Threat Round Up for Feb 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 16 and February 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

Win.Packer.Givelet-6454616-0
Packer
Givlet is a packer that compresses and obfuscates a malware payload. It has been used to pack ransomware like GandCrab.
Win.Packer.WizzPack-6454612-0
Packer
This .NET packer has been seen being used by Wizzcaster adware which will install unwanted applications.
Win.Trojan.Generic-6454586-1
Dropper
These samples drop additional malicious files on the infected system, including cryptominers. They also use registry keys for persistence. And perform some host environment checks to evade sandboxes.
Win.Trojan.Generic-6454615-0
Worm
Win.Trojan.Generic-6454615-0 is a trojan that will contact a CnC server and try to steal information from the infected host.
Win.Trojan.GenInjector-6443827-0
Trojan
This family is highly polymorphic and malicious. It injects into another address space and it uses process hollowing techniques. Moreover, it gains persistence through the Windows registry and it complicates the analysis with several anti-debugging tricks. This particular cluster is able to contact SMTP servers and sends spam messages.
Win_Trojan_Regrun_6454954_0
Trojan
Win.Trojan.Regrun-6454954-0 is a trojan that will install itself in order to ensure persistance, and will modify several settings on the victim machine in order to conceal itself (file extension and file hiding configuration), hook certain actions (registering itself as a file handler), disable Windows Shell, register itself as SafeBoot alternate shell, disable the registry editor, and other actions to prevent the user from repairing the infected system.
Win.Trojan.Startpage-6455053-0
Trojan
This trojan changes the browser's start page. The start page can be a single site or a set of sites that will be opened when the browser is first opened.
Xls.Dropper.Powershell-6454576-0
Office Macro Dropper
Excel workbooks that use the Italian message 'FARE CLIC SU "ATTIVA CONTENUTO" NELLA BARRA DEI MESSAGGI' with an unreadable image to convince users to run the macro. Powershell is used to download and run a malicious executable.

Threats

Win.Packer.Givelet-6454616-0

Indicators of Compromise
Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value: qdobxoamsza Mutexes
Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c IP Addresses
193[.]0[.]179[.]152
151[.]248[.]118[.]75
5[.]154[.]191[.]67 Domain Names
gandcrab[.]bit Files and or directories created
%AppData%\Microsoft\motopn.exe File Hashes
10f2ed852befc9c9c15e5231b2167bbec66e3700c44bcf324312a32e932fa819
1257a5650f02a4cbff43c190452517e17f4aa46284b7063162e4a54d318aff79
14944d9db8baace4d7fb97cdf285009b5e0472bd6aa4d9cb530a1f3893287682
17d14ca09aa5f447fca0d8d5d1ae9dee5731846588d1c15987eb3de5cd57e90d
184ccb64f12601a3797e9c73ce77c89d05b50f2a668f94ec8cfd1c7414906c0e
18635915a4453bd1c68de152c139326023a165c0ae191ef501a6425615aa5d84
18dd0a662f77ca2ec235b3ae761cf7f4e6a3adb3fe32b2c994c080b6b7f10389
19519e38242877d2a689efaddecb8b8699d122051cd4b189de6466a83422f7c3
19cebd1722376f2c62a1922214903052a964ad1d2505fa698376c5f3b4d0594b
19e5e3d8fbf0db27d943090114c88051294bb918f0c9ce2d4894d9c8c290c21b
1ddca770b20bf8748a2a0435cf4f7316167ee4dbc7311fd3fd8e9600c79fc7ec
1e7eebcaf485682da709a94fb1c679555a9090592cfe54564f5eb396c7458044
1eae0edf899f881fd86f0500b58f9b6497d5b94a99ac439307d61c0f24cb1573
2155517a296dd90f86ef3bb09455444c387d9b1384bb435c997105acd88a281f
29ce80f75b8877e22cdcdf3fbecb01d2d1a65161f18311facdbbd090769b5ee6
29ff9ee8e9d85e836de88304ee4251ff373bcec4abc5c45496192952ad08a0a5
32ee0ff7fbec042edbb9420e522eda1a126e1872da2b7a13b0627a03be4d1d59
336e7c9dfef94fecf00c1c0b2a539c7332453e72367efc0b25c5115d90d94180
3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c
3732c9fd5ff38c31fda2492dd81584819f12cce5731f7361f536bdf8040c724d

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Packer.WizzPack-6454612-0

Indicators of Compromise
Registry Keys

N/A Mutexes
RasPbFile IP Addresses
94[.]23[.]252[.]37
46[.]105[.]121[.]115
94[.]23[.]199[.]17 Domain Names
asedownloadgate[.]com Files and or directories created
\Program Files\S941OEL096\uninstaller.exe.config
\Program Files\S941OEL096\S941OEL09.exe
%SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe.config
%SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe
\Program Files\S941OEL096\uninstaller.exe
\Program Files\S941OEL096\S941OEL09.exe.config
%SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe
%SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe.config File Hashes
a7bca25940ec920dbbcc05ef606b1d0a1192d46de612b432a1072d3aa1fa5a07
22a96cc3fcc81a7475fc4c6253fd8e39bda56bd97afc5c98864c1eab9c2f625f
c9bd472f6fa6af9f0ba855967c4a061e6e559e48734b4e85c30742a14274a5f8
ea4ddb43aa08c17216262c7251fb47d6f8c2c3f2369c6efed6c7914d9f0e16c1
17873809b8b5c0df00a414ed8ac4ccd356d46bb5726d79552c3e5d5f0e63c889
e63962df00ffdc4e99d59019b588c0b34a0c56368bedb9736cb684274fac3833
3c7d21d1ae2103a9610f3073c3e805ef76adfc978c13c19585830d2e17d3c912
9eea6555c0fbc9753b5a7f68d367269872538850b326a2eea3ad4c26fe910073
0c0124adc78b717b24505119f4faa70b1ce9fd217d7c5fee574b77eccd13d755
11d808a9eb56223bdb3e1a66a3d55a8ea12f077bb5ee2db66d193cb779a02f62
a085a4dac6d01166072c7296ec4e4089e50a45ed0027a691854c62ed0c5be611
e05db1be09272fb01803d46ca5b9b55e324776058a87f9695e1b39f8f9bd3e17
f8f7422827e5874604c69ab1d2de11d893f7432a6b346b1a6d0feddce700d24d
2815d64f1dcbb9ea459b969da34c7d319440c854fcee7d5b12b138f5540f7a10
f6bddc85724ff45d2b64f17685dcce98c7e5f7435d9b268debd523cbebc14260
899a119818fbdd16989380e5e4a62998e2d68865dc5f5dba82c2931e6d20bcbd
f2dbc26b7b7dd8f552e954ce4e8b685a9600506a633a90c2735a303aec80e0a0
4727f0952de54fb024c30de9188d2e6e81ee0a675f229159013b6d753e985a6e
8e8bdb56d72a73da3d4367a59ca2235495fc7837aa48dd15201a6a0ff1a8d7ef
c59a5a9e3cb8bc3794d17a480e4709b1b96b28a469c2a1ff1d9ab4972f7a043d

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Win.Trojan.Generic-6454586-1

Indicators of Compromise
Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: AudioHD
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: internat.exe Mutexes
Local\MSCTF.Asm.MutexDefault1 IP Addresses
N/A Domain Names
N/A Files and or directories created
%TEMP%\svchost.exe
%AppData%\AudioHDriver\AudioHD.exe
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\AudioHD.url File Hashes
013ede62c35998c847f9248bcede46dce801480743a064d488341f95094c0d4e
166ee27653415896013b0e775c03ffc27db5a7b6daa7a4c78976fdd7bc166416
1f1ec9a132226bc4eac25a6e999cc9b937718cb356c8d41b2bb08266ca1c5a38
2d1cfd1ae428729b32af03264179cb7640d4aa7b1e3c299cb106a77cfe42d216
38cf958875c3eb34a07f15163e7ceb8294ada5eccb765aa37ea69aba4fe79cd8
3b0e9faf07e32d593b54cdfebd725707988bdaa7d81ab2ab396630384127fdc9
3ff03a32f5a944c6655789bbfa124a7d52bb17df771c975685a5dce69c124d04
45b40df9bc6508a11c7fdf06de88a039485dca91d985fb667a91a4af35a08b2a
4ca97c879d841e79a5588f350cea663272bdfab1a1e7761b109c6bc72da523fe
5943eb982b5def7773628c728369398d5722c39f67b978c10782311eb00a50bf
9414096ebca4dd3e948014b7348578e5adfec4729e5a9f15f6b06dfffbd13408
a6a9ec0af4abe94b72e557f4b9c9d4d0b59b4296aca3175a1551b84efefed856
ab1c0fd38656ae73d1ec96bb5b3ee5e354022feca924653c606ad5dbc3ae0c47
fddbec3a6e8fca4f3f388ff5856b8030005339967ffda594035f9353f5c71bd2

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Trojan.Generic-6454615-0

Indicators of Compromise
Registry Keys

<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\eapqec.dll,-102
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\eapqec.dll,-103
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\eapqec.dll,-100
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\eapqec.dll,-101
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\dhcpqec.dll,-102
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\dhcpqec.dll,-103
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\dhcpqec.dll,-100
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\dhcpqec.dll,-101
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
Value: PnpInstanceID
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\napipsec.dll,-1
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\napipsec.dll,-3
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\napipsec.dll,-2
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\napipsec.dll,-4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: internat.exe
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\tsgqec.dll,-101
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\tsgqec.dll,-102
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\tsgqec.dll,-103
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: @%SystemRoot%\system32\tsgqec.dll,-100
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: 35f4cf4b9d22a75d4f44d45247335d79
<HKCU>\SOFTWARE\35F4CF4B9D22A75D4F44D45247335D79
Value: [kl]
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: 35f4cf4b9d22a75d4f44d45247335d79
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value: di
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: LanguageList
<HKCU>\ENVIRONMENT
Value: SEE_MASK_NOZONECHECKS
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value: ParseAutoexec
<HKU>\Software\Microsoft\Windows\CurrentVersion\Run
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
<HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
<HKU>\Software\35f4cf4b9d22a75d4f44d45247335d79
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
<HKU>\Environment
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKU>S-1-5-21-1258710499-2222286471-4214075941-500
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
<HKCU>\Software\35f4cf4b9d22a75d4f44d45247335d79
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
<HKLM>\SOFTWARE\Microsoft\Tracing\FWCFG
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig Mutexes
35f4cf4b9d22a75d4f44d45247335d79
Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
\BaseNamedObjects\35f4cf4b9d22a75d4f44d45247335d79
RasPbFile IP Addresses
52[.]15[.]72[.]79
52[.]15[.]194[.]28 Domain Names
abdullahxd[.]ddns[.]net
achreeff[.]ddns[.]net
fatehtawba[.]hopto[.]org
youdkme6[.]ddns[.]net
boubou14789[.]myddns[.]me
hixx[.]ddns[.]net
hoangvanloi[.]ddns[.]net
hackingisis[.]ddns[.]net
aymandz[.]hopto[.]org
deface666[.]duckdns[.]org
ramzy778[.]ddns[.]net
adsvcksl0[.]hopto[.]org
hostalukkzattack[.]ddns[.]net
4mmujnm11[.]ddns[.]net
love-5aled[.]ddns[.]net
njrat511[.]hopto[.]org
rootbot2[.]ddns[.]net
force-ss[.]ddns[.]net
aadlallame00[.]ddns[.]net
ksa-99[.]ddns[.]net
updateservice[.]ddns[.]net
forever12qut[.]hopto[.]org
wydad2002[.]ddns[.]net
feedback007[.]ddns[.]net
sniper1994[.]hopto[.]org
falcon777[.]ddns[.]net
pikhateamspeak[.]duckdns[.]org
krkr-7rb[.]ddns[.]net
sagadegemios[.]ddns[.]net
sniper04[.]ddns[.]net
omerbahram00[.]ddns[.]net
koshtmna[.]ddns[.]net
colorado[.]ddns[.]net
minhahostvitimas[.]ddns[.]net
zkiller[.]ddns[.]net
1[.]tcp[.]ngrok[.]io
hussein1984[.]ddns[.]net
sniperusa[.]ddns[.]net
sodotest[.]ddns[.]net
notfoundd[.]ddns[.]net
portaclore[.]ddns[.]net
al38lal56er[.]ddns[.]net
paubrasil123ei[.]ddns[.]net
samuli[.]ddns[.]net
droid[.]ddnsking[.]com
naoe1noip[.]hopto[.]org
njrat98[.]ddns[.]net
windowssystem2017[.]hopto[.]org
dndon[.]ddns[.]net
plon[.]ddns[.]net
kskhtk[.]ddns[.]net
belegugamaniawr[.]hopto[.]org
boubou14789[.]hopto[.]org
samirsuheib12[.]ddns[.]net
machouche17[.]ddns[.]net
menescraftson[.]ddns[.]net
tronn[.]ddns[.]net
zombi16[.]ddns[.]net
hamaditigwan[.]ddns[.]net
r4y3n[.]ddns[.]net Files and or directories created
%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
\TEMP\R8v6FbJV.exe
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
%AppData%\server.exe File Hashes
e537ffeb2bc202f2a8289e9c96115c5c03280cdbda5a82a81d83b97570ccfcce
eada793b386002f297ad511a2ae780cd011b189f1dccbd6ca62d89345095d6e6
49fbf92ef158694f0ed792403f7a066d88831ba71e5f4018f707010f2627210d
4c54271a9c1fc98d0561c6f8ab45be77121bb382453e07d49f2b56d89bd263ab
b6712bdb9c15e7e3cbeb71a32cd2103c1286509a85e7db870baed53d71b0dcc2
15fa9fff9515ae191c98aabd7a870699d3683ad9ae0b9fbdb4fb875e35c43183
8def70bf3014498d6c05556fd1b5b72982205423bb5bfa9d25ab4288ecbb506f
658e4b5c23b609d535abc535901b848569dd294f26952fb07a25dc3537116bf8
a4b0b9b8b4240370b6c9f030eaac7b852f10da8069b36d3387fd1b96e472d73a
2f2e7e92f633924afa45b5da925e217643ed08e605ced40949f0ca78adb36d6f
a1d8135b1ff1c5d8c28016b4ff09bb47606f04f815a4f268c6d82d25398f7bec
46a5a182b94569e4db66ae877064a18a1ca470aa0302d400eaed02545d83c1eb
9bce170ab8da2c93a54bac556b0666f93ab09bfa9965b03bdbc7861ee413448e
90e7a37c2183bd83b02d3a6ac8af8a3afd19e0a1561bf16f2338476802dcfefa
e1673a3ed97150082c0e89712386c71f6feb8fd1d7428fe633cfae0d1ca9baba
ba1d8858e7863db19f04cf44cfa92906887833a84099f2bc810ed5c6863b46b1
59a56a0d81bac39e5a7a9299ae700b5734b1b038fa800c006463c5592620107d
de3357a9ab3d0f03cb4025862a0f0a38f1eb2e0d2909f9537597c4e341cc14be
bc9c84da6bac2680ae866d540768af8f744c321d2cedcccd97fb17299d5904c6
2e7b6747e309c3d8fb98ebe25eeeb9f4644162084b304a68ef00a5690be27b46
8d3b285e6b1a0c1f21e9a950ab580800f184b0d6456dd117c74edc37020c31f3
b371a4708ba510da541267981d4b05bb6dafbe4b07b387952c582db4ea691e26
dde1cc674ef61703752be1d3354f0f766724678aa0fdeb6376e7448a901d7f78
ff2269482bf29fef74fdb1d15cfae2417955f1aaa80cd8e3c296d21bec23bf98
ce533f8f084a79294aa1254db01fd630dab95ccff22124d9fb4c51fe16a2948a

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Win.Trojan.GenInjector-6443827-0

Indicators of Compromise
Registry Keys

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: FileTracingMask
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: FileTracingMask
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: MaxFileSize
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: ConsoleTracingMask
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
Value: PnpInstanceID
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
Value: LanguageList
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: MaxFileSize
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: FileDirectory
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: FileDirectory
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: internat.exe
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: EnableConsoleTracing
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: FSjrvbtr\s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: ConsoleTracingMask
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: EnableFileTracing
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
Value: EnableFileTracing
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
Value: EnableConsoleTracing
<HKLM>\Software\Wow6432Node\Microsoft\WBEM\CIMOM
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASMANCS
<HKU>\Software\Microsoft\Windows\CurrentVersion\Run
<HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<HKLM>\SOFTWARE\CLASSES
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASAPI32
<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\regasm\DEBUG
<HKLM>\Software\Wow6432Node\Microsoft\Tracing Mutexes
\BaseNamedObjects\7261cb8c-207c-4c90-b816-c6717f9f50fe
7261cb8c-207c-4c90-b816-c6717f9f50fe
RasPbFile IP Addresses
208[.]91[.]199[.]224
37[.]187[.]116[.]23
208[.]91[.]199[.]223
192[.]168[.]1[.]255
208[.]91[.]199[.]225
66[.]171[.]248[.]178
208[.]91[.]198[.]143 Domain Names
glop[.]me
us2[.]smtp[.]mailhostbox[.]com
smtp[.]tridentsaefoods[.]com
bot[.]whatismyipaddress[.]com Files and or directories created
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp2.tmp
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp5.tmp
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\8a30b2df-789d-2a28-7167-76c811ca3a9f
\TEMP\IMG-PRO-FORMA INVO.2017.1.11.exe
%AppData%\FSjrvbtr\AVetZPQw.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp4.tmp
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp7.tmp
%System32%\wbem\Logs\wbemprox.log
%TEMP%\a998c159-9477-9c4d-f909-8a857896ecad
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp File Hashes
021492b2cc3c242851207e402e9ba284ed32350379deac649f38426130b2c01f
048800615c3449d53e8b3c28489fabb4e8f4d758ace9f585f8f2ea585d3c7fad
18d5300979ddaa3b65ff7579aa3725921b44e945e40ed54e55a0396add9d3323
2cd6fc2a4572f4b1a39371a8df8c664eabe119608908d441257e72eb203737f4
6346200d4e21bcd391e3557b72791f033c51fc72ebfeb359498b63c1c8d832ca
7ad83d75a4223be0dec837d26fa78e4d7a69e4379c01c3ae31f3aa82483fbd2d
90cd726b06dffb129795b132f92d39750492d168206ef22b0ee422a6a55663cb
b111124ced4570df72cefd1b5d0d1afc1f1dae7db1319c4e720f52c23b76c0ad
b9a43f89e0b974b2f2b2af15e80353b10175ed3e9d4e015d85f96d7d38e65c6c
be9f065d0330585bc300e3a56c7ade7da01a48af2d1c7634e20c2896c45a2024
d90dc3f22cc7bd92f22bafa9d77b0e373849386eae57606b42239f915357084a
e128f7ad54a882d2d269733a956f49e5b1bf2b182781f24f98f058f2d8f48787
e4b1ee306ab7080c48b05746da8130fdeede8730214e00778c8231f6d8d6e7c0
fb237b7fc75cec8180f4d853c44911dc0dbdb705be39c3e6f1f2a523b79ff9d5
7a7afe3c990a21f1076dd57769d2e199e081ef04f5fb250da5c6d4d109034dc0
a9657835057ff11177054c128e834217fd6ba5e55279caab16391f12147c0757

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Trojan.Regrun-6454954-0

Indicators of Compromise
Registry Keys

<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
Value: DisableMSI
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: System Monitoring
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value: NoFolderOptions
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value: DisableCMD
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value: DisableRegistryTools
<HKCU>\CONTROL PANEL\DESKTOP
Value: ScreenSaveTimeOut
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
Value: FullPathAddress
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: xk
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value: DisableConfig
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
Value: AlternateShell
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
Value: Debugger
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
Value: LimitSystemRestoreCheckpointing
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value: Userinit
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: internat.exe
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value: DisableRegistryTools
<HKCU>\CONTROL PANEL\DESKTOP
Value: SCRNSAVE.EXE
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
Value: Auto
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value: DisableSR
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value: HideFileExt
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value: ShowSuperHidden
<HKCU>\CONTROL PANEL\DESKTOP
Value: ScreenSaverIsSecure
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: MSMSGS
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: LogonAdministrator
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value: Hidden
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value: Shell
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value: NoFolderOptions
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value: ServiceAdministrator
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
<HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
<HKCU>\Control Panel\Desktop\
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
<HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
<HKCU>\Software\Policies\Microsoft\Windows\System\
<HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
<HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
<HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
<HKLM>\SOFTWARE\CLASSES\lnkfile
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
<HKLM>\SOFTWARE\CLASSES\exefile
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
<HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
<HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
<HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command Mutexes
N/A IP Addresses
N/A Domain Names
N/A Files and or directories created
%WinDir%\Tasks\SCHEDLGU.TXT File Hashes
d86831a343b89136da7a224b0abfae57a79b1ce5d0ae3447bef628d262fb0f12
c137279e9650a0112f3a3460172a41f307e32aba43016c6d85b1d33859079bba
060bf8faec0beb953af3c72b54ea334abc1057f5bc96a65a140810ac55d2e6ce
b6a80a6ed3bc851a1685ef19dc3a89424813b93a10b25a0684631a532dea71ca
13cf35842c9ef3f362bb7d3c6c8c50957f5b156e865b45b57e2e420416a3f656
e6f2a103d62c0dd55cdbd3776578fd8ff3ea28532404a811c0dcd9ed7df473c0
ddc14512ed0a1c00988ef4ea0ea59b832d4e17a25500e7a2f7d5caaa6aae0245
4a66e0bfcdd2addfccd8ba68c50d2b803beb2b8120a6cf4f8fecf4a0b0cf1678
9dda2f8f7543c8074f4c284c00e5310a599b364def138a99d7425ec1b205b7e0
b2d99e9bb7d597d69b139b07c3ac03aeb37f959094ab0f50bc2a8269d340b8b6
59695cfe42cc0d5418a4568d946949af5fd9de14bdc160d1a5d12d5916a9b411
2c4d182d15533ea845e2d8741a3012998f339a3a6411735a07e4a5722ed0738c
80fd45667ccd54a83e5a54339fa4f5260929bc59f1a57be49251e3ebdcd5abce
f0c6a8ed12cb35d5986a1ad51f035f684f0b2953c8b4738e5243777920d23169
04b54cac517f204d2f4159a819b63825a8be41a0470d9666ea2110607888c857
3c7e07a560d5cd46a054d44663440f7ef38b48157ae16c39e7a8c8859d517d80
6262f5c8735e38bc8ab646dc1edb6f989478c3d50abadd7b9b58a5e63d558dc1
5d5175472fbb0a943818f84a6b2423c410c212390310daca531e6f0f880c336d
57b930abca5b4f3cdd3c7c50b77224ea732dc5d44d2e8443c9199b7701a8307d

Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Trojan.Startpage-6455053-0

Indicators of Compromise
Registry Keys

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
Value: URL
<HKU>\Software\Microsoft\Internet Explorer\TabbedBrowsing
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
Value: LanguageList
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
Value: SuggestionsURL
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
Value: DisplayName
<HKU>\Software\Microsoft\Internet Explorer\User Preferences
<HKU>\Software\Microsoft\Internet Explorer\Main
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
<HKU>\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
<HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}
<HKU>\Software\Microsoft\Internet Explorer\SearchScopes\{F7067876-A17A-4A11-A92B-185B2E8D39B6}
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
<HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
<HKCU>\Software\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs Mutexes
{5312EE61-79E3-4A24-BFE1-132B85B23C3A} IP Addresses
1[.]1[.]1[.]1 Domain Names
N/A Files and or directories created
N/A File Hashes
6daffa157bd0a686cec232c2d1ffc764b7b85d7a94a6c2b13b46e3903fcd78b8
60dbf376cedaecb73bc2bd558024a2af9a95a3044d7343850a7ca03d098943f1
9eea8a80c3d01e16ab4ed53e9743d1dee0351b9ce6dd632dad938b71d78f8cce
e74e9dd028c909ebd85012866f2e9ac33bc1db243499230d0e0c225eee9adb1b
18afad450f4b7816ddf1451e48684cefce677671ae5d6747fe90be2c3d8bd82e
ab15bfd82688bd582807715e61aaa40f018f80fa0e99bbd018bc47a6c1aa80f4
399c3b0534f83e5778e2e1f65633d12e92b7b395d38315d964a640df646d32d8
dbc1311001ddb6e3069e7b6d5dce0ce3618d736e1603f0271ffc52abbb8e2f0c
32bcd39615ac8e11e42b24925b24e74f4a4540acc763c5255c7bde0a00e1f253
f31f9f266b453ddde95d2bab56548a32269b12d8c54c6efc7a91628b2a72273e
a0014494734eb608b9f7af9f3c71057babf7f486e19745286bc574f766b4760c
228a8c340397acc65c36004acac69a29204840167527deb1f6ed02b75c8cbf1a
f9552c1892cb3bd49289fb7eb541353027e6d431194d326c24b231b529adc0ba
62d5c29939f8c70c80797165dcff9b9170a77a82354bc0d2a5625c115a7dbc6f
cc8a88dc216648a8ea78174b04c0c874cecbec2a2e6b93a742eaa530264cb563
ab8cc1d317663161a27eba9a23d54f3c6d71bfb774dda248eadc052062e76cb1
13b51f0088c3c341d59467f89601703b20f160585d6008707572b12862ae894d
91fd6e5bf7737e284fc80757fbdf0e141564d37c0e50e447e1b7dc2ce1cb7a2e
abc0a5ea42a72483a16308ea888d1a56f27c8e8c02b6a93d816339e7acab9c49
33033fc8af66d92c077aeeb997043c90a64d4aba8840779dedb4f446be7b94f4
d463ae2543a2a81dc89d84b6ca9f195c430d65cf25fb753a9e4ab5fad1b4df2e
0b11ccc6fc403eeebd9edd0e9087406beeaf5aea9b38cfd7d4a57139e777619f
6b148642e7d64be68a97a13d776b03a76406bd2553ef0314b5afcb5906ad43d1
278cda56d3b11ab3712751f7c3848465a728aa13cf07980722509b04d992626c
e32a73c2356c41a50e83cd9e7bac747249aed1fe68f17ee71d0a90887c3c1401

Coverage

Screenshots of Detection AMP

ThreatGrid

Screenshot

Xls.Dropper.Powershell-6454576-0

Indicators of Compromise
Registry Keys

N/A Mutexes
N/A IP Addresses
192[.]168[.]1[.]114
192[.]168[.]1[.]255
192[.]168[.]1[.]1 Domain Names
bitcloud[.]gq Files and or directories created
%TEMP%\CVRA534.tmp.cvr File Hashes
1955b36980486ceb95b0194fe10ed7aa9b317b7c3d6f79f152ff4f0aebba50eb
471c4a3ac3ee5f32cad237e320bbacc99c0b1cc52cadd351a9cd35eebc36ea97
1e0c9247ec3bb3d9f0e7a9e422aea3263ec32db17ffed0b4ae6a6e4b791fa195
9adfcba2c8a8e25433eb3cb88593d22314d59e0d420f1735df2908df7e7b8881
2241ad38594e08c9a72417e1f232ae1256c551f3b466d53a3ecf0fe4b3ac976f

Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Screenshot

Cisco Talos Blog

Threat Round Up for Feb 16 - 23

Threats

Win.Packer.Givelet-6454616-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Packer.WizzPack-6454612-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Trojan.Generic-6454586-1

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Trojan.Generic-6454615-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Trojan.GenInjector-6443827-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Trojan.Regrun-6454954-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Win.Trojan.Startpage-6455053-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Xls.Dropper.Powershell-6454576-0

Indicators of Compromise Registry Keys

Coverage

Screenshots of Detection AMP

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys

Indicators of Compromise
Registry Keys