Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 20 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Packed.Barys-9887065-0 Packed This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.
Win.Malware.Lokibot-9887069-1 Malware Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Remcos-9887578-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Phorpiex-9887077-1 Packed Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners.
Win.Downloader.Upatre-9887082-0 Downloader Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Ursu-9887083-0 Malware Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence and collect confidential data. It is spread via email.
Win.Downloader.Zusy-9887097-0 Downloader Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Razy-9887791-0 Malware Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts it, eventually sending it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Tofsee-9887377-0 Dropper Tofsee is multi-purpose malware that features several modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.

Threat Breakdown

Win.Packed.Barys-9887065-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry KeysOccurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0\0 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0
Value Name: 1 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1
Value Name: MRUList 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1
Value Name: 0 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0
Value Name: MRUList 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0
Value Name: 0 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0
Value Name: MRUList 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0
Value Name: 0 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0\0
Value Name: MRUList 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0
Value Name: MRUListEx 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0\0
Value Name: NodeSlot 		1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\\1\0\0\0\0\1\0\0\0
Value Name: MRUListEx 		1
MutexesOccurrences
Administrator_ServiceEntryPointThread 20
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]218[.]208[.]114 20
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
domptorang[.]com 20
ranesken[.]com 19
Files and or directories createdOccurrences
\TEMP\ OwArFFUxZ 25
\TEMP\XWYIyWxmZi 25

File Hashes

0021b7e732d7e3db7ee25920a26a5f51cc59339311144297394ce38c3f464321
0795dc3c5c11184d86f07da6c903de40dcffb9dcbdafcc9a92203b2f22da532c
0f47ce6da98c8f383a38c87b8324abcaf8be7e96a98e6563e6fda08634e819b4
2866daafd31bd60ba4d76c80e82486c552ce6e615091c69c0717045d3b1404d0
2a0de02b4d6e333f908f7996747d1344a47326d918b6bb3902fd5fd30e3f8745
2a84e89e685f5c1f4f0cd3f72756b3617a2bd4aa96304e14fa5b8b04280ba0f3
315813c71faf88703ab7b1d08429674206a9aa7b16f7010694d76a18d88bb5da
3a3025d7eedd687ce6c2d59b1be29a1d39a900f2a2a2c4d0130ca7c3cd072d31
3c5a8eee570b3bb1ed8e685dd8e00d3822231047d099c5548feef189f1857ead
405c063d8369d8c80a7773e58514bf9057a55f9fdd80d463a3f5e6baf0ab6381
4f3417fe48ca1c77c0e47bac776f74967586cc64462bfd1c182471f328f45a26
5174c19f27e3c7c6bda7b8f6ffe1720ae32da5682cd21909cd8305c058ebeea8
5241deccc67cee5a18db847a9636ac94a951722197ae7263397c37ffe4a30c91
57805836719e3a3a3f3543f8cc51afacbd8a83531a679bcf4152617ee2f119f9
58a03581d9e48aba0e01e180be9ed0df458cd5a2e964509007a15d69c36cb98c
598fdeebd4270fa442ab8ca6fd7bf2a742d7dbbe2f7df9fe4a8387e1028b51ee
5f22ef8944cca81a1211d5eed27461c24a5fe01ac7f5ebd33995052083ab31ef
63d3f86b5c116e783b04635474546c1151ebad1e9ff90e1592fed9a5c2ac6a49
6a4bbf6ceacaf0bf9b5f1af21ee97ee9482b8676d6189ffd9289438ff271fbaa
6c842af254a3fac832db40f1a37dc790174363b6cdcfe8e28970297ede92d352
7106ec4c7194a383e07045cb7b0f4724f80de8986d5620dc232121914163f9b1
7f23c9143233ebdadb67225b16efb46d9dbcb359dbb495deeaad22cd98f55315
806b8607f8a2962415328eb4decb00b2b13ebd70c0723098408f80e8c31ff094
924eabf33a2823c5e4684530f5028120f8afe04464d8f7d72f236c869c862ef4
9296651be9fe1dc681f474e8c8996b44bdd2b3f7a43aee0ad7f53d82d71aa3a9

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Malware.Lokibot-9887069-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 39 samples
MutexesOccurrences
3749282D282E1E80C56CAE5A 36
9DAA44F7C7955D46445DC99B 24
Global\2b71d381-00a3-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
23[.]95[.]132[.]48 36
Files and or directories createdOccurrences
%APPDATA%\D282E1 36
%APPDATA%\D282E1\1E80C5.lck 36
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 36
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\file.vbs 36
\TEMP\test.exe 36
\test.exe 24
%APPDATA%\7C7955\5D4644.lck 24
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 24
%APPDATA%\7C7955\5D4644.exe (copy) 24

File Hashes

04ac26dd0305cd3b14a9b6a099b43f51e1069014ef856727808aa6d5e6a88ce3
0b81758cfd73125072515cfd1a7a11a42e2a3bad368d0e88dcf7a053afa6960e
0ce118aefeab086051a2c061cc7f34d2b979480f80e08131776e62657587ed73
119f21e2ebe27c3e178c88c72e465fd5924615c0b4bb82586e677db62118757b
121d48c2d93498023237f775a09c01cd9856e327ff138573d7cfd374484fe2a7
1bb788ab0376bf6f702f7dd15a16f4320ef7a5644ab50779e9decedc042c9398
2394287e26409be6a543e6a03772f8e0f165fa7a3322cb3c5de73bd42ba28b6e
257f32161fb056bf88d761bc99858c722315f6696a162e2376681e730fc6fdb7
266342ff4d60419a82a53a5f8d03aed0c080cfc788a4adbe9d36f8aeda89c808
28c5f87ba139b1b78d20f2093b2866d15839b9c14c31a557928718567d9e4176
3c0130ab7b8a9988f30104180a102ce7c9a2a347f80c3355853f957237930d55
3c09d7d48081c6181b54a8288f2cf38fcfeb72cfbf1ca5ec57f4a4c9e2a2d971
3f49b4017cefd283d3599079a17ea781d2ead4b307103ce4fa2b2cf019af0b15
41b8924ab3c87339504e5817bf0364f9a4546e51ee62c71c5860894bb25179e8
497adcbafabf836785f0212b7733fc8f3bd0bb0187ae01bfa4ee24f6e0ba649e
551c3ff81ba1069d9e8faf9fa1549c38c9946b2c352351d2266d548d6ea9162a
63e179f1af84fa7dfb844fc4d2c162ecaa97cea1c8023c29441d197c340d83cb
67a93f527e70175ea5e1bdaaa3d2e9b201984d42b1bbd81cec0e54fc47fa8b09
6834a8b4558baf03f91faa26910c425fcd1a32e485195266e2dd805f31c342d9
7358e1f61c5dd9734fd5456222ff6d2160efb6626d3dce4244d23b309be8001c
74f37ba38ada746cae3364ca451b2e32f98554bf98b3ca3eb68b8bc34c877efa
77881e60f8750c98c0f083461968453ab5e5f845dfdaa77cdc4b557641b06834
877e30aa0d65cf476e2322cae03df3c27c9e5d4d01c6c1be10da2f9c3024496f
888f8f932e93c9f26cf1914bd211a0d942c49c65734a7a318cb5b510671d20d7
949e6d2911da67036abb80fd33e572cb16178b24d35b5ea97bb637dc01958c93

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Dropper.Remcos-9887578-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 47 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos 		43
<HKCU>\SOFTWARE\REMCOS-8CPBWM 43
<HKCU>\SOFTWARE\REMCOS-8CPBWM
Value Name: exepath 		42
<HKCU>\SOFTWARE\REMCOS-8CPBWM
Value Name: licence 		42
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time 		1
MutexesOccurrences
Remcos_Mutex_Inj 43
Remcos-8CPBWM 43
QbadYqlvbXURmYYmbqvZcd 43
Global\7065f501-01c2-11ec-b5f8-00501e3ae7b6 1
Global\fedbbde1-02a5-11ec-b5f8-00501e3ae7b6 1
Global\f37f0ce1-02a5-11ec-b5f8-00501e3ae7b6 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
mmiri1[.]ddns[.]net 42
Files and or directories createdOccurrences
%TEMP%\install.vbs 44
%APPDATA%\remcos\remcos.exe 44
%APPDATA%\EUfYRs.exe 44
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 44
%APPDATA%\remcos 43
%APPDATA%\remcos\logs.dat 43
%System32%\Tasks\Updates 43
%System32%\Tasks\Updates\EUfYRs 43
\TEMP\test.exe 43
%APPDATA%\Screenshots 42
\test.exe 24
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\remcos.exe.log 24
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\test.exe.log 24
%APPDATA%\Screenshots\time_20210821_165724.dat 22
%APPDATA%\Screenshots\time_20210821_165729.dat 22
%APPDATA%\Screenshots\time_20210821_165729.png 22
%APPDATA%\Screenshots\time_20210821_165730.dat 22
%APPDATA%\Screenshots\time_20210821_165730.png 22
%APPDATA%\Screenshots\time_20210821_165733.dat 22
%APPDATA%\Screenshots\time_20210821_165733.png 22
%APPDATA%\Screenshots\time_20210821_165737.dat 22
%APPDATA%\Screenshots\time_20210821_165737.png 22
%APPDATA%\Screenshots\time_20210821_165724.png 21
%APPDATA%\Screenshots\time_20210821_165731.dat 21
%APPDATA%\Screenshots\time_20210821_165731.png 21

*See JSON for more IOCs

File Hashes

03c5c143049d9a01b94885b6fa6d65de0bb4c6fd233d15f271fbb8141db12e6c
07244660fda51f3a48e6746d749de4d4871252ff2281bd78a36c3d2b3a1228b0
07ad48c31139e1e1d10aaf5e253a7799cb6995efd7051e1de7f7e897a37ce225
18c1f6929f8bd77e42e929874f0a6a99e2971eeb359ef8322ea2be7fa404a471
20b75f3e479b0881f9d7efd915a7bad5f4260772349b568e3d65061dc06e52a6
22915bad486e7cf403b301edca36ef65eea35c9f8990114a59ffc966529220c1
2331796fbf3d080a76744f63dc09724cc374f20cb1e1fa4a234072522756ea31
30d369bfb9809db7548387e6999e753026055dc0abfa37dae13e19a8cc9de592
33bba8db846a6c26fca8f893292a93378d3a290f3092b5812c7c48ee100fbb09
3452319c9c4f570d94c9e49cf672bb9983cdf129cafbbce26b75bc47555f9a78
39125afb4422ba36d429f186450cfb88546f1dd1c5874dbec356f21e9f9be130
3cc49ca3a0d354efde74d2b60201460bb764b2439fd86d9e213443aea2dc3066
3d798d8b0beca4c0cc080be5e4ea73db2e766319a99ad0846e5935307f27f996
3d9573a5692dc1a5cebaab1bcd49f0b062623cc9d02e870ad449b429c6327cfb
3faa185802205814772b161e6f4b2cda2030c2f7e3789387ee5dd053bdf15dd1
42b0fec30bdcec1eabb1953baa047aa5cab94258f912562469602a8f9a5c8f61
43cf21293b1aab37697807596dd980207f8ff225e84801d7da150356964f196d
4ff0c05aaa00f7133c1cb5d907c8fcb51203765019073b5e5b48fffe47e04056
50b4b0aa6f34627889dd02700e74ef060eeea378f3cf2cb87e46adddfccba929
53947d3c3fe7526ef319f18a5cc7a38dea29682788bcba6f56966d8dff90cd9a
5458ecc78971f8e7a475685f9cb3c6a0e9fb79e8881d210090c3c06117c0071f
5acb1e778dfdfe2c396cde69111f5130dc5b46de894d464feef891fd305cf67d
605c33f570d0bcdf496a04a25eb8536a4b3391d8609bfbb7bd63cf460377bd23
60e4f03e02399e34c1e809393ca534d859eecd6d7b0c4857f15fe5c850a7abe5
673674a840095485b134079ffba71648cb0e43792448554a39f9f384bfcbaea2

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Packed.Phorpiex-9887077-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: DisableSR 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify 		16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services 		16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Services 		16
MutexesOccurrences
595030390 16
a6c92143cac02de51d4a 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
92[.]63[.]197[.]48 16
72[.]5[.]161[.]12 16
173[.]231[.]184[.]122 16
173[.]231[.]184[.]124 5
92[.]63[.]197[.]60 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
slpsrgpsrhojifdij[.]ru 16
osheoufhusheoghuesd[.]ru 16
ofheofosugusghuhush[.]ru 16
suieiusiueiuiuushgf[.]ru 16
fuiueufiiehfueghuhf[.]ru 16
sisoefjsuhuhaudhhed[.]ru 12
opllforgirsoofuhohu[.]ru 8
aaeiauebfaneifuaeif[.]ru 7
oefosfishiudhiusegf[.]ru 7
eooeoeooejesfiehfii[.]ru 7
naibfiahdiauehihhre[.]ru 2
auaeuiihaehifhahaud[.]ru 2
oieoaidhhaidhiehheg[.]ru 2
fisiuuiedesubdibesd[.]ru 1
efiiuehdiahiuediaug[.]ru 1
sfiushidhseiugiuseh[.]ru 1
oeiieieisijdingisgf[.]ru 1
Files and or directories createdOccurrences
\autorun.inf 16
\_\DeviceManager.exe 16
\.lnk 16
E:\autorun.inf 16
E:\.lnk 16
E:\_ 16
E:\_\DeviceManager.exe 16
%TEMP%\Windows Archive Manager.exe 16
%APPDATA%\winsvcs_.txt 16
%SystemRoot%\405096696004033930 16
%SystemRoot%\405096696004033930\winsvcs.exe 16
%TEMP%\2380432049.exe 2
%APPDATA%\Adobe\Acrobat\10.0\rdrmessage.zip (copy) 1
%ProgramData%\GCxcrhlcfj\cfg 1
%ProgramData%\GCxcrhlcfj\cfgi 1
%ProgramData%\GCxcrhlcfj\r.vbs 1
%ProgramData%\GCxcrhlcfj\winsrvcs32 1
%TEMP%\2859628131.exe 1
%TEMP%\3229831746.exe 1
%TEMP%\2719713455.exe 1
%TEMP%\2738614679.exe 1
%APPDATA%\Adobe\Acrobat\10.0\D7a00272 1
%TEMP%\1483440200.exe 1
%TEMP%\3078938264.exe 1
%TEMP%\4128736634.exe 1

*See JSON for more IOCs

File Hashes

0a172b69f7a773e7a1465fcba6dc36c17889a91ba57e9261b94d36acbdde550e
176f0a49b7d34d20b512e91f0395280e661ac0511e0246dee1f912ff97bf5db0
3138fd3339dbed9a8c64ebe189ecfdf19ae43447a5f1a0ed701515424d84dd49
39af54b3b330327805534160ee196b0c83df28b4c3fdc4e509bf1f82368f7704
424fa96a3f8bca56d24f8a2d7612ef07c8c06c1843ad0e96ec6ddae044e960b4
535d4685e4926bb47fe221e9b0279a3b4f1a23b9f3dbd38beca704f50a596c01
5a7044fee737cb066bf480c869f010e9761c7380da410e4f9274da6986a0fe60
6843801fa2e691b3092cab4d4c49e899541017a4dc73e26a0762915671a79590
823a0d8e9836ecc03299718c4b64b358c6e2a663a639149e0bfe434eaad0997d
b4f92f83983cb43f574dca721c2f1d8429f1b7943aee991c47861dc6e3f5f13d
b87261db98cadc52c5118a6dadaf3db93bb21d1b48fc99e0aaa3d26c5d9884be
c36c74f95f8e28899109c3a72947dc9a310df838fcca9f5c628901170a0d72bd
c738674edc734f8eb93e0ce738c98c61ef1939b4ff3a95e2d955b14e53179399
c88deaa1919387b6f3d41133160186f47f683949b41254d059ccdf9570c4c115
dcc0dcc7d2867e1e62dfa933af3ebd14d5f43f077aa5b820e3feab6071e274fc
e21b408c07760253b87156dde7b68b3265a78485a84999dc82ed61d40f4eb407

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Downloader.Upatre-9887082-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Value Name: Blob 		4
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
173[.]231[.]184[.]124 15
195[.]157[.]15[.]100 3
205[.]185[.]216[.]10 2
205[.]185[.]216[.]42 1
23[.]46[.]238[.]194 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
huyontop[.]com 15
cds[.]d2s7q6s2[.]hwcdn[.]net 3
Files and or directories createdOccurrences
%TEMP%\nddkje.exe 15
%TEMP%\fcbnaf.exe 15

File Hashes

038c4e07c2ad41aa604b14d051db783b93a84fb949dce1e210cc183ab56b84b2
4326541f9786bb0d41c151d14c6a950c78eeaab067d6d03de91bcc5d06cbe1a7
5646c761b4fe9e4b3bd47617c01c776aa125c72f15d39d891568a4852e444a79
5e308277574b9dff8c67edd1bc40e004b559123d7adb7eeda6d3c95f2cacc421
74c3ff0a252af0f4849a3356d999422359dd70c89cbb126933dfb0df449738c4
957c4d95547c8af76b66436611a096490ed209c045072ee1216a245dd63b89ce
9a65228d1e2400fb85ecd86da306a6af2af4f0cf98fbcb2c718b999f4d825b1e
a04f1dc5e8c33ecf9125e5a87ac239d850233354c6404155cfb6c3dc3648e9cd
b0d91399603e3826aa04578406e261a0172757978a91acf45b49e5d4645e1eae
bfcf53333beda38c20dc664a7a8dc069387670f2eff528e5700d557a3d149858
c3298d427e592259be7876a8d566025778d5f80ee8a3798b65defe9d96bf1908
c3e3fc7395211fff50a52876512c57ffdd47061f9e0f16b5b6e745a5f17c76e8
c847c8fac2af7cd83bc7e86b7e43c50e6e4e7470df286b7586be01bf4a38ecf1
f0468701343f113a2cd3c8fa2a31b70a9fa170021598b7f8fc7f2ca29d5a229a
f187a8c00b1862a419b0d12c3dc7835179138f11411e3232546fde538eb13bc3

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Malware.Ursu-9887083-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\KAZAA 17
<HKCU>\SOFTWARE\UNDERMINE 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MYCOMPUTER 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MYCOMPUTER\UNDERMINE 17
<HKCU>\SOFTWARE\KAZAA\TRANSFER 17
<HKCU>\SOFTWARE\UNDERMINE
Value Name: Hunatcha 		17
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTERNETREGISTRY
Value Name: Hunatcha 		17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MYCOMPUTER\UNDERMINE
Value Name: Explorer 		17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Hunatcha 		17
<HKCU>\SOFTWARE\KAZAA\TRANSFER
Value Name: Upload 		17
<HKCR>\IRC 17
<HKCR>\IRC\SHELL 17
<HKCR>\IRC\SHELL\OPEN 17
<HKCR>\IRC\SHELL\OPEN\COMMAND 17
<HKCU>\.DEFAULTSOFTWAREMEGALITH SOFTWAREVISUAL IRC 96VENTSVENT17 17
<HKCR>\IRC\SHELL\OPEN\COMMAND
Value Name: Send 		17
<HKCU>\.DEFAULTSOFTWAREMEGALITH SOFTWAREVISUAL IRC 96VENTSVENT17
Value Name: Send 		17
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
44[.]236[.]48[.]31 1
34[.]117[.]237[.]239 1
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\update.exe 17
%SystemRoot%\SysWOW64\inetsrv.dll .exe 17
%System32%\update.exe 16
%System32%\inetsrv.dll .exe 16

File Hashes

0f28c481ec61071133e772a0d2b220b019f6b8eaf6a8ffaf42f844944be08641
22305922a65afee3165f8f219e07c3eedb673c3689f55dcc5754fc5115c39aa4
27ad4dfcb0b9bdb29f271a47f300e94bbc78c03aabcb55bda1e56d4be959f4cb
2a74c32dee1c25674bc9f69bc04d598e38f5969700bcba2ccb54883822713be1
2f907d87dcb9cceeead8d5903ccb9a5f50078d76c12c8203c92660b832d5b3f8
40b34c9721e0e3f70d7a39e465422be247ed08852c8e6494338d2c41b93d80df
4a067a1b75fb6447bd086e2cb00a0603209730aa4f521bfc3b1bae9121c396a8
4e2d6e4d92d11250af6bfc063a429ff3b221e891c4854f340fd5e3f8bd0c9c92
4eb4c2001049eb9c09591c2b5d9bac60bf4a64e8e373fda24d32be1c81921905
58a747907810378905512f50899cc82f1a1a97769b3727a8a4ec59df5e069dcd
5dfebacef97e277f7db258221e5b2fc3105fdbfc118a81e9e0266699dca544a5
6ca12cbd643351bbfdd889ef661d50684288164a25ca1d046017dd72f8830c23
6f8f2ac7c3b0403d1907a35c5517a4e86c842dd94c46b75a704c41423dcf8921
79c99b5ce6e0e2247fec571534a6ac18bb6aa90fc87bc2958125d6fa2b61abc4
7aed620d7301999a294134abf408c647e2d279cdeac85e4fabe5cc2c5fa53397
9439047b693f7f813ca46c72a0ab6a026b602c514d52b5903fee18aafd82fdff
a891b2d9dfd7baaf0fd1d47fce5d2c735dc274dad874d7ccb3c31965c9bf7e5d
aad7ca08ec3e1ba527e17d2b830f6a9a16c6934d486a91a2edfea4df6dfee3a1
ab3966072df416f1e4e469558631f7c47a21fe08c1df9835f9f41f88821c8dcf
ba1ea52fc8f2f7a54722410cd3cf99d790c8e2da250f59acf34007ad95d8b4d8
bbcd99dc3047803b7ddb3b5174ccc90464e7a8b8636ac92582bbc0d2660b1806
bcc727e2f966c80ba6674192cd2482c8464e3e892ba991c0b0806aab9e9cae58
c0d6548915a0b7ad23fd30a65cc38dc31fd293168d1033780d6d7c98dd5bd059
d2ddacc4c6e55515923a2cd129b6f17740f4814b759cafb42ddff1c73e08d8fc
d41cefc33696664207927a4b8de90073e24c77cb897984ee5e5f8a72588a6cb7

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Downloader.Zusy-9887097-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
94[.]229[.]72[.]121 7
162[.]210[.]196[.]172 4
199[.]115[.]116[.]162 3
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
update9876[.]dnsd[.]me 11

File Hashes

07d5c216bb0e75a39b4de555bdc8748bf0bb5e8d5af425f2f7162e61ff50e9af
105d472adb9c7b5c7fa759480a728075bf085dbbf68d8d588d0bc1f88ae10a6d
163ca276c717c6231e0f64059230a793d4e29721bb98be9060549cf9e15a188c
2b6fed4b8a03f9bacfc59a6daabee4b9b622270b278e526c0010fe3c41c46287
49ff6d71407d9f75df26b9e9d9428e3b966a735643a90a9d5e00cf79a7481645
5de7586c60f86460d1239fb8927d7ae2a4837059e50e0282a8674a735cc58c99
660a0a09540c3e0d57b7b4107075584e76cd183230b19107d2f8470c20734c86
79f75fe187cd7a15bc40f49ade0323807565dfc0310cd3416aeebf4ad16e7550
8fda18bb89bf1998fe8386eeaa5624b39b4e9dd39b0d56fda3baf339459bca0f
a9fa6c323bf0ad1317e6f2f0177de4224973e95d8572e3d742b60cf88ef35f73
f631e398b3da4139b5ecfd945a10c243d3a8beb53820c1b17b621c3bcf8581e7

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Win.Malware.Razy-9887791-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
52[.]232[.]252[.]84 23
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]descargasmnyl[.]com[.]mx 23
Files and or directories createdOccurrences
\Seguros Monterrey NYL\Descargas\_Version.txt 23
\Seguros Monterrey NYL 23
\Seguros Monterrey NYL\AsistenteDeInstalacion.exe 23
\Seguros Monterrey NYL\AsistenteDeInstalacion.tmp 23
\Seguros Monterrey NYL\CotizaNet 23
\Seguros Monterrey NYL\Descargas 23
\Seguros Monterrey NYL\Descargas\_PresentadorRetiro201706.msi 23
\Seguros Monterrey NYL\Descargas\Version.txt (copy) 21
\Seguros Monterrey NYL\Descargas\_Factores201806.msi 13
\Seguros Monterrey NYL\Descargas\Factores201806.msi (copy) 10
\Seguros Monterrey NYL\Descargas\_Factores201706.msi 10
\Seguros Monterrey NYL\Descargas\_Cotizador201809.msi 6
\Seguros Monterrey NYL\Descargas\_Cotizador201709.msi 6
\Seguros Monterrey NYL\Descargas\Factores201706.msi (copy) 5
\Seguros Monterrey NYL\Descargas\_Cotizador201806.msi 5
\Seguros Monterrey NYL\Descargas\_Cotizador201804.msi 3
\Seguros Monterrey NYL\Descargas\_Cotizador201901.msi 2
\Seguros Monterrey NYL\Descargas\_Cotizador201708.msi 1

File Hashes

07719ad03fa0d21e850263f590be506b00ff2b9900c83b0d1c8a17cdc01cb085
08f5188dc72b8bd897f3b62db321c59f074cd65eb2509bfd2efd0ba03933d5ab
15e2ec5c9f10817d26e21688b09cc053229418ab6a3dd570d1daaf39f7068119
1ccd39d9b774e35de70f0930e28108d8e744a755fd8e5d8d4c75c6dfb6b52b77
254ec9a3f1b8665c0301d195dd4b6eebf344c0b06068ee36b26280e93196dbb6
2ae2bbc3675aa9d3a98d5cb6a45a97d680995df9c5361cb30308a6afde5cd8d6
44081663e309d8506429593ca9c586e36fc97772f8d14ffe07bf8a3f978d40d2
62cd02027e885f469501b1c4d9bf71b2aa2f62416db74da5ffa8a5507f87bca8
735748a96cb48098a9ffc14a3a4b2d9fdebf4b90cdc71cfac2b475381cc92193
7854bf7afd93f5052bafeefda752d73a3d2311e52d01b162f4d6ee70eb164d5d
7b7d409532f6c627de1941a0d4dd8b9cd0734e4a039582be4d04d67389b99e99
7cb6a0d46d1e855c503eb2e59d69f93ca1c015312f8b733e18a5864893333215
819eb71e2c8a96ada5832365f6bbc7bfa009606e2ef9572d4d6ee14d175cb074
93083038cecbcc0af848af93a3a6f154107f2b3a76e8c1724c0e9f71bc2d7007
9922efd298df2f49a6136f00593b37bf555be45d1deaac0c7d0bda06b4cf441b
9d70a41a5d5bf0da3a673709fe56b6fd811aca0d47d7bda98319e4c594526a47
a42569e64c2be0ea222a01e410915a4bb15be0d074703b187a798f6b131fcb6e
b170643f1382e654a6ffc5d49448465c178677085475832c390269020ef0fde7
bcf7d13a1ed87d38835efbabf8b611135e86d030f1946cbf2dd610cca719897f
c5bca552baa25696801a5e48a8491727e01105f520621c258e2821f696b418e1
d9ec83a827665475d8e2a7187dc1a88a405e4d9109b6ae1022719525a5408588
f40f4443fd4356820526db064b7c46d7ef6ee02d335cc56f6d8f7bb8fac7d6e1
f4ebcf27be5c127225643ff2054d97bb7abdf52f1b9f1057814c9ba814b80914

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK

Win.Dropper.Tofsee-9887377-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 110 samples
Registry KeysOccurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description 		102
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 102
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1 		102
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2 		102
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0 		102
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath 		35
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj 		9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla 		9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe 		8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg 		7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti 		6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy 		6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk 		6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix 		5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu 		4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr 		4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc 		3
MutexesOccurrences
ServiceEntryPointThread 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
5[.]61[.]37[.]41 102
95[.]216[.]195[.]92 102
213[.]227[.]140[.]23 102
193[.]56[.]146[.]188 102
193[.]56[.]146[.]41 102
193[.]56[.]146[.]42/31 102
142[.]250[.]65[.]164 92
192[.]0[.]47[.]59 77
157[.]240[.]18[.]174 70
216[.]146[.]35[.]35 66
216[.]239[.]36[.]126 62
208[.]76[.]51[.]51 61
208[.]76[.]50[.]50 55
104[.]47[.]54[.]36 52
104[.]47[.]53[.]36 50
173[.]194[.]204[.]26/31 47
208[.]71[.]35[.]137 41
43[.]231[.]4[.]7 38
199[.]5[.]157[.]131 36
195[.]46[.]39[.]39 36
51[.]81[.]57[.]58 34
142[.]250[.]80[.]67 32
23[.]64[.]110[.]75 30
199[.]5[.]26[.]46 29
89[.]233[.]43[.]71 28

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 102
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 102
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 102
249[.]5[.]55[.]69[.]in-addr[.]arpa 102
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 102
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 102
microsoft-com[.]mail[.]protection[.]outlook[.]com 102
microsoft[.]com 102
lazystax[.]ru 102
whois[.]iana[.]org 77
whois[.]arin[.]net 76
www[.]instagram[.]com 72
app[.]snapchat[.]com 62
mx01[.]oxsus-vadesecure[.]net 34
www[.]google[.]co[.]uk 30
auth[.]api[.]np[.]ac[.]playstation[.]net 30
www[.]bing[.]com 28
ip[.]pr-cy[.]hacklix[.]com 26
mx1[.]naver[.]com 24
ameritrade[.]com 24
mxa-000cb501[.]gslb[.]pphosted[.]com 24
mx1[.]seznam[.]cz 23
www[.]google[.]com 5
live-com[.]olc[.]protection[.]outlook[.]com 5
msn-com[.]olc[.]protection[.]outlook[.]com 5

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile 102
%SystemRoot%\SysWOW64\config\systemprofile:.repos 102
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 102
%TEMP%\<random, matching '[a-z]{8}'>.exe 101
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 38
%System32%\config\systemprofile:.repos 11
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 10
\Documents and Settings\LocalService:.repos 5
\TEMP\1122537683.bat 1

File Hashes

023fd0e5de906d95a296fefa581b3ff71f6537a166804bbd9afb54ae9db26368
051b51558366b3c7d05b5b2ea00e8295503be6d2c16a8054f5d7abe3092e7e18
0749d1d77fbcf6b9b80e7a363ffd8eab17820a3ad3564197f6181818cd9833f7
07b48745f8519a712f3f7898dedced56686b17e143db6ba2d09a4bfbe4e41138
09bb9e617b142a9d28f4f3d266908df367b271836976afecad595e03abfb9025
0aeeec91101a3e2b24480fed8cc4204a9278fd65bf03d4291e18fef9ed264d0d
0dcc1b7a2b2240f49dc3fc7165d7c1c2e3cb514f135a19e3b850505ea5f5a7a3
0e0c4fbd7ec28dc4eaa3fb5dc7be58dfef1bf6aec4b8e1c935b1374f1d15dc36
0e0ca75d378940153d90aa5854589382ec881f8fe15dde7854c354e20656acad
12bab4d21babf349705e0e04270710ce4f9d40c86c4bb742e5125e1f6219352d
1388f896853f0b167148679500fd9e1173d265c1c461deae7614a95542a3e560
16fdd4e662c27a0d215c518adedec27567ccdf8886ff0cac8f50df383803fb38
18bbc6d87bc31915ddd7f3f3d5ab7b344b77588f99c83b8bc1c9efc2d2c31ace
19a3f2c596e09f4daace53c6b81843419474d55c093913a884c9021d93aa06a7
1d0e915ba7a5d11b9723f412592406f20f6d5cd2e55d77311415552595c4b605
223bc06d774c8be5a6217d95d27951f0c63796569162da32a6d548fd40714a00
22430b3222097f37c58ce42157db41c9a1064b23cd65c6df731d6bf8ad9c07ec
2601c1ea5dd7376b7d0423a08de0c1064bf38d28fe00331e21bed4333233acf6
2bf61aac3921567bae041c7c655f7ef6fb6b9df9af3022dc1b59885e3b0b719d
2d1883d5a7afdb6d46e83ce680ff6e92a3c2311abd0a5ae79b9ce99c7ba2b177
2d580f61c4041b4bf86019246703002a61f5b6e7471b83a19d0d2bea9d509a7d
2e484abb8cd81edbb861598083703cb2378651a29e64316823d1014e58037201
34bc5c2f6b12f24d52ad663ccaae81b011656c7f019fe7c3f79ad56f314424d9
358b603601d2ea692d1d69baa928cfc8826d88bb598b8b5c30bbf08dd93657df
358f5c52f0736cf7658a26c5575ea584aedc0770cfc000f8b2f686ce44c438e1

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (16908)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
A Microsoft Office process has started a windows utility. - (11703)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Excessively long PowerShell command detected - (3591)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Reverse tcp payload detected - (1551)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
CVE-2020-1472 exploit detected - (1462)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Crystalbit-Apple DLL double hijack detected - (1179)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Dealply adware detected - (984)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Kovter injection detected - (266)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application control bypass attempt detected. - (167)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
CVE-2019-0708 detected - (94)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.