Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 11 and Dec. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Packed.Razy-9807129-0
Packed
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, and sends it to a command and control (C2) server. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.LokiBot-9810026-0
Dropper
LokiBot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Packed.Dridex-9807477-1
Packed
Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Trojan.Gamarue-9809766-0
Trojan
Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Dropper.TinyBanker-9805436-0
Dropper
TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Cerber-9805579-0
Dropper
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Malware.DarkComet-9805462-1
Malware
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The abilities of this malware include downloading files from users' machines, mechanisms for persistence and hiding, and relaying usernames and passwords from the infected system.
Win.Packed.Phorpiex-9805496-0
Packed
Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners.
Win.Adware.Tovkater-9805523-0
Adware
This malware is able to download and upload files, inject malicious code and install additional malware.
Threat Breakdown Win.Packed.Razy-9807129-0 Indicators of Compromise IOCs collected from dynamic analysis of 15 samples Mutexes Occurrences pqjesxbetoipuevrzns
2
jkkwscxyxgicsrajtct
1
gysgkglikgrljg
1
vfgergret34543gretgregegregre
1
lmiaweiaeqbdx
1
ykqyyitwabfdyas
1
wughsbrcbs
1
rmyzowadprmodo
1
acakncjkxas
1
3Tg$whNpq57
1
khjzjmiphbahelzzxhz
1
wsm
1
lwqtipbgnfjzskf
1
pxcnhmkpvrbvb
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 193[.]161[.]193[.]99
2
192[.]169[.]69[.]25
1
204[.]79[.]197[.]200
1
104[.]23[.]99[.]190
1
104[.]23[.]98[.]190
1
3[.]125[.]223[.]134
1
3[.]124[.]142[.]205
1
3[.]125[.]102[.]39
1
89[.]151[.]179[.]219
1
172[.]86[.]75[.]184
1
190[.]96[.]9[.]250
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences pastebin[.]com
2
0[.]tcp[.]eu[.]ngrok[.]io
1
shaguma[.]shaguma
1
pashalol[.]ddns[.]net
1
windowhost[.]duckdns[.]org
1
drei[.]ddns[.]net
1
lufeteme08-28070[.]portmap[.]host
1
Files and or directories created Occurrences %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
12
%System32%\Tasks\Chrome
3
%TEMP%\Chrome.exe
2
%TEMP%\tmp9296.tmp.bat
2
%APPDATA%\chrome.exe
1
%APPDATA%\Microsoft.exe
1
%APPDATA%\discord.exe
1
%TEMP%\tmp2054.tmp.bat
1
%APPDATA%\windows updater.exe
1
%System32%\Tasks\windows updater
1
%TEMP%\tmpE91A.tmp.bat
1
%TEMP%\tmpE708.tmp.bat
1
%APPDATA%\Isabellamenu.exe
1
%System32%\Tasks\Isabellamenu
1
%TEMP%\tmpD9A0.tmp.bat
1
%APPDATA%\spamSTRNG.exe
1
%System32%\Tasks\spamSTRNG
1
%TEMP%\tmpDAB8.tmp.bat
1
%APPDATA%\granr.exe
1
%System32%\Tasks\granr
1
%TEMP%\tmpE10F.tmp.bat
1
%TEMP%\tmpD25F.tmp.bat
1
%APPDATA%\windowhost.exe
1
%System32%\Tasks\windowhost
1
%TEMP%\tmpEC55.tmp.bat
1
*See JSON for more IOCs
File Hashes 2999619e991cfe7e3bb4328a77af501f6e579cd1669f34a5205c29ffb2cbb4bd
3278f4bf51aae1514f016d4330d67b5b3604119ffe27e8f826741859a756945f
43a2e6ac77d7abe026cf67a34f5d4554a91dd468ce2c49704c62e863e17743eb
635764fd5b8571b5062d8c3c6c65ab13bd79400e56a318b615d7309f8f08d3c1
7717611ab94371aa922a4f43b4eee8281806e96db49343e7d01a10d96736fa04
7c819c2018cb3379e4d86fd484ed934b2e4a54ec0dde44672cddb3326d2839f6
96a353ce7629e660fd9a2f338d93780bbd97d41ad97f6138656e5cbc04d0a8cb
b7827a3c564104b8f7554cd23eed39fa64fde30d7a214deabc0452bdaedbeac2
be1a6ee20a575f37c4e088e2abd065e6442d7128957cf3c8b73669543609a768
c3c634e5d4ee8aa6eeb7896e14bc39c6ab8b4ceb39dc26bc09418e4bfa9b0820
d18d5ddac89212055c40dec27fdcaca767fb4837be90b3083f010b967632c6a1
d2000f86d47cc1a1ab87f3080c90b4b61aaa317aac5c2d4cd8609286ebacee8b
d65a440cf4aa514549c170ab23a4dd10dd1cd10ffc463e4614a9e7907d5f52db
e10377d38b8109ab9d8e183d5a5454a40930e06f3d347040f4798caea735e9bb
fff76a9025af33a54cfef80ff36c3c404a2a7651b0e87c0f8070667dd3d3e43eCoverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.LokiBot-9810026-0 Indicators of Compromise IOCs collected from dynamic analysis of 18 samples Mutexes Occurrences 3749282D282E1E80C56CAE5A
18
9DAA44F7C7955D46445DC99B
18
Domain Names contacted by malware. Does not indicate maliciousness Occurrences techsupdate1[.]com
8
pionveriy[.]com
5
resgisupdatex[.]com
4
seeuaround[.]info
1
Files and or directories created Occurrences %APPDATA%\D282E1
18
%APPDATA%\D282E1\1E80C5.lck
18
%APPDATA%\7C7955\5D4644.lck
18
File Hashes 041a012857581e0ba47e34c8dd9b04244635ac09c00c0654b6e2e030c9c31827
0a4b7dd6ccf1750636e5f74ce6f585f2aa5fe1dc47d713a74ca25c54c403f6a6
1d82fae9f22c8b45d1b55896b090941ae358cc3b9f6a0f4d2ce6c94a512137c4
2f6b02f2cc7eac9bb57a6975605ada140b77b085bfffd4f35f9d3060ac439f35
44da978b7ae48c8478863501356144f3174f6a4903a70700d8c8c1ea07918011
48acb3ef5106e99fc286e627b5248819ad9977da6fb988edfc7a821443fb50fd
7b70695e1126854b4d8ae9b74e0230b8af259041a99e81bbae2fa6af97fc3562
7bb1a1b5d3cde416cf0bd6e415c72e71e86875496c769586b9d93eef5e0460db
846de7e8a718bad7201687c51e1fbd0f060693f6e627e69f3b6407a10e2b0497
91ec719c360c1df573add1f07c7f3d1388e3788c50272dba76fd114c24ece746
aa93570516c9f63788671d50401d1204dc0692f6a5b421d7ca8243188276f77e
b84003d47b0e314bf4c582061891059498cf60bbe9701e88aa0a782e2e10a54a
bbfd4677e7c920f92c538f36b1d6bfa4d0c58aea06185b9c66f2b925a17d1af3
c42c269bf5a416490d0e719d3e1c43fe164411a8e5f97eaaee5fcb4ae4bb170e
d9950c4638bd7361213d4fb5bbd690e7b0fd5af28d3fe63a108643122eef7090
db67c41032b030e09c8469c39132cc5a9d40abedb5bf8f0a4dde480e76d9ea3d
e14dfc06ae8f19022e328edbd62018064f6b0df962e78f956e519d87b3c57051
ed52dca2da06f590161223262b2db3965338ec527a768dcd52315789f51f0868Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Packed.Dridex-9807477-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
<HKCR>\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
Value Name: LanguageList
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
Mutexes Occurrences 2GujNArCSc
2
N2FPG7E5w0
2
XFQwKgZVek
2
ZAPmiUZXa4
2
pMMmGdBtae
2
xuvkWx8erY
2
y5xWLULRTH
2
2FLaR1DVHA
2
5euE6Q5UdU
2
Amvh1TUYCO
2
OQYsOOWoCe
2
Rji3nPWZDC
2
T4TegwGSUi
2
Xa57p3qapW
2
zAq7ad7lBy
2
d2l4rOq4Je
1
laKpLBSItA
1
HUKYs7D4Jj
1
eYw4upHTxK
1
Jdf4wguXMf
1
gUS5503cXZ
1
PBMC1A4Eux
1
gGyHUo0Jie
1
ozvMyrLtPr
1
v7M0tPZUJJ
1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 172[.]217[.]7[.]14
24
104[.]23[.]98[.]190
15
209[.]85[.]232[.]100/31
11
104[.]23[.]99[.]190
10
209[.]85[.]232[.]138/31
6
23[.]3[.]13[.]88
5
72[.]21[.]81[.]240
4
23[.]3[.]13[.]154
4
209[.]85[.]232[.]113
3
209[.]85[.]232[.]102
2
8[.]253[.]156[.]121
2
204[.]79[.]197[.]200
1
8[.]253[.]131[.]121
1
8[.]249[.]223[.]254
1
142[.]250[.]64[.]78
1
74[.]117[.]178[.]58
1
199[.]101[.]134[.]234
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences pastebin[.]com
25
ctldl[.]windowsupdate[.]com
17
a767[.]dscg3[.]akamai[.]net
9
cs11[.]wpc[.]v0cdn[.]net
4
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net
4
www[.]ahspbpwk1e[.]com
2
www[.]czh1fjrqbm[.]com
2
www[.]fdqcscjz9v[.]com
2
www[.]gs3dgvse7l[.]com
2
www[.]m59zmtepu8[.]com
2
www[.]xg8jlax2h0[.]com
2
www[.]yco4dnredv[.]com
2
www[.]chy114ol6d[.]com
2
www[.]ehxxgzl8ut[.]com
2
www[.]fczzcla0ty[.]com
2
www[.]hgsipef84d[.]com
2
www[.]i2tkslgkdy[.]com
2
www[.]pjbqb6vedg[.]com
2
www[.]tsw4gdbisu[.]com
2
www[.]zlimtm2d66[.]com
2
www[.]mxjae3i3xa[.]com
1
www[.]ntavnfvtpa[.]com
1
www[.]oabnb7bvwq[.]com
1
www[.]pfdkwobjxd[.]com
1
www[.]vg5g0m57va[.]com
1
*See JSON for more IOCs
Files and or directories created Occurrences <malware cwd>\old_<malware exe name> (copy)
25
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp
15
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0cde4e42\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0d322ba6\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0dee3a6b\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0e61b52e\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0e79bfbd\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0ed5cb37\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_1ed742ed4e534123c337623953b1f5d0715bc_e38ee6b0_0f061d10\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_0e35a938\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_cab_0ddd7bcf\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_cab_0ddd7bcf\WER772C.tmp.appcompat.txt
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_cab_0ddd7bcf\WER77AA.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_cab_0ddd7bcf\memory.hdmp
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467822.exe_9c91d35c9df2b551ab20b8c1dad1453c47fcb4aa_e38ee6b0_cab_0ddd7bcf\triagedump.dmp
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_024ddb76\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_043de4dd\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_06e1fe41\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_07be7814\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_0cd24a5d\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_0dd23f51\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_0f565625\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_72d61c97e5bb78be7ba41a4e2327fd518cc4e067_368797de_0f766121\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_80909fc915b6a6d0b9db212be35ba76fbe637af1_368797de_08a5d397\Report.wer
1
%ProgramData%\Microsoft\Windows\WER\ReportQueue\AppCrash_465467910.exe_80909fc915b6a6d0b9db212be35ba76fbe637af1_368797de_cab_0b65badf\Report.wer
1
*See JSON for more IOCs
File Hashes 00b131fa9a8c08d98433d8595034e51b80784932d8fa4bac863ce8f70f3af856
033d5b7ac424bb285b3b7c4e188acf66e92fdb06e2f494e0786a713f11bc5675
0514c7cb8e069ce657e5672d83d31e68b65c99ae7f6e5a86d08d89c690c09af5
072cb9fe091174548a907eb6fba16e0a7076d7eff6e5623f2109d28b58a66af5
091d12b78592ea8db5f83dba429b3a088e3ae62fdcca489861824062c8f5ff23
1379bc713816753b7f9b8bd97cba679a87084d73f3c386647a649d8980bbbd42
14c56a06a97877ff946460855d2422d306fa6bf4972f686c45168160e79c45c4
16bd5a90214d427113dd67424f717e4b8d11985e773f5380c59280a42da0e822
16f5711bf9635e679ac65141c651e4740a2b9fc349d8e335e6b39f44a4fabbf9
1913d9841d42884fbcb51b74f1806eefbf619b8dc3e36569388870a796153e12
1a9ef6ff0a5f76f096ad4375296d15c14e6ea96f42e62af8ef191b4e4517be17
25420b5af983fdf54059c50ace2e34a9432fa0e3148a0e6363376f9e9617619f
27c7557bdf25884fe3b58f98277fae4cc7a77f24c292fbeed6abb2549d16e9ba
27f353645626f39108c9a1cfc2e28cd1c089972dd41621cd17610ec48c90e90d
2b33ce94b42bd98a812c657d492e9ece222e53d3c119f356534d5cfd6b1b2ffb
2b7a34bf7b088f72ed736dfaddacce547d19f87c9910883b5460de8946db0633
322861c1b4b43d32a1331539d59ad573558f61672773430651929e40d19dafd5
36a430d0daa727ce672cfe495d0c614e10f8045af1580344148e8b9148f07fa0
43125487b748bcb6220b45f46ffa491740f75d4cf71a8823a15b400fd0243d60
4435683d1e47f965aeed38d754e02e52f7b45f68a4fa4708532af93d8b2a9cd5
49c4328e898a926bfbff4a6d530af9ebe107839ececfb09693133275f5ccd614
49d217b942b6f3da7a2f37457c8bf240c6da8577b24518e0d415ea961b7b953d
4dd17d724ad88aabcb8319f4d2a3df0b375b164378e009ff1b2607e7036c6b66
4e1b16b99a4f5790578691146350c93f9c0957daecdaaf798e100e39c1279688
525314e37bd5fe61793bf85d54fbaacdbf5e82e9fb8f328168ee2a83492fb268*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Trojan.Gamarue-9809766-0 Indicators of Compromise IOCs collected from dynamic analysis of 27 samples Registry Keys Occurrences <HKCU>\SOFTWARE\LOCAL APPWIZARD-I__CxxFrameHandleR
24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-I__CxxFrameHandleR\LINEDRAW
24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-I__CxxFrameHandleR\LINEDRAW\RECENT FILE LIST
24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-I__CxxFrameHandleR\LINEDRAW\SETTINGS
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228}
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 2827271685
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
3
<HKCU>\SOFTWARE\NETSCAPE\5.0
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: owgkjfld.exe
2
<HKCU>\SOFTWARE\NETSCAPE\5.0\F563576C
2
<HKCU>\SOFTWARE\NETSCAPE\5.0\F563576C\QF563576C
2
<HKCU>\SOFTWARE\NETSCAPE\5.0\F563576C\WF563576C
2
<HKCU>\SOFTWARE\NETSCAPE\5.0\F563576C\EF563576C
2
Mutexes Occurrences qazwsxedc
24
rmf563576c
2
cie0
2
cme0
2
<random, matching [a-zA-Z0-9]{5,9}>
2
InstalledMutex
1
v&xEiR43#$
1
616403000000010001D6D313OKcOGFlpCvoEY
1
0CC03AF50000048001D668C9OKcOGFlpCvoEY
1
rmf7348708
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 209[.]239[.]112[.]229
4
40[.]70[.]224[.]146
3
109[.]123[.]78[.]10
2
66[.]54[.]51[.]172
2
108[.]161[.]128[.]103
2
195[.]210[.]29[.]237
2
5[.]35[.]249[.]46
2
5[.]159[.]57[.]195
2
206[.]210[.]70[.]175
2
88[.]80[.]187[.]139
2
188[.]93[.]174[.]136
2
130[.]133[.]3[.]7
2
162[.]144[.]79[.]192
2
79[.]110[.]90[.]207
2
72[.]18[.]204[.]17
2
212[.]129[.]13[.]110
2
66[.]228[.]61[.]248
2
193[.]171[.]152[.]53
2
129[.]187[.]254[.]237
2
178[.]248[.]200[.]118
2
133[.]242[.]19[.]182
2
195[.]154[.]243[.]237
2
80[.]237[.]133[.]77
2
158[.]255[.]238[.]163
2
91[.]198[.]174[.]192
2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences m[.]googlex[.]me
10
w[.]googlex[.]me
10
bolte[.]pw
3
ggell[.]pw
3
xviesse[.]pw
3
kpxkubowvkllwf[.]cc
1
kqhmknyidxjuxx[.]com
1
kwnyotlewqgwyl[.]cc
1
llswdkqmxgjcnu[.]com
1
lpblgqdmnjnjqa[.]net
1
lxybtvndxcfnbx[.]net
1
maxbyulweifvcy[.]net
1
mhaclspkylcgle[.]in
1
mpqjgedlgobigs[.]com
1
mvrayrcjuobjly[.]tw
1
obifmsurqodhbb[.]com
1
ongyichcmybdrb[.]cc
1
pktthwxaqvmktb[.]net
1
pmkgfsxvuqlovm[.]cc
1
qalhugqpkgbeyk[.]com
1
qglscxdeacnhnx[.]in
1
qjjvlpqqfmiixq[.]in
1
qojpalhvxdmrqn[.]tw
1
qpragpmmbglnkk[.]in
1
qudqihusnvymjx[.]cc
1
*See JSON for more IOCs
Files and or directories created Occurrences %APPDATA%\Identities\owgkjfld.exe
2
%APPDATA%\ms2591055.bat
1
%TEMP%\~47CB20E3.tmp
1
%TEMP%\akk111eccc24757.bat
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System Check.lnk
1
%SystemRoot%\SysWOW64\GyPIRMM_pHDLqc.exe
1
%APPDATA%\ms3735546.bat
1
%ProgramData%\YanuGsewu\OamaqEykot.rgz
1
%TEMP%\~0002260C.tmp
1
%System32%\config\systemprofile\AppData\Local\CrashDumps\spoolsv.exe.1476.dmp
1
%System32%\GyPIRMM_pHDLqc.exe
1
%APPDATA%\ms8483048.bat
1
File Hashes 011c853d55681b6c66de4a6e236e877f70bf4281f99717904681c40e22bb5c80
1699c2a2b4bf5f645ff10746a2fe9d8c372180b69c35cbc5d7c04dff2e974323
16d0f98d949e04a355180417be7f90d5afb50c883fa00de4e6aab33153bf773d
22daa9c2625a897ecc2c7c44a1fdc803cd31fc657226ee59a979ff63c87435d7
3bba0873c9073799c90d5d688b5e134d363fe7144d33ac1e4caf67000b8cb8d6
4c4e8864dbf4cfc79f261adcb345375746bdfb3de6dc0ee76ed1018e5c542d88
51777f5d039d22be89a4b1b97d188ce67e7494de5ecf9e70bd6859fd6d421800
5f52a4e48eadb456a2dd706e890ba32a4e68f5878e58ebf4bd5ec0cfa04d4a32
681753ed0b405c635d6ccf2abfb76abb543467de5185546d28766d321e434f43
6a7cdd9cf6f68072082ab7f8edb5edb5477eb5d84b1b42f40564f361961aec87
7b576f0975f65fde9ed902ae96649423bd158f4efc7b5624353953f8e78580a7
7db5ae0f1fabb2b231f63189ced5e9ac4948ecf0bac4187c0e3f07dc6c36c853
842d57b78a49aeb676ae3c77e6659289a2ee5f2cf92dd79ee4d806884b01b80c
8e4ac877d3d9ee05c7fe74f5dcaaaebf040d36a0d5d9d03eb17c67b191316e42
935c702a47820490d153f561a3c00bbec4313fbb9f42a08f14ee21cda0e06afd
97a7775f7ac2cab570cf489787b3df280883e552b4dd157a30de03005c56f3c8
99ca0c57bb4b1437407c582ee811faa657fcf4049e5cee73a9477979aee6b754
b04b37e08455b865970640e27d152e488c21c884d107db64c85078bd31112598
b613ef4484c38b8d6b0847236b31ce8d916125766d28d3275605fe4e2068ca4c
b6c2dcc6ea4160d06b1b9c077c60c20a696633cbed86cbc82f4c24e01205ff90
b7448cfff0c84067cf6df321b07758cf860b8c430b5a236c5559cd06aead156e
b973fdc59f3e05c82eb6cec874cee7e6b8e7b0724519e05e7796174b67e2585a
c0e4576d21f795d68d581160635c4a415a595689e930043a24e32976e530e470
c7a40850e819f294e552934b1388265692c497ee8805153d630d8ee52dd29a5d
c82f7cf10f22a13cd3e09fa382200e795a956fb1aefb4ec08e6432b61209c3d4*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.TinyBanker-9805436-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: F5DBF765
14
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS
14
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SKATING
14
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SKATING\RECENT FILE LIST
14
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\SKATING\SETTINGS
14
Mutexes Occurrences <random, matching [a-zA-Z0-9]{5,9}>
18
F5DBF765
14
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 216[.]218[.]185[.]162
13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ggvruxovlbrm[.]com
10
qvvksmeemfgd[.]com
1
Files and or directories created Occurrences %HOMEPATH%\AppData\LocalLow\F5DBF765
14
%APPDATA%\F5DBF765
14
%APPDATA%\F5DBF765\bin.exe
14
%APPDATA%\0F891552\bin.exe
1
%APPDATA%\612048E2\bin.exe
1
%APPDATA%\6E284C28\bin.exe
1
%APPDATA%\407F9FC5\bin.exe
1
%APPDATA%\18DE0691\bin.exe
1
%APPDATA%\4CF78C75\bin.exe
1
%APPDATA%\660E86CC\bin.exe
1
%APPDATA%\50ABF68A\bin.exe
1
%APPDATA%\56B4E95D\bin.exe
1
%APPDATA%\6649AC7E\bin.exe
1
%APPDATA%\7A59218D\bin.exe
1
%APPDATA%\038C94DE\bin.exe
1
%APPDATA%\36FFAEA1\bin.exe
1
%APPDATA%\28A99454\bin.exe
1
%APPDATA%\5342F042\bin.exe
1
%APPDATA%\33B128F0\bin.exe
1
%APPDATA%\2A150C9C\bin.exe
1
%APPDATA%\72FECBFF\bin.exe
1
File Hashes 0543ecfcaf691518b4643991f71e4647682c14907f382741d28965aa7a724052
08d69180ae2b0846ed6acf716015c4e68973b5ed7f4d86f8e37f63b079a31ebf
0eeb2bfc75858d42c261182404d94ac82f2cde375c703de1f926896a8976e889
12e4c3392b017e005e05ccd457fd84279eca8d38c5636fc3b2859965b5a8d11a
1c03137c6329d7181402d41b4a84f67712bed20e21c183881bf9fdf3b2565d67
1e5888f40b96662211a73ddb0d76d2af3a492f529520e5f515bb9f86856e356d
33ac75376b9094b89d45837c9d2f7f082c40257a615fa4cc6464b42b5b545e72
469bfc07379bd0eb03c7b386fd2e62cad9f0dcd9ba410ef3470a0be2da2a0443
54fdb72b652be3d6213392eb9ec840807b8a82f421a082da0c246dfa96ad9098
552ad96447571f7f15a6c6dc14cf8e60dac95b1dbaa7821effe6f3f1566d4b64
55a0634f58a29f17eac346c7f8bf1dd36d2e91d314ac802a80cabab0db8638a3
7924c666af0b6368fe5dcb415d0ae077c6abecc929b06379a142bf39c9176b63
7c5f7c66cf5faefe31d62db314c86478ed599a0c422464e0a1ed91641ed9a78c
814d4504830a178e61f0df10adc7d3e15cd4610509fdc2595a268aeedefbaf87
84bf368081e3b6bae2975ab373ff9861d081c723ef4ed5f5c0c9bd22c36e62a8
857b229d5f0ca5e93943702fa0509c4d61fa452dacf80391859049a64a9238cb
8a938abae32729d75f9040075069718b8066515c8c7689730e71abdc4f3d859e
8e6e4a3e3aeae38ccad55a52279a6dc5207a3a177d9be523bd8381d5e9ea4875
a03495e6b421438baf31b99f6af4a3148959f07ba41d91e91fda8b933905d6b1
a2f8d6567bd6ecf7349d4285a82b3989120788e928c5d6d503c9b4e0568c4d7e
b2ef57bcb2fe53d8d313c5d553a91abc6c644d238821a4c0c8e4680284c535b0
b345a067c7df7a88618b2cc6fbddf8b3bb47e71e86dcad487467e320e6dd45d0
c54c911572bec5aad2848cc12a8955b9e0e3e83aee5e8b1ab2642330cd834d05
ca25f22e673397c51128044cd756d4b790a909c157cd94196f9ea74adce5ee50
d8dc17f32fe8de8de5aff7bcbc5ece1f941f9335318971abd8a970d308e54071*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Cerber-9805579-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Mutexes Occurrences shell.{381828AA-8B28-3374-1B67-35680555C5EF}
8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 87[.]96[.]148[.]0/27
8
87[.]97[.]148[.]0/27
8
87[.]98[.]148[.]0/22
8
Files and or directories created Occurrences %TEMP%\d19ab989
8
%TEMP%\d19ab989\4710.tmp
8
%TEMP%\d19ab989\a35f.tmp
8
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp
8
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
8
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
8
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.hta
8
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.png
8
File Hashes 030cc59f7517d9b586ca0b133e23ddd2be15bedc8f547c1cae8c46a0b254d0fc
0c836b5d9e97fcaaf9f53b2c17ceda7574d40f7da8f4d140bb427e9a8dc66048
0cd867fc1290502b910e868fbea20cd4898f81ea1fd96c0a720141b0942ddfba
0fdd198111693e3a755161fed32597bce26475f80e15b453ab83e82dd4617461
16b70e2c47082a3c2f32c60b9f80e7643dd18703c88cc96ed40e6038840afc28
3513256904802677444c90bca6e2d22f89d698a5ec5ce9209571b195b20ebe2c
4174178191528ca5cbcc9aad9f65c1224aa13f3d50e417497086fdea063f96ac
4dd4ce1042e23e401546e6e8d1a2fece8ee2db6e38206c74163b7ae92537d2db
4e9babd66e1132ecc89877b226c7479d9a44ee0293cf5cfb916330c95c18203d
52836b0fb3d6c9613d19be0398a2288d0116419c9e0402a8727f5ddf4b730c52
564112715121625678d89faaac074d50a68f9501cf256529dc81404e9b2f714b
574607d64e64ac5986a1870cb1d312fd5746f918932a36288fb0d8a3fde33721
58c3698dd87c55e4100d89235676fdff5216441f79af114d97a3b0a1a545eec3
66bbdb7cb4fd9623edccb130e694f1901474b0c05d2529fe936f2048f0a9c0a4
714b6bee277c9159cdc424097990ccd3fe5a8f4e500cf3577127efdcfc30fd06
7a646dcacfea44a2e6ff8a1b50ac4dbcd1687fe70c97b774dbac20c68d57a445
8b837b4f0b28a24360503a5073048424185eeb42a21c85c820147945f6e517a4
8fb2584814fc45b59577c6e8e6b34e97415dda87d4e8980db2b01c3ecb296d7a
98ada641b7dbf2ff92ca961adff2f73b9dfdc097015380756dedb9c2321c3d80
a270313ceb2756a4294aab37e2685fa632a62ad1160855dc1ce6e7f7be62eb2c
b397ab38ee3776a23ed2582ebb18ec918567de113ec357e633398cc9b4418126
b7564a48e464d4d7e60392d2526e0168a08e2c3a493f0b76a4574fa531886907
bd6a6ef76ce3c325dcd0b68d0e84ffb7acc8b31878dd1d9fa5836275b33cc1af
be3aaaf876084f4089a937353b3f14d1127b5fbf7687bfe0cd1c6164c72ce6b3
c72451a0c51a3782125b134d676f10d9f5c5b061802f14846a9e08c573026ae3*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Malware.DarkComet-9805462-1 Indicators of Compromise IOCs collected from dynamic analysis of 19 samples Registry Keys Occurrences <HKCU>\SOFTWARE\DC3_FEXEC
6
<HKCR>\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
Value Name: LanguageList
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKCU>\SOFTWARE\WINRAR
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
1
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ïðîãðàììà âõîäà â ñèñòåìó
1
Mutexes Occurrences DC_MUTEX-BYAECN6
4
KyUffThOkYwRRtgPP
3
DCMUTEX
1
Local\https://docs.microsoft.com/
1
DC_MUTEX-14UFAVA
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200
4
209[.]208[.]79[.]114
3
13[.]107[.]21[.]200
2
172[.]217[.]7[.]14
1
151[.]101[.]0[.]133
1
151[.]101[.]130[.]217
1
152[.]199[.]4[.]33
1
65[.]55[.]44[.]109
1
151[.]101[.]64[.]133
1
23[.]5[.]234[.]11
1
23[.]5[.]230[.]228
1
140[.]82[.]112[.]3
1
40[.]91[.]78[.]9
1
35[.]174[.]20[.]103
1
13[.]107[.]246[.]13
1
142[.]250[.]111[.]157
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences dnsfix[.]ddns[.]net
4
schema[.]org
1
www[.]google-analytics[.]com
1
stats[.]g[.]doubleclick[.]net
1
github[.]com
1
avatars1[.]githubusercontent[.]com
1
az725175[.]vo[.]msecnd[.]net
1
aka[.]ms
1
avatars3[.]githubusercontent[.]com
1
cdn[.]speedcurve[.]com
1
w[.]usabilla[.]com
1
iliarub3[.]esy[.]es
1
www[.]garota-rat[.]com[.]br
1
angry1337[.]ddns[.]net
1
Files and or directories created Occurrences %APPDATA%\dclogs
5
%TEMP%\MSDCSC
4
%TEMP%\MSDCSC\rundll.exe
4
%ProgramFiles(x86)%\Microsoft
3
%ProgramFiles(x86)%\Microsoft\DesktopLayer.exe
3
%TEMP%\RUNDLL.EXE
3
%TEMP%\TESTADOR ANONYMOUS.EXE
3
%TEMP%\TESTADOR ANONYMOUSSrv.exe
3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
1
%TEMP%\Microsoft
1
%ProgramFiles(x86)%\Microsoft\px3CF.tmp
1
%TEMP%\Microsoft\winlogon.exe
1
%ProgramFiles(x86)%\Microsoft\px8FA9.tmp
1
%ProgramFiles(x86)%\Microsoft\px64B3.tmp
1
File Hashes 0202b64e4d4e2b7395500931211d17713e0ca789e924268c3ba1fb78bc782e9c
165c6c102d6c211f2416baf833ab1ff4313ad889da8acfb05b31c3c8e7493faf
173634dffb28185829c508979581f0826927b3dfd1e941f7fb04daae6d92eef1
22580d73bc80bd4402be750f3cc9f2734069b242eccf261c4fd3f3c9b72b7edd
41d1825942bb8fa90f8a9dd69e52978851884254e9379990b0b71d853809ef23
42f62fd4e6f14ab2769e3c80d9357d2a0cff26e8adbf9fbb4f8f20992caa5bdf
45aefcd50e62d9d5a9535d9d99f78a5c6725fd7ffcd378ef181d3dbbf2a115a5
48ec17ec1d23ecc75f1fae90efd2e662a42603c1eeef91fc3249e82e2641f3ba
4e14ae8bbce9f93bdfb26b1bf4a983adc1dac04d22f1d04b9c087a7a733d3229
5d88210378d3099dfed060e03a7c02d60a333ed31493624392f60aa66b0b7715
7cba819f12c4d1632bd48102fe794c2a1e0baaeb12578bceede3c5a1748d9a6c
96aa8617ac0db2fee0dd0020dbff45bce8991aa29b17976d3a33babd841adda6
b0c3b434f0bb6331164e1f45006d334eef1f7ed06c95d6b4604dde3571e43518
c15f9e3cbf4350512bbd4304f9b2c662273ea72fcffa4f38e363abe5db34c307
d15464707baa16c0ba03b6bd6a245b03b54133df4b5fc9fb697c75ea3f677b51
d8fe14a2801a429b90cb9027bd8437e5802d4db8d560957aa277d1ee02608685
d981a0f71c2e44dd91c0d4c915aead79a14b33cf1c440aaee1cffd7da6e85695
f8287b945e0b4e22ff754e37278dcc95bb29c38b77294a7bfcd0f44a20f1e9c3
f82f5652d0a825a04313512c84f7f806f15d7c375ec3169e7384ed6ff60af1a5Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Packed.Phorpiex-9805496-0 Indicators of Compromise IOCs collected from dynamic analysis of 24 samples Registry Keys Occurrences <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services
21
Mutexes Occurrences 50705477504
21
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 92[.]63[.]197[.]153
21
35[.]205[.]61[.]67
4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences rghirgsrogrshggir[.]ru
4
Files and or directories created Occurrences %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\winsvcmgrcfg.exe
22
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\winupdsvcs.exe
22
%SystemRoot%\60804350607050\winsvcs.exe
22
\_\DeviceManager.exe
21
\.lnk
21
E:\.lnk
21
E:\_
21
E:\_\DeviceManager.exe
21
%SystemRoot%\60804350607050
19
File Hashes 038d1de536eebac9f9d1279777ceb5375e9bdf26593d2e9cef0deaa85434b64d
0fb2be0b70ded0d999f7ae0a7708d841b4cbaa80ed730dc5e5701daa257ccc5b
101329685805850cb07f12c3021bd9f54a5e6b25654d10ca33f8f0e79c36b6b6
13f0e73aae7e5ca7e67e7090b9dc0a3041f0b23bca82d2d20d9e65ff95311602
1413614442785cc2f832c0d6d9447506bf1caee72390c9035900c4bc3ca6fd4c
226212f9681cd5f9b6151f046686c53756046ce97be058618f5c204ec737132e
279da584e4a1198650d2514b46ad1233c2b5af01019266ad2c2a708c5cd7b68b
3658f60cd1594dd2d60e76cc872b8d105ad0248ae20d36c4ffa43433ffcaede8
498a2f78716bf221a00c3414d1b9b5922b91ace212609e0811baf5fc49d60d26
4cc2ff08f85a2c6b4f64f6f47e6bf618b84cd4026413f794c0ad307eef0db417
503e5946bce935f1dfa54048131712b2607b4763f674436306b6d57bf24dc481
5fa6c3f4f614ea84f2b05c560c8325d662ead5f35569b0770bc250bd460f1637
77683ea7b4c6ef401e70cad1eef6651b66a3a170b7858a26bfac8bbe4605ed2b
80ff5f8e4de0eaf266d3e73f9c52493f48600c002c8d8fd4436a313a014c8f59
86cb16f05d0dc935474178ff425e2b44d1c25d93d998bdd8042cf9f13a9ceee0
8f7da634dfe3e4d1b87ac3734b0a8d836bf24f1d33e8f23be498b3650810ff49
9af21c1dc0084f10420edb915a7911edb316cf5f76455e6cb6fdbb93f938b0a4
bd117c316ccc9e04c269949f569c5fc4fd163d2e8cab536053db9906799294ac
c5e91b0daea9146e0e45167e229d383a0afd2d46c3bbdeb7e9a50640565f87f6
cabf376ba19a4a16517e90634a99840e9cae1beef06acb76345d2b9ab8044c63
d2931fc8189d7f0fb35f82e8fa66d83252fe6d4f94d2a743f8ca45542ee0757f
d810c0e503bebbbb290bf92d344800ed69addc978527e9f225c0bf60ed3abda5
e44503145f269028e90c4b19261b99476c2e45d2cdc31fb572e77a8fb2b887c4
f46104009added65d7622a12c6809376b91c961c61d41e28a968dd9d8d0a753aCoverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Adware.Tovkater-9805523-0 Indicators of Compromise IOCs collected from dynamic analysis of 54 samples IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200
47
35[.]205[.]61[.]67
47
13[.]107[.]21[.]200
27
34[.]107[.]221[.]82
13
35[.]244[.]181[.]201
12
35[.]167[.]169[.]250
6
52[.]38[.]202[.]57
4
99[.]86[.]230[.]24
3
99[.]86[.]230[.]114
3
44[.]237[.]178[.]15
3
99[.]86[.]230[.]13
3
34[.]213[.]158[.]239
3
99[.]86[.]230[.]122
2
99[.]84[.]222[.]88
2
34[.]218[.]181[.]13
2
44[.]241[.]216[.]61
2
52[.]43[.]72[.]100
2
99[.]84[.]222[.]3
1
34[.]216[.]80[.]151
1
34[.]214[.]44[.]170
1
44[.]236[.]152[.]85
1
52[.]36[.]207[.]147
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ecosystem[.]unvocal[.]ru
49
appcat[.]centralus[.]cloudapp[.]azure[.]com
23
bamboo[.]westeurope[.]cloudapp[.]azure[.]com
23
detectportal[.]firefox[.]com
11
prod[.]detectportal[.]prod[.]cloudops[.]mozgcp[.]net
11
aus5[.]mozilla[.]org
10
prod[.]balrog[.]prod[.]cloudops[.]mozgcp[.]net
10
search[.]r53-2[.]services[.]mozilla[.]com
8
search[.]services[.]mozilla[.]com
8
d1zkz3k4cclnv6[.]cloudfront[.]net
8
shavar[.]services[.]mozilla[.]com
8
tracking-protection[.]cdn[.]mozilla[.]net
8
shavar[.]prod[.]mozaws[.]net
8
prod-tp[.]sumo[.]mozit[.]cloud
3
support[.]mozilla[.]org
3
denweryankee[.]top
2
File Hashes 00725719798ea8eab9fcd1bec4baee986dcaf8dd5dd4c88b44d42443539e6e93
01f7f1e731bc908ff86d83f63a23ac276b64497de53c1be380426c16a9f801db
03c9795ce065675e850120977db7153b569aa56fc0cf6119876dbda01b022ffd
0573255ba08ab854460c43f1c812af695d6d48ac3f13585671084d0daf8133ce
05b98f95d524723ff252eb1b7d06b08ef53ed0167890ee08a0259df07364ca19
0b48ed9210e2523a82e690faa6851816667a3445f85d9b36deeeedb72056f1f6
113065116d670e6286f22a2e5ea3cf29287558f29c6c3879f65f0ca1644956d7
1174be2e499b873531b2b2d6709a6337cad035f7da42450280276ba41fa916d9
1186cd45952246257cb72414a3b0058b8410d402654dbd1ed0e326b109b5f8ad
13350cda5210d1e2e18f6ef53fb0c5576eb40c7072b2955af85c0ce7afae115d
1364fdda62735a6cc319b7ef003e1ed3d8e149a4504cd6499a7f509482bf1478
1722bfb1b4935ac46f8ce5f7872936d4df04520d72c1e6c92c31856def1aeb2f
1831f04415370a6d876620aa25f209840426ba22823e9d41f1e005ec0f34d272
1979d0914c482db43f6547b8dc0ce1fd84f50efd747ba23e8f59b36d83e5dff1
1b8f48c4373b96ca4129f2c436859f42f118f6182d094f2307731a99de3996b1
1d82614d38b99ba7de5ffaca1f6c1b7fafcaf20a84531a38df2e2d819967a1d0
2045865f12d0082a865528dbfcc1f0ce0d0914c1d48e4c373c4a8c009c20c5c5
22a2be28e4e4ab5e0bbaf4671f2fc43bd80c994d8bc5e234cabba23dfc2f42f9
22c978caecbe4a1fdf30f694baafe2cf308ad62bd83d2990830347ba2e4fb2e2
237a2c7719cdf90744d166e26438d1c40c3472e61079597e5a33b2cde9769a59
2484a4f84e20e51999e12f6a3d949a072831b0fb0409b163b768aa4a3de64556
269939e975336bda2bf73f448ee4f3f901e3d7e4696fc9776b1940b2505dedb8
27ced4278a6980f1f30fd7d3b685409ecf9bfed82f0edacdd08f6c344fe3c4f2
2ac6bc144a6ac5cd51791b1a8569e902ffd5f0b450c1b9cbd82385ff8da4ad0a
309a44279ce68b8cd4e689d6ac954e6e595c1c48ba616fdd8afbef7d9c72a2ef*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (2624)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (2566)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
CVE-2019-0708 detected - (1660)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (1285)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (1243)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
A Microsoft Office process has started a windows utility. - (775)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Excessively long PowerShell command detected - (534)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Smoke Loader detected - (348)
Smoke Loader has been detected. Smokeloader is used mainly to execute other malicious software, like ransomware or cryptocurrency miners. Its initial infection vector is usually an email with a malicious Microsoft Word document or delivered through an exploit kit. Smokeloader uses various plugins designed to steal data from its victims, particularly credentials stored on the system or transfered over HTTP, HTTPS, FTP, SMTP, POP3 or IMAP.
Kovter injection detected - (301)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Certutil.exe is downloading a file - (254)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information. Attackers can use this utility to download additional malicious payloads.
