Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 19 and April 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Gandcrab-6954107-0
    Malware
    GandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
  • Win.Malware.Kovter-6953553-0
    Malware
    Kovter is known for it's fileless persistence mechanism. This family of malware creates several malicious registry entries which store it's malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
  • Win.Packed.Scar-6952917-0
    Packed
    Scar will download and execute files to the system while attempting to spread to other machines by copying itself to removable media.
  • Win.Dropper.Lydra-6952708-0
    Dropper
    Lydra will monitor user activity to steal sensitive information like passwords and setups various persist mechanisms to ensure execution at startup.
  • Win.Trojan.Zeroaccess-6952579-0
    Trojan
    ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
  • Doc.Downloader.Powload-6952235-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
  • Win.Ransomware.Cerber-6952131-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
  • Win.Packed.Tofsee-6952124-0
    Packed
    Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
  • Win.Malware.Emotet-6947486-0
    Malware
    Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails.
  • Win.Malware.Mikey-6953803-0
    Malware
    Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. This threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request.

Threats

Win.Malware.Gandcrab-6954107-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mrtauqkjwnb 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: taiqbyxzlxk 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: kgdxylqkehn 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wthkafbhnnz 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: csrzoywxadl 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wyvcshrzmzp 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: htiqstanrob 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wpxojreokly 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: blyfivnejxn 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: lrrnacksfnc 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: kamceprdczy 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: itqfvoapacm 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ncqtnmbrepx 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wiuqosifjbq 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: sktkqyirmst 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: bwipaxisell 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: hdcpovptyus 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: jquurrwhzkq 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ysblnuivkrs 		1
MutexesOccurrences
Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c 19
\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4 19
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
66[.]171[.]248[.]178 19
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
1[.]1[.]168[.]192[.]in-addr[.]arpa 19
ipv4bot[.]whatismyipaddress[.]com 19
1[.]0[.]168[.]192[.]in-addr[.]arpa 19
malwarehunterteam[.]bit 19
ns1[.]virmach[.]ru 19
politiaromana[.]bit 19
gdcb[.]bit 19
ns2[.]virmach[.]ru 19
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 19
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\O1OD133V.htm 19
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini 15
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\ipv4bot_whatismyipaddress_com[1].htm 15
%APPDATA%\Microsoft\hghbta.exe 1
%APPDATA%\Microsoft\gknrwh.exe 1
%APPDATA%\Microsoft\fpimav.exe 1
%APPDATA%\Microsoft\menqqw.exe 1
%APPDATA%\Microsoft\yajjhk.exe 1
%APPDATA%\Microsoft\fttqrq.exe 1
%APPDATA%\Microsoft\ggxike.exe 1
%APPDATA%\Microsoft\lxhknn.exe 1
%APPDATA%\Microsoft\aojsiy.exe 1
%APPDATA%\Microsoft\nsxpnb.exe 1
%APPDATA%\Microsoft\tywgei.exe 1
%APPDATA%\Microsoft\ucihie.exe 1
%APPDATA%\Microsoft\odrxqe.exe 1
%APPDATA%\Microsoft\clhbpq.exe 1
%APPDATA%\Microsoft\vacwir.exe 1
%APPDATA%\Microsoft\pzgooz.exe 1
%APPDATA%\Microsoft\ivnaov.exe 1
%APPDATA%\Microsoft\yvudxg.exe 1
%APPDATA%\Microsoft\lfkjbm.exe 1
\Win32Pipes.0000052c.00000017 1
\Win32Pipes.0000052c.00000019 1
See JSON for more IOCs

File Hashes

  • 1156e142aafbd439ee6bd2a9d0e8cd9fd4719ee9d9242b9c1916bfe1b45db99a
  • 14f1688ab3d4c0866797ad43dc7df51d913a5df763fb12c7b72391075945cd8d
  • 194966a4700fbad5d329b75df3794730255ec8afe5c2f385e45c79337f1cbb39
  • 1f2a5163a9b3206f45a03c23bb05ad6c71d22add96374d9c127db58fe72289a2
  • 3c8cdaf3626ede0754ea0f16a67c079ef4670cba8d0e1c4a88bd47856dbd49cb
  • 45376d6ccfe68d1b2b82ad50f59f376917e17a09e2be48da015770f6a549f7af
  • 468ea3dc192ff158b09e6cc09c8d4a190d5744dff6225edb93ae2385a75d9120
  • 4cd88fe74eabf6fff9bcf700cae21da6021a1b45ad2c759b873f00031ec2f60d
  • 5783f8f86692861ff73c02a84860086940a1dc31aa9c821804188f0e8e8ff1d0
  • 5e0171a3a7832430d85b4681a247bb0f82aa3f07f024fa8605d3e9f7836ca6ec
  • 7db58ac99c57662954d7f4183a5945bd352e7db6a0e3aebf31c19c29bc78a7d9
  • 8745527a3c123b9155ae7d470cc549fcecbd97be2c515b8711412e93071c1bab
  • b1a195b1dc49ec6adaed3f6a9eb1e3a1089106ab8503f5e541897230c9c2fd5e
  • c6a7fa1f1f89d235957ce7fd38051a7e9a921847a30c6309da1c5e8cffb71e5e
  • d3cd9d746c796dc68b4dfae7657fcec9bad4c00cf2addb4f90ac1480beb8e0b2
  • d8752dbe07dd9642d6bb7f65701338d99ce8fb718ae803eb12ea41ff5ca15671
  • e1f314bc382f2163df72cd7aa083a2d3a4a78b0e6315689359bb543b5ee872ae
  • f1f63b367f7731f515f3076835426af9086e950b218b5371bc23d8c51e3a7c02
  • f8fd3c82782868205270cdc0b2edfd8c51a5da900bede625a16c1943b4ccd1e3

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella

Win.Malware.Kovter-6953553-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate 29
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade 29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe 		28
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade 		28
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed 		28
<HKLM>\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 28
<HKCU>\SOFTWARE\3a91c13ab1 28
<HKLM>\SOFTWARE\WOW6432NODE\3a91c13ab1 28
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 656f27d6 		28
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 656f27d6 		28
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 96f717b3 		28
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 96f717b3 		28
<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION 27
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 01b2a448 		25
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 01b2a448 		25
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel 2
<HKLM>\SYSTEM\LastKnownGoodRecovery\LastGood 2
<HKLM>\SOFTWARE\WOW6432NODE\8A6FD29F760019C2A 1
<HKLM>\SOFTWARE\WOW6432NODE\S191vn 1
<HKLM>\SOFTWARE\WOW6432NODE\8A6FD29F760019C2A
Value Name: 22F2A9371858821393B 		1
<HKLM>\SOFTWARE\WOW6432NODE\3E4A82EF50861857D 1
<HKLM>\SOFTWARE\WOW6432NODE\LM7zAclcB 1
<HKLM>\SOFTWARE\WOW6432NODE\S191VN
Value Name: noVD3r8i 		1
<HKLM>\SOFTWARE\WOW6432NODE\S191VN
Value Name: Ja8WDQ2COI 		1
<HKLM>\SOFTWARE\WOW6432NODE\3E4A82EF50861857D
Value Name: B6FAE5718727427E545 		1
MutexesOccurrences
B3E8F6F86CDD9D8B 28
A83BAA13F950654C 28
EA4EC370D1E573DA 28
Global\7A7146875A8CDE1E 28
\BaseNamedObjects\408D8D94EC4F66FC 24
\BaseNamedObjects\Global\350160F4882D1C98 23
\BaseNamedObjects\053C7D611BC8DF3A 23
\BaseNamedObjects\Global\ServicePackOrHotfix 2
\BaseNamedObjects\Global\F7E10F769B0682E7 1
\BaseNamedObjects\2594BA9F8AA549A0 1
\BaseNamedObjects\95780D7FD6724D3D 1
\BaseNamedObjects\93444A15B4316C7F 1
\BaseNamedObjects\8AD0B80D27B7A6E8 1
\BaseNamedObjects\Global\CE758B9A90197724 1
\BaseNamedObjects\3E54017756DC8D88 1
\BaseNamedObjects\Global\E04DD8EC68AC932B 1
\BaseNamedObjects\254092C2E3B50CC1 1
\BaseNamedObjects\1AF828CB730214EA 1
\BaseNamedObjects\6CF52592B2A80076 1
\BaseNamedObjects\Global\15907BF02B9082CF 1
Global\ebcd2841-665f-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
23[.]10[.]207[.]183 2
96[.]16[.]151[.]89 2
23[.]96[.]52[.]53 2
23[.]196[.]183[.]170 2
126[.]51[.]184[.]10 1
104[.]119[.]186[.]70 1
55[.]20[.]15[.]80 1
27[.]121[.]99[.]80 1
166[.]57[.]220[.]214 1
24[.]210[.]219[.]136 1
103[.]83[.]13[.]134 1
192[.]201[.]48[.]88 1
94[.]105[.]89[.]64 1
49[.]27[.]243[.]48 1
31[.]109[.]216[.]73 1
122[.]210[.]74[.]190 1
97[.]158[.]71[.]252 1
177[.]96[.]54[.]160 1
207[.]4[.]93[.]221 1
73[.]58[.]236[.]14 1
51[.]103[.]86[.]160 1
157[.]32[.]43[.]20 1
174[.]135[.]47[.]97 1
59[.]76[.]122[.]178 1
212[.]180[.]197[.]146 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
e10088[.]dspb[.]akamaiedge[.]net 4
e3673[.]dspg[.]akamaiedge[.]net 4
www[.]cloudflare[.]com 1
cpanel[.]com 1
cp[.]aliyun[.]com 1
netcn[.]console[.]aliyun[.]com 1
www[.]timo-ex[.]com 1
Files and or directories createdOccurrences
%TEMP%\WindowsXP-KB968930-x86-ENG.exe 4
%HOMEPATH%\Cookies\administrator@microsoft[1].txt 4
%HOMEPATH%\Cookies\administrator@microsoft[2].txt 4
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\55F5KQ7B.htm 2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\BY8YMTTN.htm 2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\DRMICMKU.htm 2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\DU14067I.htm 2
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KACXHDUX\desktop.ini 2
%SystemRoot%\inf\oem13.PNF 2
%SystemRoot%\inf\oem13.inf 2
%System32%\CatRoot2\dberr.txt 2
%SystemRoot%\KB968930.log 2
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KACXHDUX\WindowsXP-KB968930-x86-ENG[1].exe 2
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KACXHDUX\en-us[1].htm 2
%APPDATA%\Microsoft\Windows\Cookies\DU14067I.txt 1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\index[1].htm 1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\00A87HPC.htm 1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\9UBKMUJA.htm 1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\FQVQQJXR.htm 1
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\V69XW46D.htm 1
\5965c0b5c4bb27a5399e\wsmwmipl.dll 1
\5965c0b5c4bb27a5399e\wtrinstaller.ico 1
%HOMEPATH%\Local Settings\Application Data\cacipe\cacipe.exe 1
%HOMEPATH%\Cookies\administrator@104.31.137[1].txt 1

File Hashes

  • 03dae55b56d3cf11136529cd2be296e4d6aa1a017f44a898d11ecc0b1b43e16e
  • 06f1a2cffda751ae87026e4d5f54c2767a474b3aca7c9ddd2b1f7247a3ff75f6
  • 0b01f3a59fcaa6520b12f9e3bdda2615e25b41e1d5c9e23e36a5f61c75e960ba
  • 19c78081714b6154ce25bb431959dc537618338038ae30c866afb3d6d0094996
  • 1f3a83a9744812c5b094691b4a87c4475fd8cbb85e69bf298edf917589261d4a
  • 296af0b5e6f6e033108a2a7109f40e1152f1c4ead15db644dc5d0d0973de21f4
  • 2a5c411fd65bb32f8f72b06ad17d8cb20258fc92dd1a7051e44550c314cc77f5
  • 3b94d3a36980ad21baaf5c62d669160988880e9aac3c2db29c3f23609a4eaa53
  • 3cbcc6671e6a7092a8a3f52d3cf93ff3d7c420fe6b0a34ec8bd0071a7d685217
  • 3eab679b54cca6b0352b05c821b65dbc34e16f323d60986d728ea955897a55ee
  • 44c5491ef99c542e06b1e166e5313dfb0007dd248bd08c6edaf72ce32f45232b
  • 4b21ddc1d7e40802368f07299c0634f96323285c829aacea603aefc8f8f97e28
  • 4f586d783cbd24a2cddee826f172ffeffbb953913721b87090f73cdc20e5da1b
  • 5423ba59c1ae44dcd47385f0820c020657f56e2511453937adeb1eb73dcb5b2c
  • 54d941b8f77a638074bc1a7f59f8f1650ca7e4e3077b7af6c79ebb9448656d15
  • 552d1a03140e12a901753649a8eb234a337ee08dd57c1892f3a641bd7c1e332c
  • 613d13d8759215714c4af6dc6f7af9e8984816d10265fc4203e3b87dddc784d7
  • 7c54f727e0a21feecd3f1f4757050ff27722b0097db4781b25a157376c7e3693
  • 83779e88704948dc02873d609db5d3efb4a47f968b5ce9d0e5edf02a7b7e56e7
  • 91441e8775ea05faace24c054d0d913459d9e2d61d9cb2edec9692d2dc099e78
  • a5d9ccde01ee0baee4d86ae8bedce0bee0e6637f818e9707582481fa3459b87c
  • a606074562594ed99706376dec2e0991de42f98dd5c2718253e796b75b7d748c
  • b15ffdd820f05d45e29a1a58a15a0ac04e2c694e0507146de04f2038e52e5187
  • cafc5428cde0b46cc3472becf2a7360c309b6e7fd6b87243238eff0684215b84
  • cb5be428b5adeb1cfd372ea525bc8ee0e6244f05e4a25779e9ba5d1da57b2f12
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Win.Packed.Scar-6952917-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\localNETService 27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: Type 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: Start 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: ErrorControl 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: ImagePath 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: DisplayName 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: WOW64 		27
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LOCALNETSERVICE
Value Name: ObjectName 		27
<HKLM>\Software\Wow6432Node\localNETService 17
<HKLM>\SOFTWARE\localNETService 15
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_8350 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_31696 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_12733 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_33107 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_24485 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_29347 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_48270 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_58951 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_3373 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_25588 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_8958 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_16087 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_3445 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_2899 		1
<HKLM>\SOFTWARE\WOW6432NODE\LOCALNETSERVICE
Value Name: Value_24818 		1
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
%ProgramData%\localNETService 27
%TEMP%\jzq100219.dat 27
%ProgramData%\localNETService\localNETService.exe 27

File Hashes

  • 042b5f70f7211b31877525378d4e96bfe446f8f0e180962446a65c5e8a17eb08
  • 08729005569c47f4d36611ac6f04e476e365e17578e6275c71b09b1007162907
  • 0da7373b6529e881f8de9d33bbe4717b934d3f9eb1159166537ae93f58b02a29
  • 0e7cccc382e99f10ef64bee8ec7be4c61e5dd2a2b41402e1c824912158e9d097
  • 0ec741d2518772fc28534da4da8fbc7581d1cbe14864022412b971ae9fb8febb
  • 25782acb55d3cd762558994ac725e31083cb8f10eb483877b3b9c3a178cba927
  • 299325258ce603f5cbc78002e165f7b988596b2a626d5e5632c8f7c0b97d9fd0
  • 2a13a36bc24d110399adde37adcbe1128d66ddf33bdccd3c90e37a5353eb1dcd
  • 316803348e02989f019715f85e1f479506a3e74a67744f6dbe589380d8b9ab3d
  • 514c836caccb6cf621230443278632465b7b10c4170b8a20109f0fb067444a65
  • 572b94765953cd7d0d8a9bc4128b3805327104207af71bccc32f8f0cd580b4ff
  • 5c7283a449024ccf30840ebedd11134742695875568e9619cda06b39bec6ec67
  • 65d6f8a3358165bdbff21a025d43f182efbe9ea87feead320d5e10eea961fbd2
  • 65dcb37789486112ef98cd5ce423b36beaa1b7fd1f854348b62d3f76b0f20540
  • 694f63471c9fa8220b0312b71a1a268eaf6fc3a9e1c2c2be17c79a000ef0f1ca
  • 789b97d71b0ad420bdba65d5da91a82cd3e6a4c5a5f6ed3f2f440e5e3bfed327
  • 845f60e36148fd53502baea5c223f8103c1e214fe8fbfaba15c1b57b3ce100c7
  • 8884ba2c677a3f6280211683ff0c28fd6522044d59f86662fd630ad8311d7353
  • 8c0a5bdae921786a11fbfe67389a04caffc271fcb67633776cff4fe16d1a47a7
  • 8d2d5b172a07beee3b67ac16076b89a140f98d189d8ae0873dd110bdc6b28692
  • 8d34f3d96b6f7eb3f99b865cb449735fe2ec411d44498a5a61e148ffe166a714
  • 8e684a3f609ac8e4e47ceabcda4abd75d80f699b313de65fba2e5adedee1f874
  • 9161e4bf4085fe4f6256178832565a787e6853b0003dbcbdce3e3777b614cf71
  • 990851a27f622a2a4f8d3d818b9383a4551fd29c00ee327dc509fb088bbdc03b
  • 9f522963850cbc45dac570eea66a46822c21ea3aed095eb8aa8ec8381eb15bf5
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Win.Dropper.Lydra-6952708-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe 		42
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 42
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 42
<HKLM>\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A} 42
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 42
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices 42
<HKCU>\SOFTWARE\WinRAR\General 42
<HKCU>\SOFTWARE\WinRAR 42
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}
Value Name: ThisEXE 		42
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lsassv 		42
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: msrpc 		42
<HKCU>\SOFTWARE\WINRAR\GENERAL
Value Name: Sound 		42
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: c:\windows\servicew.exe 		42
<HKLM>\SOFTWARE\Classes\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A} 41
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache 41
<HKLM>\SYSTEM\CurrentControlSet\Services\winsys 38
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winsys 		38
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: winsys 		38
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
Value Name: winsys 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: DependOnGroup 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: DependOnService 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: Description 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: DisplayName 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: Group 		38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSYS
Value Name: ObjectName 		38
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
\Documents and Settings\All Users\Start Menu\Programs\Startup\AdobeGammaLoader.scr 42
%SystemRoot%\mui 42
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\AdobeGammaLoader.scr 42
%SystemRoot%\calc.exe 42
%SystemRoot%\lsassv.exe 42
%SystemRoot%\msrpc.exe 42
%SystemRoot%\mui\rctfd.sys 42
%SystemRoot%\ole32w.dll 42
%SystemRoot%\pool32.dll 42
%SystemRoot%\regedit2.exe 42
%SystemRoot%\servicew.exe 42
%SystemRoot%\setupiwz.dll 42
%SystemRoot%\unrar.dll 42
%SystemRoot%\winsys.exe 38
%SystemRoot%\ieks32.dll 38
%SystemRoot%\viaud.dll 38
%SystemRoot%\woron_scan_1.09_eng.exe 29
%SystemRoot%\smart_scan_eng.exe 13
%SystemRoot%\syswin.exe 4
%SystemRoot%\ikf32.dll 4
%SystemRoot%\iksec.dll 4

File Hashes

  • 0b0700bab86aadc28b8216e487747e1f248b64db255972efd82b8a0b0e9fbaf0
  • 134610cf4c7463abd435a7e9e5c3957e1b013d74b73248129f77eda2023bf341
  • 149aa87d3b637af6bc98b1b317c88c0faf1aac59d3ae0228f82375dc63668e27
  • 16877fdf6baa760ff501d6ffac2d827175debe7d1788bb1d9ebf96359d3ea8ed
  • 181fb91a7a3ea5d60862a240abe074d704385a41a4fd2a7c343171452ab207a3
  • 19ed54738b7eacd638cb8f6c7f41bebce61c596071ff8048c85c2c94ceb9b59d
  • 1be2192207e35f4d286154428882707f8fbc947073f87de650e3cae25aac6a53
  • 1bf0f79aa7076f8e0499646d892b1c883a12b76720ec1ee95583e4f0bd1e2548
  • 209c3027ee89df1f9c43caa49f33d2ae796a6e4f75f41fa3d29a6c618236aeb5
  • 23e8478e532060223d05a4172626d3ce7280d0a50a3c98e55a20f3b67527d598
  • 3448fc8f0ba01e5e3f1c2200e09cb8ae7cdd0fb683a078520a8980b7cd8dbfd1
  • 385aba59012ba5552914fa5fa5c000d4327631b33eae8173c4c0ed39fdaf86e8
  • 39b0887601c58b9fa9703611d4a41790db3f5c42eeac30320796005d7cd3149a
  • 3ec22bdc7999fdfee532c1f83f3026dd2935b4210325664024c3de0ce60cbd92
  • 3f927933cb408dc994ce17f3afab04a2b0d6c6f63f13622c92b3466e3502e20f
  • 462b020edeec013d02f371189b6e26b868c9058f870de778f3bef56a3dd033ca
  • 48c62b14b624255d0887c3c7dcd7d2863b82ece90129b1214abb9a829eeb39a3
  • 490204655d5f6a89ee33f2b70efd100edbcc564ea27083cd30ae5bddda319e7e
  • 4b2c8b21a1c0350c52740a0e21151dec03786f2a1c2280315dac70815fb6ca23
  • 503e790a64d6232628252bb99642e3dbe0da13d6ee748a60ce5ee9bf0b91758d
  • 5619dc4d1f452579077dc95c069e9b9a059fc93285f734925133906e1d2bca1b
  • 5b2455a6d058652270681d6d7040111e74f468fe771f41588ad8038fe3d59803
  • 5dfa493f6d6b13c44867ed1e60a90462629383a7330f9fb0ffd1f43c017362e9
  • 795f0d8204993cd7c79551555b8b8d37a2d0cbe18ff1d01fc5cb3131c95ee958
  • 8267bc6bb334a0f103bc55df5d8a231dc485b76588eb664639cbb16972fef4d6
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Malware

Win.Trojan.Zeroaccess-6952579-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WERFAULT.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UI0DETECT.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CTFMON.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIJACKTHIS.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMGUI.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSERVICE.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIESVC.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEWUAU.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEBITS.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIECRYPTO.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEDCOMLAUNCH.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIERPCSS.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIECTRL.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SWREG.EXE
Value Name: Debugger 		28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HELPPANE.EXE
Value Name: Debugger 		28
<HKCU>\CONTROL PANEL\SOUND
Value Name: Beep 		28
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: NoFile 		28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SR
Value Name: Start 		28
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: NoFolderOptions 		28
MutexesOccurrences
!PrivacIE!SharedMem!Mutex 28
Local\VERMGMTBlockListFileMutex 28
Local\!BrowserEmulation!SharedMemory!Mutex 28
Local\URLBLOCK_DOWNLOAD_MUTEX 28
Local\URLBLOCK_HASHFILESWITCH_MUTEX 28
UpdatingNewTabPageData 28
{5312EE61-79E3-4A24-BFE1-132B85B23C3A} 28
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} 28
!IEFileUpdater!Mutex 28
Local\InternetExplorerDOMStoreQuota 28
©Úü×À»¢Íéõèò© 28
Local\https://www.hugedomains.com/ 28
Local\https://tiny.cc/ 27
Local\http://mediadiscovery.net/ 20
Local\http://widgets.outbrain.com/ 13
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1252 3
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1176 3
IsoScope_13c_ConnHashTable<316>_HashTable_Mutex 2
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_316 2
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1604 2
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1876 2
IsoScope_1f0_ConnHashTable<496>_HashTable_Mutex 2
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_496 2
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1932 1
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1964 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
204[.]79[.]197[.]200 28
172[.]217[.]10[.]4 28
172[.]217[.]12[.]206 28
72[.]21[.]81[.]200 28
216[.]87[.]78[.]25 28
172[.]217[.]3[.]106 27
172[.]217[.]7[.]3 27
23[.]20[.]239[.]12 27
192[.]35[.]177[.]64 27
192[.]241[.]240[.]89 27
72[.]52[.]179[.]175 27
107[.]22[.]223[.]163 27
23[.]10[.]130[.]155 26
172[.]217[.]6[.]194 25
104[.]25[.]37[.]108 25
199[.]59[.]242[.]151 25
172[.]217[.]164[.]132 25
107[.]178[.]240[.]89 25
172[.]217[.]15[.]74 25
96[.]6[.]58[.]4 25
67[.]225[.]218[.]50 25
104[.]25[.]38[.]108 22
173[.]192[.]200[.]70 22
199[.]59[.]242[.]168 21
104[.]28[.]29[.]32 21
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
cdnjs[.]cloudflare[.]com 28
www[.]easycaptchas[.]com 28
secure[.]statcounter[.]com 28
cdn[.]pubguru[.]com 28
fonts[.]gstatic[.]com 27
ib[.]adnxs[.]com 27
www[.]googletagservices[.]com 27
bit[.]ly 27
HDRedirect-LB5-1afb6e2973825a56[.]elb[.]us-east-1[.]amazonaws[.]com 27
static[.]hugedomains[.]com 27
www[.]hugedomains[.]com 27
apps[.]digsigtrust[.]com 27
apps[.]identrust[.]com 27
tiny[.]cc 27
fastlane[.]rubiconproject[.]com 27
m2d[.]m2[.]ai 27
cdn[.]convertcart[.]com 27
tinyurl[.]com 27
directorio-w[.]com 27
www[.]qseach[.]com 27
www[.]directorio-w[.]com 27
bidder[.]komoona[.]com 27
c[.]statcounter[.]com 26
web[.]hb[.]ad[.]cpe[.]dotomi[.]com 26
securepubads[.]g[.]doubleclick[.]net 25
See JSON for more IOCs
Files and or directories createdOccurrences
%LOCALAPPDATA%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico 28
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico 28
%APPDATA%\Microsoft\Windows\Cookies\A71QDCIP.txt 28
%APPDATA%\Microsoft\Windows\Cookies\VF90XW39.txt 28
%System32%\drivers\etc\hosts 28
%APPDATA%\Microsoft\Windows\Cookies\HW3YF7T7.txt 28
%ProgramFiles(x86)%\Mozilla Firefox\searchplugins\google.xml 28
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\urlblockindex[1].bin 28
%HOMEPATH%\27F6471627473796E696D64614\winlogon.exe 28
%APPDATA%\Microsoft\Windows\Cookies\SISHQLM4.txt 28
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\domain_profile[1].htm 28
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe 28
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe 28
%ProgramData%\Microsoft\Windows\Start Menu\Programs\winlogon.exe 28
%ProgramData%\Microsoft\Windows\Start Menu\winlogon.exe 28
%APPDATA%\Microsoft\Windows\Start Menu\Programs\winlogon.exe 28
%APPDATA%\Microsoft\Windows\Start Menu\winlogon.exe 28
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\domain_profile[1].cfm 27
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\t[1].gif 27
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\t[1].gif 27
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\domain_profile[1].htm 26
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\domain_profile[1].cfm 26
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\domain_profile[1].htm 26
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\px[1].gif 26
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\t[1].gif 26
See JSON for more IOCs

File Hashes

  • 2e9167886bb73eb0f56b7a64245a5bf4a87b9321cf9c32f2c93c646c32223eef
  • 2f6cdf0428403cbefc3d9b4ac5b906b56f202c952eafa49b1a6d4b4394e7ba9d
  • 4448b12c3707f70823189f20d310846d2b9de24ca3b76f33e345358d14dfd7c0
  • 472fd77b2a880f424513a2b2ec18a1dd6ac8f15f4756787d10818d35c344e8ab
  • 558cebedb7814ef92e02b020a444ed6a0dcb23dec761ccd3270548911f646c2b
  • 686aa9a0dc49bdd733c78b6ff0f180b2887696365a6304069db8a485913c21de
  • 68c892240aee5b55b6b8fb19593b9378fd7f23d42318566d73c4fbc42a77776d
  • 80d68a9698e2f598f7c703d78eaa8a500d5f716cb93009d5cc1bacef47f88e2a
  • 84aaafc52bd192f0bd17ea8e5dd34318c28a6ac87a84fa3efd629e3f9f3bf0b2
  • 9994bd60526b01b3631a7b4ec012f50251966a0cb841b7ec583d12a374df24e8
  • 9abc698de28993cd3f687686e12bca1b185dfb8687c4751b47ce7a265167725a
  • 9b45576ccb59e5b083892fe7d6154cd8c3a0795088db2053f770b589f2769108
  • a66292bc2d1c99dfb5e8c870444e603798c923ecba4ac633f88d4430b19731a7
  • aadb0c76ee084384a9acbd3981a5c22e39431a45c82438a8f8b245043b1dc05b
  • aec1d3b9323fde4b0d192c7e4b4448d517b180f4776a0cbd266b3c0d843c1214
  • b021e5e867ed34c56aae7007ccdb0965c59d49b621a6aa3f3c4052f69e082b79
  • b05f01500646b2d52b30d146a39d07047311e200a4215afef7c6ff45f1e8279b
  • b156f81c67063ebde12bd89572d4f8fce933e725c2d6b2deab80f767bb5e6faf
  • b322ada9d35b5e884d7c2c63ede85a1e11d1b2ab7d136e0c05b14cdafe8c5423
  • b871a929a4c5bbeed88387296c7270ec20c76f40361ba87e0aa84a63a16c748b
  • bbc346b483d913d44549fcff8e6a240fa3e035bbbd468299d72a7a33b447cb6e
  • bf32e669b25059e41d0f296d183136c796030374a5fc848eb5dcd6b9020283c8
  • c72efd27ec54698b361fae7dceb14bd6dfe8883ffcc29c0d8e25fecd83249ffe
  • ca1dbce8a0e3ff901cb022b57267673ee9d1f6f42384189be4eb670c44796e45
  • d0a2e479604e92ece7d75295260f938091a62b807999a993d7c5377a4fbe3ca1
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Umbrella

Doc.Downloader.Powload-6952235-0

Indicators of Compromise

Registry KeysOccurrences
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 25
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 25
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 25
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 25
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 25
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 25
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 25
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 25
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} 25
<HKCR>\INTERFACE\{5CEF5613-713D-11CE-80C9-00AA00611080} 25
<HKCR>\INTERFACE\{92E11A03-7358-11CE-80CB-00AA00611080} 25
<HKCR>\INTERFACE\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} 25
<HKCR>\INTERFACE\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} 25
<HKLM>\SOFTWARE\Classes\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Type 		25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Start 		25
MutexesOccurrences
Global\I98B68E3C 25
Global\M98B68E3C 25
Global\Nx534F51BC 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
152[.]168[.]82[.]167 25
197[.]91[.]152[.]93 25
47[.]99[.]85[.]122 25
66[.]228[.]45[.]129 15
77[.]82[.]85[.]35 15
239[.]255[.]255[.]250 1
216[.]98[.]148[.]157 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
dudumb[.]com 25
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 25
%HOMEPATH%\778.exe 25
\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 1
%System32%\en-US\tzres.dll.mui 1
%System32%\WindowsPowerShell\v1.0\FileSystem.format.ps1xml 1
%SystemRoot%\SysWOW64\bVjUjfFnlezvN1Uus.exe 1
%SystemRoot%\SysWOW64\Iv7bzYqWHO4xGd.exe 1
%SystemRoot%\SysWOW64\Kyo1lmFLAsBgZNy.exe 1
%SystemRoot%\SysWOW64\AsiXrqyEtbD.exe 1
%TEMP%\CVRB4E.tmp 1
%SystemRoot%\SysWOW64\4lfjNl8nHPqt1Js4Bp.exe 1
%SystemRoot%\SysWOW64\fVyEM3EWs7XQ.exe 1
%SystemRoot%\SysWOW64\rwzinD3GMw1HRORxO.exe 1
%SystemRoot%\SysWOW64\myqCWvEqggyRaDCYm.exe 1
%SystemRoot%\SysWOW64\QrGtyKE.exe 1
%SystemRoot%\SysWOW64\EWRwGw7IYRd.exe 1
%SystemRoot%\SysWOW64\BDlBrj99pY7wbdknU.exe 1
%SystemRoot%\SysWOW64\ti93nsoZWFJbLoZ.exe 1
%SystemRoot%\SysWOW64\10czIsyY6Qn52PBJ8.exe 1
%SystemRoot%\SysWOW64\gCOkjmOgE39uf7.exe 1
%SystemRoot%\SysWOW64\a9xRIWvuM1dZbNKU.exe 1
%SystemRoot%\SysWOW64\hsCc2.exe 1
%SystemRoot%\splwow64.exe 1
%SystemRoot%\SysWOW64\EFTI4zp.exe 1
%SystemRoot%\SysWOW64\swlZVw2znOToKUOSMk.exe 1
See JSON for more IOCs

File Hashes

  • 01664c310c364946846933f45a9db25326db7133275446e38e7eccd56f2b80b4
  • 14c53e5330f82bf1449cda84130abcf0b3ffe2ce29d16a6d7a8b3c17601bffea
  • 185d2c002d778f0fec20cd7a6cb749d19577b95839be3cb7af13916e6870a7ef
  • 1ecfe0e89a380160df4b62d4b56321bfad3624ea07334f4271b9b3a0de323fdf
  • 1f2acd076d0c1aaf5832d9c30ca76cd469562fd79625b308714e87e029379052
  • 2cdc8b8fa281a4b2ab63a8f8098a71dc05d50dc06858cb0ae701487608bda79f
  • 37317c48991a92e9deb17122cc64e572e9dac5402cf89aa47db8866ba9ea93e0
  • 37f9cc3f495f80e03c1454869205d757959c9f46171ae6cb7ded62bb6a4bc37f
  • 3fa5e87f6b8331816fb77091303df6c30a124c8359cdee61127a05353c561961
  • 42c76634b3baf9017b152bfd49863669f3aaa5423f084bc4fde730587e07d8fe
  • 4832624b2bbc3d9a98ecea0d2e9ae0db57f90d6cc314a7fddc86521edd7bd979
  • 500e41605b772679750255bfae4e6c369051ff64ca3aceae7e1d32c859529f1d
  • 748968b90d8f84cec298ea1edb0cf037a4eb580b8c0dbcb10f3252f520a3b5a6
  • 7cbd6f18182bf68d5506a164a42bff14759a2be77b5adc5f35e77a7ba68fbe12
  • 7d5f2a044fc3fff1aa2053a86da81068c53c12ed8b9ad4b2adf7693a73e134b4
  • 8284710f69f25d748299231f7764e53fc963049bd46fd0aed36146868d8e3df3
  • 8f8e289691e3f7a6ad872a72c601d634e825972c9562d8f849bc571026327f62
  • 97ec98bb0661fb192eac75f8e184d56dd2ce8395cf1b7420ed2975f372cca267
  • a05e3987b94e0dde5d20f902133a5571ee60ecf7e077e4497be5183bbb472d9e
  • a29afb3beb3244232df4083ba09eac61a60c2f1a23108f60d1205d43a7be59ec
  • a791c7c95cb9310ab719abebc47c63424ffaab3ea180ff71ea369f33c1c1061c
  • b0c3ffe7cf0c331ad9a44790ad48c6b57ed7b38d3612aba23e8a02685735531c
  • bf4f44397b89e0103a1422962049db2e6935ee3b89575131baf195aab69c41ed
  • c2c3d7e6e279d271edcc78b072b24e0ada5c0f4a83e997a33ed26953bc951f23
  • c5710bc33402f7e096d1518df37b1e43e7a5de4286863f3a5840543e2bae9e9d
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Malware

Win.Ransomware.Cerber-6952131-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: internat.exe 		14
<HKCU>\Software\AppDataLow\Software\Microsoft\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: api-PQEC 		14
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client 		14
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} 		14
MutexesOccurrences
{A7AAF118-DA27-71D5-1CCB-AE35102FC239} 14
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 14
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 14
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 14
{8303E239-0653-AD8E-2867-9A31DC8B6EF5} 4
{07C292C9-BA97-D1C3-FC2B-8E95F08FA299} 2
{FB179D42-1E2D-E531-005F-32E93403862D} 2
{6B06C8E1-CEE8-D5D9-30CF-E2D96473361D} 1
{97FA9976-0AD7-E1DA-CCBB-DEA5C01FF2A9} 1
{AFC31B69-429D-B93B-C453-96FD38372A81} 1
{E73AB138-1AFB-B10F-5C0B-EE75506F0279} 1
{C352A3DA-46D9-EDDF-68A7-DA711CCBAE35} 1
{3FA15864-923D-C93F-94E3-E60D08C77A91} 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
87[.]106[.]18[.]141 14
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
groupcreatedt[.]at 14
Files and or directories createdOccurrences
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js 14
%APPDATA%\Microsoft\Dmlogpui 14
%APPDATA%\Microsoft\Dmlogpui\datat3hc.exe 14
%TEMP%\5932\2C99.bat 1
%TEMP%\65B0\B2D8.bat 1
%TEMP%\C924 1
%TEMP%\C924\E492.tmp 1
%TEMP%\C924\E492.bat 1
\TEMP\670E9F~1.EXE 1
%TEMP%\C1A4 1
%TEMP%\C1A4\60D2.tmp 1
%TEMP%\C1A4\60D2.bat 1
\TEMP\708D16~1.EXE 1
%TEMP%\F6A8 1
%TEMP%\F6A8\30.bat 1
\TEMP\AE71FB~1.EXE 1
%TEMP%\752A 1
%TEMP%\752A\BA95.tmp 1
%TEMP%\752A\BA95.bat 1
\TEMP\7634AC~1.EXE 1
%TEMP%\5FB8 1
%TEMP%\5FB8\AFDC.tmp 1
%TEMP%\5FB8\AFDC.bat 1
\TEMP\B89CC6~1.EXE 1
%TEMP%\1724 1
See JSON for more IOCs

File Hashes

  • 55c79a0a7d5bc93ae1e0edcbd6c838fa361e67d404f8f38089939a01d5cc27c5
  • 670e9fc88468a253b00e9ca9783baccebcc6effa0c5902026b649da6b72f3249
  • 708d163c05a5986c1691f48bbff37ccfda13cda6704d6a1a9ac0e295dc6739ae
  • 7634ace88199348cc6bff675c216b9d26c13803d59bc112eae19188cd535a565
  • 77517b420d96ac130c586d567b3ce4f12ef34918e268339758cd663a54296806
  • ae71fb978b5abbff24740db3a7e083392f3301e46ad2b904064e9f48825bc52e
  • b36d27dd1a266aa0e29131e78835a4b00ff337bc4ccd72af1cc16af93d252cc7
  • b89cc647d71b28c7bd382299e7b574ad6dfd7ecbcf6dae011513874c5a5ddab6
  • ba0bbae843fd8675f57e7cf62b1f48781de38c25adb33e64083cd1af1b2b2f69
  • c7f6fb53efdb5080fdb1fa29c84c66eb7e63369a1525dc84586eaee5ec942589
  • c8e133e78982e35707b339263fdbb89e41c8b02e9eb80a89255c982fe07374ba
  • cd16db51872581108c2e9beb6a2ba93153c67f85db299f10b4fe11f6e7a8a19d
  • d9891ebd33d5b507598c11c6855c5dae0c10e4c8a41069020ca9c786960b30d4
  • ee85ff6ee5b001904f3ba1be01d3e7f67e7fdcf222a39f5a1e451be999b8e18c

Coverage


Screenshots of Detection AMP

ThreatGrid

Umbrella

Win.Packed.Tofsee-6952124-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 17
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 17
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 17
<HKU>\.DEFAULT\Control Panel\Buses 17
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache 17
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 17
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0 		17
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1 		17
<HKU>\Control Panel\Buses 17
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel 16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3 		16
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2 		16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\yrflksyn 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: Type 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: Start 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: ErrorControl 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: DisplayName 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: WOW64 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: ObjectName 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: Description 		6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YRFLKSYN
Value Name: ImagePath 		6
<HKLM>\SYSTEM\ControlSet001\Services\ylrseput 3
MutexesOccurrences
Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7 17
liqbftsowkinegql 17
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
69[.]55[.]5[.]250 17
144[.]76[.]199[.]43 17
98[.]136[.]96[.]73 17
98[.]136[.]101[.]116 17
176[.]111[.]49[.]43 17
46[.]4[.]52[.]109 17
144[.]76[.]199[.]2 17
85[.]25[.]119[.]25 17
117[.]53[.]114[.]15 17
67[.]195[.]228[.]87 17
66[.]218[.]85[.]151 17
64[.]98[.]36[.]4 17
43[.]231[.]4[.]7 17
98[.]137[.]157[.]43 17
52[.]73[.]137[.]222 17
167[.]206[.]4[.]79 17
34[.]212[.]80[.]54 17
18[.]209[.]118[.]139 17
172[.]217[.]164[.]132 17
94[.]23[.]27[.]38 17
65[.]20[.]0[.]49 16
35[.]162[.]106[.]154 16
167[.]206[.]4[.]77 16
74[.]208[.]5[.]4 16
208[.]89[.]132[.]27 16
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
smtp[.]secureserver[.]net 17
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 17
mx[.]lycos[.]com[.]cust[.]b[.]hostedemail[.]com 17
hotmail-com[.]olc[.]protection[.]outlook[.]com 17
cxr[.]mx[.]a[.]cloudfilter[.]net 17
aol[.]com 17
mx[.]optimum[.]net 17
comcast[.]net 17
mail[.]com 17
ntlworld[.]com 17
naver[.]com 17
earthlink[.]net 17
cox[.]net 17
optonline[.]net 17
netzero[.]com 17
gmx[.]net 17
lycos[.]com 17
netscape[.]net 17
doctor[.]com 17
mx[.]bt[.]lon5[.]cpcloud[.]co[.]uk 16
btinternet[.]com 16
mx0[.]charter[.]net 16
tiscalinet[.]it 16
mx0[.]gmx[.]com 16
peoplepc[.]com 16
See JSON for more IOCs
Files and or directories createdOccurrences
\net\NtControlPipe10 17
%HOMEPATH% 17
%SystemRoot%\SysWOW64\config\systemprofile:.repos 17
%SystemRoot%\SysWOW64\config\systemprofile 17
%SystemRoot%\SysWOW64\yrflksyn 6
%SystemRoot%\SysWOW64\IPHLPAPI.DLL 3
%TEMP%\wdqqtewr.exe 1
%TEMP%\nmyuzjtg.exe 1
%TEMP%\vmfipcon.exe 1
%TEMP%\awqwcewn.exe 1
%TEMP%\vrlrxzri.exe 1
%TEMP%\euatucsb.exe 1
%TEMP%\mmlrcqxa.exe 1
%TEMP%\mkrnmvtk.exe 1
%TEMP%\cahdclja.exe 1
%TEMP%\nuhhkvni.exe 1
%TEMP%\vlrkltjs.exe 1
%System32%\huabnydc\younowmv.exe (copy) 1
%TEMP%\mreehgwb.exe 1
%TEMP%\wwvbmahk.exe 1
%TEMP%\lkwsxhre.exe 1
%TEMP%\tfgavrsp.exe 1
%TEMP%\sefzuqro.exe 1
%TEMP%\amnhcyzw.exe 1
%System32%\sflmyjon\amnhcyzw.exe (copy) 1
See JSON for more IOCs

File Hashes

  • 0cc2e91e71b1e5fef8599413fbc7c8b3fa3a4cdaa92452304bdbb38cdb6d1161
  • 15bf8fc46b91cb25730330dfbefcae2cb478e7ecbc18ac15d13b7b8eec01b697
  • 1d045908a196354bf1c0f0da5c4eeff5e7aaa36a1b5ee7f21764a7133e6ec4c8
  • 32a5d89a77130e01c19a58a0d3ff639d02c05ef2442f4e6b55a2e2b0a886926c
  • 32bce81459bff859b7adff1113f6bda122a804a25e44c0d38951ee3ed39a1557
  • 33e921f8c006374a78ab957ac1ce13183d65b4c633d2c7538c585d902f90ff44
  • 3d97b118c14ce36766873e178c9ef124936767dec5312806213dd295ed0d5448
  • 5c7ef91e7e96515dd59d0a252eca92d0d93a1bd9fa914eaf8c71933fcf7c8077
  • 7509fa7e6294d05e0f25f96ea99fb9ea8b791a08128580ae86dda44fcb6c6d55
  • 77cd1c22bb9099c666721a639bb980c1a5cde86cbc6323bc221f9184f6d9c092
  • 77da1a87f241047d70d54b5a3e85e8bab4e349b32c58818766b9965c9fd40949
  • a69d1518f15d8d435010727797a40d687be8069de1edc522facb0669ffda324e
  • cfb237792af9dea590b59278d9ec73c301309d961cb78f15651c7757782c0671
  • d20e573316508252a71fe9b8c7f32fbbb9daf110a9e7aa13188f713509aedaaa
  • da359fbb459923a0e385cbd80d5d7c7505d8596a32f777e280b5784c4ba9a382
  • df134bd359722960fdcd67d79900ff8350616e73f25ab1204e7a7a0232cdafec
  • f267501b0cd9862743e760e2c0686968019a68bf1a69843cea19b14c51773440

Coverage


Screenshots of Detection AMP

ThreatGrid


Umbrella

Win.Malware.Emotet-6947486-0

Indicators of Compromise

Registry KeysOccurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyEnable 		40
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyServer 		40
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyOverride 		40
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoConfigURL 		40
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Type 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Start 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ErrorControl 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ImagePath 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: DisplayName 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: WOW64 		40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ObjectName 		40
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 39
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 39
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\guiddefribbon\DEBUG 39
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\9c-aa-fb-e9-56-c8 2
MutexesOccurrences
Global\I98B68E3C 40
Global\M98B68E3C 40
\BaseNamedObjects\Global\M3C28B0E4 39
\BaseNamedObjects\Global\I3C28B0E4 39
Global\Nx534F51BC 2
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
152[.]168[.]82[.]167 16
189[.]166[.]20[.]113 16
103[.]11[.]83[.]52 16
197[.]91[.]152[.]93 15
77[.]82[.]85[.]35 11
66[.]228[.]45[.]129 10
216[.]98[.]148[.]156 10
177[.]231[.]157[.]189 6
65[.]49[.]60[.]163 4
201[.]248[.]5[.]197 4
82[.]0[.]19[.]40 4
165[.]255[.]52[.]192 4
31[.]172[.]86[.]183 3
45[.]33[.]35[.]103 3
181[.]37[.]126[.]2 3
239[.]255[.]255[.]250 2
209[.]85[.]144[.]109 2
74[.]6[.]141[.]43 2
81[.]169[.]145[.]103 2
104[.]236[.]185[.]25 2
181[.]30[.]126[.]66 2
179[.]62[.]249[.]189 2
204[.]232[.]250[.]252 1
81[.]19[.]78[.]83 1
216[.]128[.]11[.]5 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
smtpout[.]secureserver[.]net 2
imap[.]strato[.]de 2
SMTP[.]AMAZON[.]COM 1
mail[.]strato[.]de 1
mail[.]gmx[.]a 1
MAIL[.]CLOVER[.]COM 1
mail[.]hotmail[.]de 1
mail[.]fsfsc[.]org 1
mail[.]pearl[.]ch 1
mail[.]hub[.]afsinc[.]org 1
smtp[.]gatehousesupplies[.]com 1
smtp[.]bonuscard[.]ch 1
smtp[.]cranespotters[.]com 1
mail[.]securemail[.]us[.]cibc[.]com 1
smtp[.]employmentsolutionsinc[.]org 1
mail[.]tecnoparaguay[.]com[.]py 1
www[.]chetgreen[.]com 1
smtp[.]account[.]zopim[.]com 1
smtp[.]prodxbm[.]co 1
smtp[.]creditkarma[.]com 1
smtp[.]my[.]yotpo[.]com 1
SMTP[.]PERX[.]COM 1
smtp[.]bobjohnson[.]com 1
smtp[.]facturacioncapufe[.]com[.]mx 1
smtp[.]app[.]intercom[.]io 1
See JSON for more IOCs
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 40
%System32%\guiddefribbon.exe (copy) 3
%SystemRoot%\SysWOW64\UtHbYIvdhlNvu.exe 1
%SystemRoot%\SysWOW64\R597iayBjMdh.exe 1
%SystemRoot%\SysWOW64\C7eHkb20PeU6wpDtjp.exe 1
%SystemRoot%\SysWOW64\1MEitC9prK.exe 1
%SystemRoot%\SysWOW64\kmnu.exe 1
%SystemRoot%\SysWOW64\4I7gXzdy4.exe 1
%SystemRoot%\SysWOW64\5x2P.exe 1
%System32%\HwVezokkuv.exe 1
%SystemRoot%\SysWOW64\ISUH5rlS.exe 1
%SystemRoot%\SysWOW64\xFkV4xOuG.exe 1
%SystemRoot%\SysWOW64\7tooAA2H.exe 1
%SystemRoot%\SysWOW64\dqhwpEfDiqdYk3.exe 1
%SystemRoot%\SysWOW64\98SvoQAlyGHCi.exe 1
%SystemRoot%\SysWOW64\Y9t7.exe 1
%SystemRoot%\SysWOW64\OEkk.exe 1
%SystemRoot%\SysWOW64\QEeaZTtWugEn.exe 1
%SystemRoot%\SysWOW64\faEA7KV70hn5.exe 1
%System32%\hLikoqY.exe 1
%SystemRoot%\SysWOW64\oURffFdtgFONll.exe 1
%SystemRoot%\SysWOW64\b1zR.exe 1
%SystemRoot%\SysWOW64\bEjEWEYxmjgCJVecQcp.exe 1
%SystemRoot%\SysWOW64\yVYv57xuqKB.exe 1
%SystemRoot%\SysWOW64\oglx98jdm6.exe 1
See JSON for more IOCs

File Hashes

  • 0106fad7a1ceb64a7d2ebed424ce86d979ac976cb352326c0fca9c7d0ac5330f
  • 0123e3c82d1b40e5b1ec1cb62a30317cb209371dc8fe546f10b96c6113e37229
  • 0911c843ef0b50a6b7359384d774350c43ea81970e47b6390782a3b59619df23
  • 0b5980e79cb0b4565db500cdb5b15970624aa8f3fce0bc14a13a097fc9c098ca
  • 0fe4721f05bcae958a1e294f92832144acd17791a850507bd98572347968eb6e
  • 14e5b08440e75c48bd1ff1486c8b36f32fb0cd4d21dbc138861a0b9af90aba7f
  • 1cd3db53176d88f4b7244429ef03ee120373c066335a8a5b81f94e2597188636
  • 1cda16c8d2e935d3ed762d5c7d18c945ebcfc183898ac5b87846dca084e043cf
  • 1ec9145cc88f7e619398955d6377ea4a6aa2f5fc8d53b87a467468d284352d61
  • 22d4075bf5828ede0c20dbea9023775ebbffb6e867272945a6a69697ea015c8c
  • 2430252f3c13ab866847db4905ff53380375d818085358a6f2d158f5ca6f9847
  • 25806bac5ca5b7b3dc6f1cdcbc4d72ade84828ae4173a858c3e9fe028d51b7e9
  • 270696e681aae3f24c7a3886f75952fd82c2bc94374c7fa1e72c5ae1583efcc0
  • 2d979f92140e9b7ad385cfe47c59e960ef5df19bff9388313908a14464bc0064
  • 3286340a92b48cf2a64c066f4cec1b078d9c23df987dd9aa07f249fffc5a9cbf
  • 377ca271dd3000fe310674488c93822601be7434325661f4158e8e64e83ab247
  • 3e77f7b1c2a160ebd1f6bda9235c9ae43f057cba38f6ef77f50df7dd1bd6d229
  • 448d67c96c008988d24046abb6a7e736db585c79b83c1e831023649133d83dad
  • 45ee3965183c5fecff0268fa7480aad3f4b0364b3e63fbc4259a1669f1cc48f8
  • 478968aeea42221e0c760a811af1560eeaa6489b77cdf69b4ae3763c59e60be0
  • 48900a85a1a4afcf216ea9912176bb20edab059d1bb27d02caa6fbbcc060d35e
  • 4937ac330845c1504e65a3655050ffa5a8cfc3602298ecef627ca8d4114631fe
  • 5ca10a11eb88b1c5e38e0359419fe8d39a321571e89268a578d2a0e272004caf
  • 61ffe36301e722b85088cfceb5d5a703e57eff907119ef305dc92da45c254aaf
  • 65eb33dbb0f1a4e78ffdcc5dbed725ac929c7c917923544af329226ddecf0f14
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Win.Malware.Mikey-6953803-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32 15
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASMANCS 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableFileTracing 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: EnableConsoleTracing 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileTracingMask 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: ConsoleTracingMask 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: MaxFileSize 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32
Value Name: FileDirectory 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableFileTracing 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: EnableConsoleTracing 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileTracingMask 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: ConsoleTracingMask 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: MaxFileSize 		15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS
Value Name: FileDirectory 		15
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel 2
MutexesOccurrences
DSKQUOTA_SIDCACHE_MUTEX 14
.NET CLR Data_Perf_Library_Lock_PID_378 6
.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_378 6
.NET CLR Networking_Perf_Library_Lock_PID_378 6
.NET Data Provider for Oracle_Perf_Library_Lock_PID_378 6
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_378 6
.NET Memory Cache 4.0_Perf_Library_Lock_PID_378 6
.NETFramework_Perf_Library_Lock_PID_378 6
ASP.NET_1.1.4322_Perf_Library_Lock_PID_378 6
ASP.NET_4.0.30319_Perf_Library_Lock_PID_378 6
ASP.NET_Perf_Library_Lock_PID_378 6
BITS_Perf_Library_Lock_PID_378 6
ESENT_Perf_Library_Lock_PID_378 6
Lsa_Perf_Library_Lock_PID_378 6
MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_378 6
MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_378 6
MSDTC_Perf_Library_Lock_PID_378 6
Outlook_Perf_Library_Lock_PID_378 6
PerfDisk_Perf_Library_Lock_PID_378 6
PerfNet_Perf_Library_Lock_PID_378 6
PerfOS_Perf_Library_Lock_PID_378 6
PerfProc_Perf_Library_Lock_PID_378 6
RemoteAccess_Perf_Library_Lock_PID_378 6
SMSvcHost 3.0.0.0_Perf_Library_Lock_PID_378 6
SMSvcHost 4.0.0.0_Perf_Library_Lock_PID_378 6
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
64[.]188[.]12[.]182 3
185[.]212[.]130[.]14 2
185[.]212[.]129[.]184 2
46[.]249[.]59[.]122 2
185[.]225[.]69[.]101 2
52[.]36[.]131[.]229 1
54[.]248[.]125[.]247 1
104[.]18[.]39[.]18 1
103[.]11[.]102[.]48 1
104[.]28[.]16[.]149 1
202[.]181[.]185[.]162 1
43[.]241[.]73[.]221 1
202[.]181[.]196[.]26 1
202[.]155[.]223[.]18 1
103[.]13[.]50[.]180 1
54[.]183[.]102[.]22 1
116[.]251[.]204[.]136 1
206[.]218[.]248[.]173 1
203[.]185[.]61[.]196 1
101[.]78[.]151[.]172 1
192[.]185[.]5[.]69 1
103[.]13[.]50[.]28 1
115[.]160[.]155[.]94 1
118[.]143[.]28[.]56 1
103[.]13[.]50[.]62 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
gangbulk[.]icu 2
striblingm[.]pw 2
SHOP[.]HPINH[.]HK 1
ajqqn[.]hk 1
SHOP[.]HPC[.]HK 1
SHOP[.]HYHEB[.]HK 1
ALODRINK[.]HK 1
SHOP[.]ICAN[.]HK 1
ALIVECOR[.]HK 1
SHOP[.]IAN[.]COM[.]HK 1
shop[.]imylv[.]hk 1
shop[.]ina[.]hk 1
SHOP[.]HY[.]COM[.]HK 1
SHOP[.]ICXLB[.]HK 1
SHOP[.]HOTFROG[.]HK 1
SHOP[.]HYY[.]COM[.]HK 1
shop[.]icfp[.]hk 1
SHOP[.]HYPOXI[.]HK 1
shop[.]htv[.]hk 1
AIR[.]HK 1
SHOP[.]IHK[.]HK 1
shop[.]imore[.]hk 1
SHOP[.]HUGOMAX[.]HK 1
shop[.]hps[.]com[.]hk 1
shop[.]hoops[.]hk 1
See JSON for more IOCs
Files and or directories createdOccurrences
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite.bak 10
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\places.sqlite.bak 10
\??\scsi#disk&ven_red_hat&prod_virtio#4&2556063a&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} 1
%TEMP%\tmpA4A.tmp 1
%TEMP%\tmp2BCD.tmp 1
%TEMP%\4a5beb4e303c4a1a9bcd3624dfec7cbe.exe 1
%TEMP%\tmp4167.tmp 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe 1
%TEMP%\4a5beb4e303c4a1a9bcd3624dfec7cbe.exe.pid 1
%TEMP%\s.bat 1
%TEMP%\tmpCAF3.tmp 1
%TEMP%\tmpB734.tmp 1
%TEMP%\tmpB63A.tmp 1
%TEMP%\tmp77F3.tmp 1
%TEMP%\tmp742C.tmp 1
%TEMP%\tmp6695.tmp 1
%TEMP%\tmp717E.tmp 1

File Hashes

  • 0ee1dc48bdc775152554357cbb9190834a58a5ccbc01e27d20f2cf0064211206
  • 0ffa3428f95f2a5c79a169976d3c5d58fa885cc05265c41fa4dcf4e33be17a12
  • 1ee4c1201f038a48a854fd993455142b15acbf44b41a8820af4790f17c31fba5
  • 45945d97bf9f1cb63b1b7a74629bb90567933a981d2cc77f4dc46018c6f8c169
  • 471f646bc59743f27f1bb08ef688a699c3ff268eeab403cea8ec7467f303c2f3
  • 4725b43862585b4e78f06ef7209a32434dcfe809986a19cb9b89bcb673a6a555
  • 49065e33bbdf2b25f4cdd1a8994df53135a9b41b725bd94958682325fb8c237a
  • 58fb3bc46e231b9ad07f5f8210a2acf1d225c25e287eee73553ae280ac9e89d9
  • 6f79069e751211f3077e90bd4e20c7116f8c3c9c41fa1ce7eacbd7710fdecf0e
  • 96667406cc9e8bb5e9da9e418a4b4196900364cc100d965b5d2714c62eb5e402
  • 9ac94b8404ee4300330c56257c66f77662904a2dc7f732125f36365c4a788129
  • 9e87a651befb171f0145718bc52d4d8b1a40f420cbb8d66d3e8b60e4377fa8c7
  • be140dfc59df6e21eb3b799cfe6511b9b8c5d010be0079b5f64a2b1dc3ab4fcb
  • f1e262b02e2b357f56225184539e2a3c35623b15397a85f343a368c5999dbd5d
  • f7f5d6e71a69332960e2025790db65c9bd29037157930a599c28969645bec5c9

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Exprev Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

  • Madshi injection detected (3400)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (2256)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (1079)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (503)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (190)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Atom Bombing code injection technique detected (107)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Suspicious PowerShell execution detected (100)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Dealply adware detected (87)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Excessively long PowerShell command detected (85)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Trickbot malware detected (75)
    Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.