Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 21 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Doc.Downloader.Emotet-9412146-0
Downloader
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Chthonic-9405917-1
Packed
Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.
Win.Trojan.Bublik-9406364-1
Trojan
Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
Doc.Downloader.Sagent-9431315-0
Downloader
Sagent downloads and executes a binary using Powershell from a MS Word document.
Win.Trojan.ZeroAccess-9406344-1
Trojan
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Packed.CyberGate-9446722-1
Packed
Cybergate, also known as Rebhip, is a remote access trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Adware.Dealply-9476483-0
Adware
DealPly is an adware program that installs an add-on for web browsers and displays malicious ads.
Win.Trojan.Gh0stRAT-9455238-0
Trojan
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.Cerber-9408183-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Threat Breakdown Doc.Downloader.Emotet-9412146-0 Indicators of Compromise IOCs collected from dynamic analysis of 16 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TASKKILL
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VCRUNTIME140
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PANMAP
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IR32_32
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASACCT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IR32_32
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140RUS
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140RUS
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SDIAGENG
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SDIAGENG
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSCORIES
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PANMAP
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITSPERF
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BITSPERF
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IASACCT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLFSW32
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLFSW32
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDROST
Value Name: ImagePath
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 174[.]127[.]119[.]148
16
23[.]111[.]156[.]118
16
70[.]121[.]172[.]89
15
64[.]183[.]73[.]122
1
116[.]202[.]234[.]183
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences abcofcricket[.]com
16
reliancectg[.]com
16
e13678[.]dspb[.]akamaiedge[.]net
5
Files and or directories created Occurrences %TEMP%\OFFICe2019
16
%TEMP%\Office2019\M8e9ziy.exe
16
%SystemRoot%\SysWOW64\hnetmon
2
%System32%\Windows.Networking.Proximity\fdprint.exe (copy)
1
%System32%\aadcloudap\help.exe (copy)
1
%System32%\kd_02_8086\atl.exe (copy)
1
%System32%\sfc\directmanipulation.exe (copy)
1
%SystemRoot%\SysWOW64\rdpendp
1
%SystemRoot%\SysWOW64\wecapi
1
%System32%\cscobj\KBDAL.exe (copy)
1
%System32%\LockAppBroker\dmxmlhelputils.exe (copy)
1
%SystemRoot%\SysWOW64\QCLIPROV
1
%System32%\SearchIndexer\WIFEMAN.exe (copy)
1
%System32%\DeviceEnroller\msg.exe (copy)
1
%System32%\KBDLT2\amstream.exe (copy)
1
%System32%\PNPXAssoc\csrsrv.exe (copy)
1
%System32%\ir32_32original\nsi.exe (copy)
1
%System32%\odfox32\ConhostV2.exe (copy)
1
File Hashes 0099a00ee33efc8e25e68b3bd2862656ac4819416a7ce5252da75b326480ece2
05897a743fd2fe3d791b9560b3a3a0d5fa3f4ca8c2dc6f1a490aaf4a7f4f5636
362e736d6f3bff825ce41cbe07673edecd04b460201d5f464ab18f547085ffb5
3780d20be48fb349faf9fb0fc17e1eb9f3a3060e3d57af2bbd7e20d6b0b4223d
597e9c35dd31bf8130c43d9fbcc15b84427dfbc80a72cb31c495bedd4b5fc5d8
6908f421de0201f20066643862907ed1cddc4753f51a42850b8209380bfe1e6f
6a5ecf7dfa844149f405476219f41fc9b8de66e61a0c91285858c8ed994d8d65
8e35e8ba595b5a480cfb07ba4ace588139b959108de6a15519b4db831fefd4af
a89f4a0e07aed6f0db5226aa6c45eca8e232db1686eaaf99f163acf0eb849c37
b114bdb0998bba2f9df4cb49501e222276365890cb0c24f6c0ec94d7deda4d33
c76dd6c988b0d2886904cc2f393b360277487b31602297b5c5268ae59604586e
cbcffeaf57dc69c22c4c1f6eaa6b2102c764aa8b0080b466aa95969f3c0283e1
cec2abed8d3e093ac30ead62cdebfbf1522c763159ec278ecf0af89a16dd1f4c
cfa624d839f73dd527469da0d9c2d9955bfbd320277c47454498beca7877dca2
e6897b31f6e77a3182753226f0781709a200bf67633cd45568c33c4e78b9456b
e7801b2180c3386d049135af6b5e4ad14c56a7a6eda2cf87dcf474e3ce9c4e39Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Malware
MITRE ATT&CK Win.Packed.Chthonic-9405917-1 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 104[.]215[.]148[.]63
17
35[.]229[.]93[.]46
17
173[.]231[.]189[.]27
17
35[.]231[.]151[.]7
14
20[.]45[.]1[.]107
11
40[.]90[.]247[.]210
10
40[.]67[.]189[.]14
9
20[.]41[.]46[.]145
7
80[.]240[.]216[.]155
2
176[.]58[.]127[.]165
2
5[.]34[.]248[.]225
2
40[.]91[.]124[.]111
1
93[.]186[.]225[.]208
1
31[.]28[.]161[.]68
1
139[.]162[.]149[.]127
1
217[.]144[.]138[.]234
1
144[.]76[.]197[.]108
1
81[.]21[.]65[.]169
1
164[.]132[.]166[.]29
1
50[.]192[.]156[.]121
1
84[.]16[.]73[.]33
1
46[.]54[.]224[.]12
1
78[.]96[.]7[.]8
1
198[.]60[.]22[.]240
1
78[.]47[.]158[.]133
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]kryptoslogic[.]com
17
europe[.]pool[.]ntp[.]org
17
differentia[.]ru
17
disorderstatus[.]ru
17
north-america[.]pool[.]ntp[.]org
2
Files and or directories created Occurrences %ProgramData%\msodtyzm.exe
17
%ProgramData%\~
17
File Hashes 213e8ed0cd9a5450ca8dc8e2215dc302ef5784a1d893bc920b6faf089aa33588
291089cea1cf25586cfffc61fb1243872018931135dbf177ebcda26f8388933a
2a9ba70589bd6416b4db98c8b068a620e9b3fbf9942300b1bcabfde353937d76
3e593e1d1bbba40902edfb7fa3326b3f56060116157731bd63ec2debd1e196be
4219e1d7f3b437b5307450acbf9ff533e206bf517d01f1409f8b38c757152c27
47e8456d3ac9547ab0792376072b52aff4d5eed4025bcd14577bcd9b051c2651
5052228606f5d14a327e1acf14e8c5ee443204e2f95090c66a478a52ffa5c080
5faa78f9f6587af4b6d1b42fe1603915db67929101c3fe5730c2e134bd03cab2
7227b7ffe4c84548b4d0ad92f0d4e3dc62a6f4409d561eb47a40829b90fefd11
9083da810c49eef9bfa4ab0490c9b1c40b43d5c18f51693d0d199b97966d04f1
a140890e637f598eb6ae102e5835d4bfc123b1013b8f9c70f27e6c0954d28bd6
a81dafcbffe233c09898e7c7837b0991d0f1dbbd08c48fd696305d871d4b01cc
ae8e8a0bafa05a668088aa07e7c9714ba462982a67d3d3191815be02dfe06963
b0d4f9344a1d4e38d193f0582f704ae755b68cc2176cfc4da0f5d79b72c4300f
e3a44d7f30400d05af1d2665f28211878a8c590b4c2cccdc23f4fc673a8c15b9
eac35ecab4412b3725396bde62a2f887892be5fa26482d0a8d4ed0862e25cedc
fd4fa9e654201183ab02f12efa162f4e825e4f9cffeaa5273591ee3223214d96Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Trojan.Bublik-9406364-1 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpkl32.exe
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpkl32.exe
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WinMedia Services
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\wmpkl32.exe
24
Mutexes Occurrences muipcdraotse
24
S3xY!
16
V8x
8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 143[.]248[.]35[.]28
24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences vps318[.]intelbackupsvc[.]su
16
vps360[.]intelbackupsrv[.]su
8
s38[.]intelaids[.]su
3
s30[.]intelcore[.]su
3
s27[.]intelaids[.]su
3
s51[.]intelblog[.]su
3
s70[.]intelblog[.]su
3
s59[.]intelprog[.]su
2
s65[.]intelblog[.]su
2
s48[.]intelcore[.]su
2
s81[.]intelprog[.]su
1
s13[.]intelaids[.]su
1
s87[.]intelblog[.]su
1
Files and or directories created Occurrences \Autorun.inf
24
E:\Autorun.inf
24
E:\SysDrv.{645FF040-5081-101B-9F08-00AA002F954E}
24
E:\SysDrv.{645FF040-5081-101B-9F08-00AA002F954E}\sysdrv-x9349601.dat
24
E:\afk45.lnk
24
E:\afk46.lnk
24
E:\afk47.lnk
24
E:\afk48.lnk
24
E:\p.cpl
24
E:\~mediadrv.exe
24
\SysDrv.{645FF040-5081-101B-9F08-00AA002F954E}\sysdrv-x9349601.dat
24
\afk45.lnk
24
\afk46.lnk
24
\afk47.lnk
24
\afk48.lnk
24
\p.cpl
24
\~mediadrv.exe
24
%SystemRoot%\SysWOW64\wmpkl32.exe
24
File Hashes 01f90706734a3242e1291eb64d4c03f0b7d8e4f16803d1bfd54ab767d6a264c7
03d03cd36d8c2810bd53153b8ea1fc69007d1a895e03cf61d582896b419fb55f
0f727a25ec6f57f93822b0ba890084b4c087f4993024a184b632eccd75a0601b
101700d247dec0ce811a9a0206a4d5519cf4c3c822528575e29e51837ef27eb1
14091ac21e0469513be8f2d02c9ce3fa4740b175ab132413b5ec840eac511b3f
15080ee748c3931d82e81ad1d529b8456cc6626ac83ffc9f6e0db5786b086cda
188790c896d5217ae0281ee48ed9968e7f4d8a08609d846f423ee00ad11c1518
19e3178145302b3e46dcb5feb9877e88e11eb49d48e8d9dc140f9c512c23f41c
1a3939b63e71775a9a2ecd6731a3f2d8849c938b5beb13cdbccdda447fd97a23
1aee694929aac1bc24e47d9fdd983bf4acb5d1a19b7bc9fd4c78b3bfc65b159a
1b574c920e63fd19c7cea277f89c735f70d73573c3a3a45d815cc71e3b3cd609
1c43f31514c447df519707ecd4a6cc9d79f9b6e6273c64425c27c4a5f88b2252
254dc35faa305b0fd5e8510a5e48c1030024ba39e402a9db8b2cf63394a398b8
25dea1a6d70a275c6f94dfdf3133d04d0b6c80485acb4a289fd5f46a5b9f0265
29ff80a4961dff7384a5fc9b031d345282f3e6732e26c53cbcf3ba28b85ffc2c
2b249fa14dbc8fffdcf2beb568c6a6546febd25ad9a6ef8dd045833890349f83
2b2b72d960b7d1736268a6a9b6b3d248e3c2ff58504923ce2bfd7a7085a4fc65
2c9423d0b58466ea9562e0908bb45eefe5afa576c6831ff89cac45d2078fa56d
2cf78a61789bfa678f97329ffcd62f679ed5a11980e0d6696caae4472b833ae7
328a6ee6b2beb48487e7d783b4274ea9a4ac8b23fe62af6ec242014ed166e652
35d571401950954d7566506e25bd621b917b15ba357453563c90acc741907086
3a26f3fa6c6e7e2df5f364bd08d5ea225f2ad22762a9271d98740d7e8647fbf1
3ad2b19e2f0cac1467fc3bcc2a6ac95f1e38403468617ca910d3c306963b4af6
3e42beca6486e79e8aa0fd5620d7af6b967903fb419291da99f7754b33ba73f8
44d3e82f92a3a848db1d97b0b95dbb30c6664e9cd28d0c14ca73536ea5f5947c*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Doc.Downloader.Sagent-9431315-0 Indicators of Compromise IOCs collected from dynamic analysis of 48 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PROVSVC
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3DXOF
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3DXOF
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRPUXNATIVESNAPIN
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSNMP32
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSNMP32
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PCAUI
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SLWGA
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPROP
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPROP
Value Name: Description
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 173[.]94[.]215[.]84
48
37[.]187[.]11[.]160
48
43[.]229[.]84[.]164
46
103[.]7[.]8[.]131
46
72[.]21[.]81[.]240
13
205[.]185[.]216[.]42
4
205[.]185[.]216[.]10
3
8[.]253[.]45[.]248/31
3
85[.]25[.]207[.]108
2
8[.]253[.]131[.]120
1
8[.]253[.]131[.]111
1
8[.]249[.]225[.]254
1
23[.]199[.]71[.]185
1
23[.]199[.]71[.]200
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences synergiktattoo[.]com
48
justinkongyt[.]com
46
www[.]intelligence[.]com[.]sg
46
intelligence[.]com[.]sg
46
api[.]w[.]org
38
gmpg[.]org
38
fonts[.]gstatic[.]com
37
www[.]yelp[.]com
37
www[.]synergiktattoo[.]com
37
ctldl[.]windowsupdate[.]com
28
cs11[.]wpc[.]v0cdn[.]net
13
e13678[.]dspb[.]akamaiedge[.]net
11
www[.]litespeedtech[.]com
9
schema[.]org
7
cds[.]d2s7q6s2[.]hwcdn[.]net
7
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net
6
a767[.]dscg3[.]akamai[.]net
2
Files and or directories created Occurrences %TEMP%\OFfIcE2019
48
%TEMP%\Office2019\J0z5myj.exe
48
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
10
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)
5
%System32%\vdmdbg\KBDINDEV.exe (copy)
1
%System32%\dmcommandlineutils\msltus40.exe (copy)
1
%System32%\wlidsvc\ktmutil.exe (copy)
1
%System32%\AppxPackaging\MDMAppInstaller.exe (copy)
1
%TEMP%\CVR6AF.tmp
1
%TEMP%\CVRBBC.tmp
1
%System32%\RMActivate_ssp_isv\werconcpl.exe (copy)
1
%System32%\es\KBDTAT.exe (copy)
1
%System32%\drprov\rasplap.exe (copy)
1
%System32%\SndVolSSO\Windows.Devices.Printers.Extensions.exe (copy)
1
%System32%\srumapi\Windows.Media.BackgroundMediaPlayback.exe (copy)
1
File Hashes 02480931bf8a8b3e881ba422b102f207249b593518e41fe9d80cfc2260831d94
04b97f646e22eddca85ab67b16cab7dc4afaeba4f91a06d3ad25d98d1985f38e
0988c011847da56047d7c56ecb308a287e7086d8820b4ab5010d03bb4bd1c5ba
0c9bdaf25bc6465c491f19c920faa56544188ae9d41c7a0905bda06a835b6ec4
0ce1f9eb5a77c80202cc0a91a877c8385bcbc61b6c7c2a5fd5a093a7b181fb1b
0f8e990c9307312fb8034c19575537843ef21192f83fe1aa677cd10e045a9e8e
15614f9fe6b5fc4c1239cce9d4f1a1ea18ae400b60efba8c76023d4e9cad758c
157e011b3641dfbfc900a3ca21944bc8d8b69fb4c2804977e5e341f40f93fcce
16ff4fe3cba48e347fb641fca0cb7c6095a6f860fa876f219f68a217d61d1605
1bfd584355dbb008bdd75f8020faccf21ef4d8c89e00486f6717979bf78c38fd
1e30cf6e10390f4e65553597493e92c0e2a00210c5fba3ceeacd75c682d5bae9
205b245311901312ed7d08e486ee280d59cf15060b656390f4ea347a7eb6d485
28f570a49c85e61ededd992a81ac41afc645788e1ebd28b542cbb51fccc9fe72
3047248964013165db7c29d497534910e95c53cce560dd0b52f896d8071085c8
32c5a3488033ba4299a0c21c08fc12c7fce85323855cef8e71788250f6dfa656
32c7119fd7bf1474715501218947a304b37f2891299853952af6dad147fcde31
35bb5a6cfcf9621d2ba567aa7f4bb36717a4e80429bf283a3f3e8bcf336caae8
373746de1051086e14a05098652a92c9cdf9bbe20f23809b9347b2a55cf53e13
3b6e44377bca92d629f9924fa890eda7a54c191d829480a8396c22876429baec
43323bdb41df07f7e469908c9e39ad631fc65ab7bb49def978f136d0e0e12031
44279f3cfc9724d88ffd9da0fcbab6a97f773fffa7e7206cf318e4eba969fc05
46a93eed05754760f5ba802dafeda47962f308540ff4b640d3c11fb2939a080d
4b03db8f1e87958078c087ad30a89527603f05c95ec6619325dd64298856e246
4e132ba6d019767be2f8156e367e5c0f60ee91db33f3517c525d22cace8bfa9b
5114a1e83db1ff843b0500b41fc4d3155bee2bfd98ebfb2f64514427d1d7e331*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Malware
MITRE ATT&CK Win.Trojan.ZeroAccess-9406344-1 Indicators of Compromise IOCs collected from dynamic analysis of 33 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Type
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Start
33
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: ErrorControl
33
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 88[.]254[.]253[.]254
29
92[.]254[.]253[.]254
29
87[.]254[.]253[.]254
29
180[.]254[.]253[.]254
29
166[.]254[.]253[.]254
29
135[.]254[.]253[.]254
29
117[.]254[.]253[.]254
29
119[.]254[.]253[.]254
29
115[.]254[.]253[.]254
29
134[.]254[.]253[.]254
29
206[.]254[.]253[.]254
29
222[.]254[.]253[.]254
29
182[.]254[.]253[.]254
29
190[.]254[.]253[.]254
29
184[.]254[.]253[.]254
29
197[.]254[.]253[.]254
29
130[.]185[.]108[.]132
16
82[.]238[.]108[.]66
12
98[.]178[.]156[.]250
12
111[.]169[.]199[.]72
12
98[.]204[.]174[.]164
11
208[.]107[.]225[.]25
11
69[.]112[.]189[.]232
11
76[.]177[.]210[.]91
11
75[.]181[.]56[.]80
11
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences j[.]maxmind[.]com
33
Files and or directories created Occurrences %System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8
33
\systemroot\assembly\GAC_32\Desktop.ini
30
\systemroot\assembly\GAC_64\Desktop.ini
30
%SystemRoot%\assembly\GAC_32\Desktop.ini
30
%SystemRoot%\assembly\GAC_64\Desktop.ini
30
\$Recycle.Bin\S-1-5-18
30
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f
30
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@
30
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L
30
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U
30
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n
30
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f
30
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@
30
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L
30
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U
30
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n
30
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log
26
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@
23
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n
23
\systemroot\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}
3
\systemroot\system32\services.exe
3
%System32%\services.exe
3
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\@
3
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\L
3
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\U
3
File Hashes 0768ceb62a6a9f61088819a45173e7597fa62374a06aa38f1a9fcb468f1abe01
0cc69db658e9ee0e0b67867529df19769a5fbd2abd65665d42888f123b7bd973
0e29ed3a4a56881388d49418c30a5dbbfe88fb6b9bffabfabaf3fe4501dc8058
0ef4e57067637fbdc5870202d8068b2683714cd91cd1e9c0a1c3ff20cdbe0972
0f06d58c1af6abf844006187e206799c5b9071aed65015d4deab39fab48106ad
11fe7a5c5d48ef5bd174e3063ad5a9405e3e514914cce0e1399d356f963f34c6
141779d5782d21252e7aa8de4f457d1134fe61030b413ebb14081934af0a1bfb
142f9fbbe5c29fe44acce248efdb7219691672c9ec5eb587adb0298c476d1cf6
17f6522781da9008dfa877a596ad0028400f36ecd8b657c755017d212c02e271
189f1c97975b7f1531a52e015fac6ec88406f46c8e9ffd0366969d6f3b27ab0e
1bec33956004759107dd425160000abab63e404a9e5a2c90f174f507af4097ad
204b39438cb163b799148b935a5a61c4932c3a59628f3107307410ddef8472f9
29fb4d5dbe99877d30db2d01240d431441b576a72cdd41b8a72e93058deff14d
2dccfcb049594eecaa3896500c0519aa64a394ac797fb89d138c1fbe538e4052
301f916d3c96c12eb602d2608e0ff666f01c4f54ba1c6d86ddbdfeca1a422bd9
3150509b0ea9464a43f0c73c5d58e34b2d101fd9adbf3515b527ac15ef5b5615
355d2753380e49e43305e628803d520f14939df5ff43ec5aa7380ff322cdc57f
39301feefcdd8a92c3d5e53f269f21cde33e9f97f48b4a875841e0a5f64b3692
3b5fcebfd0e6fcb8393b0970c8e2b3bb098f557f9152a4af1eeb594d2406d290
3cbecb4db34eee1e5cd0bfaeec1e5e6209776a1fd8fd62728ac0d14300449166
3f072060be7626f84773860d3a834aee3d7ea724cf5547cc928a3c737e916c69
3f3220f777206569fcd3628c51b53a4f103eeea0288a22159e64f81b1570b931
44353e88ed952d67fc9f7b0453e033eae18f6ba125b35ddbbfd8effb75902b2e
47297023886b6e9b87fdfc6018adfc4ddd6d869bc2e185561d387bfc21f6374e
4a948cc5fc09e6999188476cec8e209e2be2c6e7cc241b40c16d81d0a8097e0f*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Packed.CyberGate-9446722-1 Indicators of Compromise IOCs collected from dynamic analysis of 129 samples Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
58
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
37
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS
36
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
22
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL
22
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID
22
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID
22
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE
22
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{<random GUID>}
21
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{<random GUID>}
Value Name: StubPath
20
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
12
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: NewIdentification
12
<HKCU>\SOFTWARE\DC3_FEXEC
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: csrss
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: csrss
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: csrss
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: csrss
10
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\MICROZOFT
10
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: FirstExecution
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsDefender
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsDefender
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WindowsDefender
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WindowsDefender
6
Mutexes Occurrences <random, matching '[A-Z0-9]{14}'>
20
<random, matching '[A-Z0-9]{14}'>_SAIR
16
<random, matching [a-zA-Z0-9]{5,9}>
15
Administrator5
11
_x_X_BLOCKMOUSE_X_x_
10
_x_X_PASSWORDLIST_X_x_
10
_x_X_UPDATE_X_x_
10
<random, matching '[A-Z0-9]{14}'>_PERSIST
9
Administrator1
6
Administrator4
6
MasterBl4ster
6
DC_MUTEX-<random, matching [A-Z0-9]{7}>
6
Local\https://docs.microsoft.com/
4
***401C6XX500***
3
***401C6XX500***_PERSIST
3
***401C6XX500***_SAIR
3
FYG4HCTRE1
3
egregregerfwde-readfile
3
**MUTEX**
2
**MUTEX**_SAIR
2
IXGKC56ZVE
2
CWSPROT20S
1
ITL49EY2Q8
1
2BAPBWGP14
1
8A58FNQNRC5VQ1Administrator15
1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 104[.]17[.]214[.]67
5
204[.]79[.]197[.]200
4
212[.]117[.]50[.]228
4
172[.]217[.]197[.]156
4
152[.]199[.]4[.]33
4
65[.]55[.]44[.]109
4
20[.]36[.]253[.]92
4
23[.]5[.]234[.]11
4
172[.]217[.]7[.]142
4
23[.]203[.]29[.]190
4
151[.]101[.]128[.]133
3
69[.]65[.]19[.]115
3
13[.]107[.]21[.]200
2
153[.]92[.]0[.]100
2
104[.]20[.]68[.]46
2
151[.]101[.]2[.]217
2
151[.]101[.]194[.]217
2
151[.]101[.]64[.]133
2
151[.]101[.]192[.]133
2
140[.]82[.]114[.]4
2
199[.]59[.]242[.]153
2
104[.]17[.]215[.]67
2
52[.]201[.]110[.]209
2
92[.]241[.]164[.]224
2
78[.]159[.]135[.]230
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences blackshades[.]ru
7
www[.]maxmind[.]com
7
blog[.]maxmind[.]com
7
dev[.]maxmind[.]com
7
static[.]maxmind[.]com
7
status[.]maxmind[.]com
7
support[.]maxmind[.]com
7
xxxblackfirexxx[.]no-ip[.]biz
7
web[.]private4919[.]com
7
schema[.]org
4
www[.]google-analytics[.]com
4
stats[.]g[.]doubleclick[.]net
4
github[.]com
4
avatars1[.]githubusercontent[.]com
4
az725175[.]vo[.]msecnd[.]net
4
aka[.]ms
4
avatars3[.]githubusercontent[.]com
4
developercommunity[.]visualstudio[.]com
4
cdn[.]speedcurve[.]com
4
w[.]usabilla[.]com
4
oneforall[.]no-ip[.]info
4
tippyshot[.]no-ip[.]info
3
synopsys[.]no-ip[.]org
3
prempmatt[.]no-ip[.]biz
3
lethal[.]no-ip[.]info
3
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log
45
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp
20
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>
15
\Autorun.inf
11
%TEMP%\Administrator7
11
%TEMP%\Administrator8
11
%TEMP%\Administrator2.txt
11
E:\Autorun.inf
11
%TEMP%\XX--XX--XX.txt
10
%TEMP%\UuU.uUu
10
%TEMP%\XxX.xXx
10
%APPDATA%\<random, matching [A-Fa-z0-9]{5,8}.exe
8
\Autorun.ini
6
%APPDATA%\chrtmp
6
E:\Autorun.ini
6
%TEMP%\tmpcmd.bat
6
%APPDATA%\data.bin
6
\SYSTEM.EXE
5
%APPDATA%\logs.dat
5
E:\SYSTEM.EXE
5
%APPDATA%\csrss.exe
5
%APPDATA%\lsass.exe
5
%APPDATA%\Administratorlog.dat
5
%APPDATA%\cglogs.dat
5
%APPDATA%\Microsoft\csrss.exe
5
*See JSON for more IOCs
File Hashes 0bae59beb875fb459bb3ef865ae185e9335b3fb29b2901c68e58e24654be3ef2
0baf9884c6b793c75c12410b7665d050ab789f1c94d696187494b999bd932f2b
0bdac277ec7c6b79e1490605cddff5228bdff4837c541f182e0d82ba5844e1c5
0d7a20b908612c157b2c6980cdf28b41e7cd71bf8cd31e1282fb5ac13eb359fe
11ed3d5888bbcc613f74f96c003a32edf3d72f9f931c153acb478c2455213ac8
13b8afd2fdb23045b3e7c25cde989b55c71afea1820c8813f1af4a471dc4629e
14d1a0a0df4afa1a182ad91fd855d31644d31a4bb6cc9f7c0af6ad73a8c10352
17964fadf462c3a94ce55d8f1d13656e7037b8402c031d6eb1e74013e330a541
17af01a87a023b5dfe6858f891c3333e4711063d8b06eed5b6ed18d2e9e31752
17b68ff8923ba0cf30d85cceff8098e2f3ca85409b3c48b27f25d0ccde6034f4
1b30c94652dee2930803d75ace0b29d7df3a6fdfef125b46318bd0dc39ed7331
1e76d257e24f548fbe0a93aac540be21c565bf69506e75e2c7689421d2a66118
1eb310c44523707cbacdb8ab12412d92b732628ff1fde591900c9b5a3a0a73f2
21d8642a8e6e11b88ee6a70c2380f86768ae2022e32fdbcf3f4614894c765922
2367a5b82443e197d7ee1269ddad1e58df256fd16c44a7b243d29d8a6d3a3321
2ca7e0922f77c2027b006730efc4b45b506734827cd344db52bdf815c2184a9a
301168e06dcb03fc1ede4bd39a312a51453f7bb340c26fd945e2d15c373775ba
3152a501494e1494275f3435ab0051f0dbac0eaa43e39a960350d5076b9b07f4
319daab18402cac88c7c51cc919562257b95481a1b682e2e4d2c2a845437e17b
3b49e1428be06dd1f62903514d10e695f0d6c8bdcaccb8303e8898c62dfbe794
3c01cb4b803ac287ade2980ed979c7d59fd17444ff6b2c842a9a705914619c01
4544c3a23d113d2ac541feaee75e648f02bc86fba1164badb1a2d481d78c5f70
45bd8e4f15ece029c60748eb4e25699d6d9147eb0105bf1356a8dcd93156ca22
497becaa7378aa9842b915c8b75fbd408b8f86c7b4906ce7e1c47e2da862cc08
4a4981a681753e14667bf1a82039d45833e5786e04dc0262ae49fac977c583df*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Umbrella
MITRE ATT&CK Win.Adware.Dealply-9476483-0 Indicators of Compromise IOCs collected from dynamic analysis of 15 samples IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 13[.]248[.]196[.]204
15
204[.]79[.]197[.]200
3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences info[.]opensubcdn[.]com
15
rp[.]opensubcdn[.]com
15
Files and or directories created Occurrences %TEMP%\INH158~1\css
15
%TEMP%\INH158~1\css\ie6_main.css
15
%TEMP%\INH158~1\css\main.css
15
%TEMP%\INH158~1\css\sdk-ui
15
%TEMP%\INH158~1\css\sdk-ui\browse.css
15
%TEMP%\INH158~1\css\sdk-ui\button.css
15
%TEMP%\INH158~1\css\sdk-ui\checkbox.css
15
%TEMP%\INH158~1\css\sdk-ui\images
15
%TEMP%\INH158~1\css\sdk-ui\images\button-bg.png
15
%TEMP%\INH158~1\css\sdk-ui\images\progress-bg-corner.png
15
%TEMP%\INH158~1\css\sdk-ui\images\progress-bg.png
15
%TEMP%\INH158~1\css\sdk-ui\images\progress-bg2.png
15
%TEMP%\INH158~1\css\sdk-ui\progress-bar.css
15
%TEMP%\INH158~1\csshover3.htc
15
%TEMP%\INH158~1\images
15
%TEMP%\INH158~1\images\BG.png
15
%TEMP%\INH158~1\images\Close.png
15
%TEMP%\INH158~1\images\Close_Hover.png
15
%TEMP%\INH158~1\images\Icon_Generic.png
15
%TEMP%\INH158~1\images\Loader.gif
15
%TEMP%\INH158~1\images\Pause_Button.png
15
%TEMP%\INH158~1\images\Progress.png
15
%TEMP%\INH158~1\images\ProgressBar.png
15
%TEMP%\INH158~1\images\Quick_Specs.png
15
%TEMP%\INH158~1\images\Resume_Button.png
15
*See JSON for more IOCs
File Hashes 0a45836679748386146da47bb59a96b5c7620c6672615c2b2f1a781b86fecd71
2146c3c85611f024adc38ce32f9b601d4520fbe7b1407da6167df1ec9b1e8bb7
3b8b24a6699ea37723b95627e05d58ee5db0df8ee5058d96659771ba3d3dc376
4811135b54469df599262cb2dcb25cbaae4dff9886a006029a39d737686a7c27
52f8a4ee10a44c42278558b64e481fc60460bea81dfb1f0630214ea43c26f96e
54a0eb7763a431b09e659c801fc03863b76c2bea6ab686ce7cbf02b4a6ccff51
5b184c02ad821c5d9099eae869a5f42973a36d3723c647e4edc9860a007e1989
71a0a62d30ac584ae69e926d8ba2bb923d50bf96a13357e80447ae92d7dd1a9a
92350a75b5558b4a94ff9a581d39b2c6bcae26059ac53aa0e112e35b897123ee
a22538b7effc6e5b1fd07fd2d62e596ad89c49b4214c999a653b86d36f85a993
a56294862f17c9e2de13172c10cf0d1ed6f5e7e0de6213fb1060898581e995fc
c5a2ae950a318b8472513cc5db8332ce7fd24746af775adfaf8c969d3094bfb8
d6e0f80c4e9c51b3e3036fd0f68d50ca9fea536d9a462b8e64c1c13cf723601a
ea52b13b61a45818f8a25c5c2aea2db0dcf2a3ee873dba289d69d5373cde3936
fc9da101aa25f81ca9d8152d8c3cd6d784fa1de0446a352e411cf78a19bbdd5eCoverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Malware
MITRE ATT&CK Win.Trojan.Gh0stRAT-9455238-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FBBFD190
25
Mutexes Occurrences lsw8.q9p6.com:2555127.0.0.1:2012127.0.0.1:2012
25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences lsw8[.]q9p6[.]com
25
Files and or directories created Occurrences \atsvc
25
%System32%\Tasks\At1
25
%System32%\Tasks\At10
25
%System32%\Tasks\At11
25
%System32%\Tasks\At12
25
%System32%\Tasks\At13
25
%System32%\Tasks\At14
25
%System32%\Tasks\At15
25
%System32%\Tasks\At16
25
%System32%\Tasks\At17
25
%System32%\Tasks\At18
25
%System32%\Tasks\At19
25
%System32%\Tasks\At2
25
%System32%\Tasks\At20
25
%System32%\Tasks\At21
25
%System32%\Tasks\At22
25
%System32%\Tasks\At23
25
%System32%\Tasks\At24
25
%System32%\Tasks\At3
25
%System32%\Tasks\At4
25
%System32%\Tasks\At5
25
%System32%\Tasks\At6
25
%System32%\Tasks\At7
25
%System32%\Tasks\At8
25
%System32%\Tasks\At9
25
*See JSON for more IOCs
File Hashes 030cb9b1d654afb7c56ddcb4043bbeb109a7c6f85c78d5e3f41bf0ca6923360f
0593bf706362b897ed95ff3f42c1d922d210fbe7138a32863bf7c293c20536a0
0c32783e6d40e2c16be39d2b21d49276f915afa4e5331384d13b6ccd256af89b
0d07afe19a374251d30be4a65df595a526bcc26721e6d6c6f4de8454526aef36
160e0b1fcf609297976a222b0ef8d0cb378482ad77c365ee2493c34d7618cb88
1e4eb1b05a1b88a2e3f99132653c2ac0c576b6d347b56938abe42a58b82b850d
24bd90ef1dd1b2b66b1f424445f1a4d4fdd6f6c6171d6bf5cf931a19ff441164
33b4f5b8b38d833bf66ed5603755b6326d21a8a6a893de6be0e652e512f051a8
3ec6c56c4fec56f0304b8807378fbc1764087b741fb4875843075c8698f0d3d5
40d93b6833d74fb1a233af2ca0dbde00ec488410a7a2b97b506947a2c12ee317
46ce940d59aa492d10e7a2c16b75ed2cc61f5af580c11a67e62b5ffa1d77b975
4802f4911362f06f44463ed07c1d8f9967570b68f6e40c64e77d58d314f8157a
520a4f9f74e6b689d55c871668ed0c1fc0aac3c3bacd608b86b88c72d47d1bf6
5e0a7b0103b8985820bb64f6d540256795c1fe31b5d6a9438980e9068fa7b8d1
7033bd3be4915d973123350ed7e2c4e2bb63d7234b661d37c1608c8739770023
74e61026c627788afb97807298d98dfdc6c0a1cd8d1f48366ed9cfbbf3717d34
764c79b760c8a66e22cce3430db56c7fa290e4e75abce537a6f7b20bcb37c5e1
76c3d0ba8a7dbda062179a525f07aa4228a337772a9869530b02a7ec6a9f10c6
787a9c8ef55fa141c035beeebbbda5ed70d033a002fae8273880740a15f0ef05
79c4bec94a99695611111e3a5599b7942094567b06d3c6220139d4c7489e8c7f
7b3153e06ab4a0fac7814d3625ad1387c68316aca924c457af1d0a2fdeb38ef7
870ce7c64dce57c0bc626808bb4c3c3aa7a5061a1125453610a80cccff200f70
a70e132b96f95b2b1f4e5e9990d181c7bb1d478ed07d5e18158fde616ed6eab5
b1a1faabb23265c5994d3615ef780a2ee7c9f66cbba167bf5e88024a48df0f53
b7324d6c2952803a32e2014d82500c45b847124aa1bb21f9b7cfd3d3e759d233*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Ransomware.Cerber-9408183-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Mutexes Occurrences shell.{381828AA-8B28-3374-1B67-35680555C5EF}
26
shell.{<random GUID>}
23
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 31[.]184[.]234[.]0/25
26
216[.]218[.]206[.]69
1
Files and or directories created Occurrences %TEMP%\d19ab989
26
%TEMP%\d19ab989\4710.tmp
26
%TEMP%\d19ab989\a35f.tmp
26
%ProgramData%\Microsoft\RAC\PublishedData\README.hta
14
%ProgramData%\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
14
%ProgramData%\Microsoft\RAC\StateData\README.hta
14
%ProgramData%\Microsoft\RAC\StateData\RacDatabase.sdf
14
%APPDATA%\Microsoft\Access\README.hta
14
%TEMP%\24e2b309\1719.tmp
14
%TEMP%\24e2b309\4436.tmp
14
%ProgramFiles(x86)%\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta
13
%APPDATA%\Adobe\Acrobat\9.0\README.hta
13
%APPDATA%\Microsoft\Outlook\README.hta
13
%HOMEPATH%\Contacts\README.hta
13
%HOMEPATH%\Desktop\README.hta
13
%HOMEPATH%\Documents\Outlook Files\README.hta
13
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
13
%TEMP%\<random, matching [a-z0-9]{8}\[a-f0-9]{4}>.tmp
9
File Hashes 003e76a189c72139a69fb8b05506c4edf415746325da0489246253b536c7458c
0059c870db8630cb007aea2fde9b3359ea97359e874a619fb8f5ba1bcfe01052
0110f39ffd440ad6ec2e8ec516dd90d7810178f26898485503cd9c1cfb0330fc
033583835022118ef5af11428a70b52f692e106c027eaf951a7ec3eb277dbbd2
037d36515a2708b10b41faba8193d6ce7c63a689f5c4897967c7dc659425eeb8
0457668fe0994f8d6bef8b01a0c087b9039d4c466b3b89f5f230397886c4f32d
04605951d2e32153b09747fbd55471ea08caaa5f8666fc44889dcdb87371da7e
049c1ca386cf04eab21de1e7ee3be7a33b4cc8708094535e97a59a4f1070b28d
04d949cebf68f37decf3a31fbd46a347429c36a700529ef15a53d1882cf37b1d
055d6753938acc767632db1bec8eb6de783de36972e057b1a0c14bf315d6b387
0777fc68803bdf85239eedf2afe130fccbe3b54fec1667d07079b849fbfc7528
07c90afca8e787147877908ac2081e9bfe95ed2f5a4421b7eedbcac90cf9d789
095c322f0e90b43ff4b9cc6a8b86be6bbf9f1531245e967858c46c5136847fac
09d9b0bd4957f7a751b31e842790ee58072cfb284c3ce6d156b5c5fd942cbd93
0b8392f22c32ff0ddf5aa95566b3f160814479591512a9c44dfb9e4483deceeb
0cbed10c1b2a71335150389875dd118d422e5cec3ab3dd54084a993c046b18c9
0d1fbdf0ec2b7ed2bd6818e46b13b3e14762bd72612970e7a050888382bf0272
0dd0ab144c8e4c1aa207ee829af42a2665b44224968a0f1426e6f792f33e2bd3
0e4139bb0de5bf11bb274bec2e02783a5d6cc550d5b9b952750094a4fbd98626
0e7bc604f6cd985d665d9c435772606038fb629af1a460f01721ca954d3c7ff1
0eb01d713dfe4ec0b5bff83c77d1893c3607922e5ad874a8d5a08cf9c718182e
0efa6308ec98c0a710d6ce9ae4e65cb3a501186da46ac043639793b658c9b301
0f5259e011c4e9f38bbc3621253b71e4a03ea9d566f8ccc24935b16bc7e9ccae
0f6fb32d40667093618ca0a9ce220bf2a2df3d07f6e7f2ce833c0cef6f732b9a
12341057a4946b4505996f6dea6682194e89dd07c4f7577140699e7cccf64834*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (8610)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (2230)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
CVE-2019-0708 detected - (2148)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (1162)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (851)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Squiblydoo application whitelist bypass attempt detected. - (713)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Malware dropper detected - (493)
A malware dropper has been detected. A dropper will download or unpack addtional malware during it's execution. A variety of techniques can be employed for the payload to gain persistence and escalate privelege if neccessary.
Installcore adware detected - (380)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (239)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Smoke Loader detected - (87)
Smoke Loader has been detected. Smokeloader is used mainly to execute other malicious software, like ransomware or cryptocurrency miners. Its initial infection vector is usually an email with a malicious Microsoft Word document or delivered through an exploit kit. Smokeloader uses various plugins designed to steal data from its victims, particularly credentials stored on the system or transfered over HTTP, HTTPS, FTP, SMTP, POP3 or IMAP.
