEMP%\h04mv88ph.exe 1
%TEMP%\9m0sfw639.exe 1
%TEMP%\waymo412t.exe 1
%TEMP%\9611f6amr.exe 1

*See JSON for more IOCs

File Hashes

04506f92dbebbdad34850d0344014c9acf170a1f532660d18512975d62756fbd
16a9929e17b9fcc99f8d2eb5ec86b365239b0f957b187594f77319540ce5e5f1
1b5fd4653bdbb88ef0615c3a4b38e642630fddfd738ceafb893b6c860beb117a
1be7caaba5194edf4387892d03521e968be5fa4b784a833b0c6321285694a660
1cfe976389fe9d737b7419de0fac59fa4dce4e78c73714124b1689011e3ce732
1f8d4a7a30a8f819c87095b98c10328764b56a877915105815442f4192804571
26706d48f23fdb7c40aca350271921e8050870ce4f6d957d94ad308dd3f409a2
298762d4a2ff39b2de5427c13ff95e75a4f4ac07b5f64c46d82ee1043fc52ed8
2b05fd27faf1cc06b2db7e25b67e19ce5ff5c7852e61bf122eaae92345b54a77
2e8ec9034066e25159978c9c8429e0b2762a2e193a48a0d14fe5a45518c5b5a8
3643f64d1633ebca53e1f94f6aba030cc495b68942b532afae9c74f8016d631f
4331d5382007c68ac994c5a45e86985d8fcde1fb478aa69b394a19058d807f67
471ebd4880bf8cfee1920152ea36f170cf9331f37e45bf52f5b9bcfcbd326ffb
4781987ed5962518144b03612044b8dea7e5a29107a2ad2f7a2c0738313586ee
4e2f28c6260342e1d56264f6cb861d81987fff70905700660034a240c59d75d9
4ebd8502f68223342be072867f79338fb13dfe6b68b209bfdb27f5effef40d05
5fae5b96569a4759bd5cc6494b24edef1639bcc28ed105bc3eb8f9fa09bca4c9
7362434686fb62fe3ce77a4ea84886f0f82768112b6f9832cc86bbdfc83bdef9
7c067959175e72df745b86f91dd1fa402f4b3b3c0ad17ca70b77a1f6185a285c
7d06e0759eafca0709823dadb15c5d37c7a3cada38bad9bcb4ca678d3895bfb0
807cfe5cb5d6075af492a911fd096b0a3705f9fe7cd0a7263d94e4efa21a50f4
857f05b3df88059eeeaecea4da6901ad6e45e5cbb9be21d1ae7d17b946cba355
86c47685c49f4d0cec1c54b0b6cc8247ebd8c17b01a63da2ac19c0b02d426ebd
89763a9eefa6606d925392aa2718facb16958916ee2564025edcd1d74712536b
a0703d7150ce06752f04e53ea2ad6f102551e1bdb8588fdc2e6bf90668e1de7e

*See JSON for more IOCs

Coverage

ProductProtection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware


Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (12639)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (5242)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Madshi injection detected - (2444)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected - (933)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (443)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Atom Bombing code injection technique detected - (389)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Gamarue malware detected - (195)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (186)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Trickbot malware detected - (174)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Installcore adware detected - (116)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.