Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 03 and May 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Trojan.Tofsee-6965613-0
    Trojan
    Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
  • Win.Trojan.Zeroaccess-6965107-0
    Trojan
    ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
  • Win.Dropper.Emotet-6964837-0
    Dropper
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
  • Win.Trojan.Darkkomet-6964750-0
    Trojan
    DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
  • Win.Malware.Kryptik-6964485-1
    Malware
    Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
  • Win.Packed.Kovter-6964099-0
    Packed
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
  • Win.Malware.Python-6964012-0
    Malware
    Win.Malware.Python is a generic name given to malware written in Python and, typically, compiled into a Windows executable using tools like PyInstaller. There are a vast array of supporting libraries, proof-of-concept exploit tools, and example code that makes developing malware in Python easier than with lower-level languages. Examples of functionality commonly seen in this type of malware include the ability to spread laterally by exploiting EternalBlue PoC scripts and file encryption performed by ransomware.
  • Win.Ransomware.Cerber-6963958-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
  • Doc.Downloader.Powload-6959926-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
  • Win.Dropper.Qakbot-6962757-0
    Dropper
    Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

Threats

Win.Trojan.Tofsee-6965613-0

Indicators of Compromise

Registry KeysOccurrences
<HKU>\.DEFAULT\Control Panel\Buses 24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3 		24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\fymsrzfu 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Type 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Start 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ErrorControl 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: DisplayName 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: WOW64 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ObjectName 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Description 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: ObjectName 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: Description 		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy 		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\zsgmltzo 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Type 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Start 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ErrorControl 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: DisplayName 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ObjectName 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Description 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\jcqwvdjy 2
MutexesOccurrences
\BaseNamedObjects\ServiceEntryPointThread 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
239[.]255[.]255[.]250 24
69[.]55[.]5[.]250 24
46[.]4[.]52[.]109 24
96[.]114[.]157[.]80 24
176[.]111[.]49[.]43 24
85[.]25[.]119[.]25 24
144[.]76[.]199[.]2 24
144[.]76[.]199[.]43 24
212[.]227[.]15[.]9 24
43[.]231[.]4[.]7 24
74[.]208[.]5[.]20 24
192[.]0[.]47[.]59 24
207[.]69[.]189[.]229 24
94[.]23[.]27[.]38 24
64[.]136[.]44[.]37 23
172[.]217[.]10[.]228 23
47[.]43[.]18[.]9 23
64[.]98[.]36[.]4 22
212[.]54[.]56[.]11 22
65[.]20[.]0[.]49 20
208[.]89[.]132[.]27 19
117[.]53[.]114[.]15 15
74[.]208[.]5[.]4 15
125[.]209[.]238[.]100 15
213[.]33[.]98[.]149 14
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 24
mx00[.]emig[.]gmx[.]net 24
mx1[.]comcast[.]net 24
whois[.]iana[.]org 24
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net 24
verizon[.]net 24
comcast[.]net 24
whois[.]arin[.]net 24
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 24
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 24
hotmail-com[.]olc[.]protection[.]outlook[.]com 24
cxr[.]mx[.]a[.]cloudfilter[.]net 24
microsoft-com[.]mail[.]protection[.]outlook[.]com 24
cox[.]net 24
mx00[.]mail[.]com 24
earthlink[.]net 24
mx[.]optimum[.]net 24
optonline[.]net 24
mx1[.]mail[.]icloud[.]com 24
mx6[.]earthlink[.]net 24
victoria1999[.]hotrusgirls[.]cn 24
irina1993[.]hotlovers[.]cn 24
hot-beauty[.]cn 24
hotladies[.]cn 24
mx[.]dca[.]untd[.]com 23
See JSON for more IOCs
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile:.repos 24
%SystemRoot%\SysWOW64\config\systemprofile 24
%SystemRoot%\SysWOW64\IPHLPAPI.DLL 10
%SystemRoot%\SysWOW64\fymsrzfu 3
%SystemRoot%\SysWOW64\winnsi.dll 2
%SystemRoot%\SysWOW64\kdrxwekz 2
%SystemRoot%\SysWOW64\nguazhnc 2
%SystemRoot%\SysWOW64\tmagfnti 2
%SystemRoot%\SysWOW64\zsgmltzo 2
%SystemRoot%\SysWOW64\jcqwvdjy 2
%SystemRoot%\SysWOW64\xqekjrxm 2
%TEMP%\chuuxwmr.exe 2
%TEMP%\tpjpvxpg.exe 2
%System32%\mzfgsdih\tpjpvxpg.exe (copy) 2
%TEMP%\nnmsdryb.exe 1
%TEMP%\vqxutqmn.exe 1
%TEMP%\nmyuzjtg.exe 1
%TEMP%\dtzstbra.exe 1
%TEMP%\tvqhyszs.exe 1
%TEMP%\gidulfmf.exe 1
%TEMP%\qtbbzxbk.exe 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\04fa61ce-e4d7-48c8-9def-427199d4e004 1
%TEMP%\vyggecgp.exe 1
%TEMP%\hcjgfcyz.exe 1
%TEMP%\omtpoxvm.exe 1
See JSON for more IOCs

File Hashes

  • 0647fc954ed93c7ea544d83e63a40d502f5fffd8a13f30017a73b67e9a45f1b2
  • 06cd974d945d25823b35d71c42c63223e70e3117e457e93dee236b32767bd7ec
  • 0780495fcad283f3b4d0a8c67ab1f899901a411609e5d418c32d63ea341ab025
  • 10d8ca95e213491b05ec904bb8632212e22886d66c45525c104678dc80f670ae
  • 125c11dec65eb1649338f5ed9442a65f79a0bcfd386e7db297de44ac7674c0b6
  • 243c7f05dc3569c907f03ed8a84d215ff9aa72c83cf3a2204d60e82c66d9aaff
  • 2db74b28c8d6fb6cd5dc708a4f63b5f0552edfdef708c2f86ea3a40361e963fd
  • 3a9fc763818d743f0b87fffc92d2fd29f6e76f182142a43a6b65c9d12dd3efd4
  • 3f057b371908761ce99846fe561f0c86376ee18ad0124fd8e848d7f2862e8c05
  • 43726985501f447b624194119724d9bf9673a6ec4a9b4d4367d8157569f5dc7f
  • 456d4a6d6fbdc25b6c9cafde2af81b6023293e564ddd6473e42f8e420f1fcdd5
  • 4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859
  • 539975f3e33f6b41f3038ed1101633ce5635004bce96ca7764c19a79fb4f83ca
  • 5a0f61ab9e096aa16c514f37f60853a708b3eed62dfe8c14643dcc2652141d96
  • 61baf3c68654787eab765e7361c07270cac1b7041a07062dff7485aa860fc4b5
  • 63f7598a21986a406d2a1ac946184140a80558bc7598bebabfcff82214895d75
  • 658a040596a2b67e36bd8af81037fefd039eae1bcf63b99928f3b5125e414019
  • 751ac2eb414eba0c3f93245c865f2162e328c461c5c844271ffb299df5d1e4df
  • 79c2cfd759cc6d1727c7f7015e40333900bda4571e91d18899b98025c0480b94
  • 7f5b069015e694544a2a693ddc7815c82c9ac6ec0d523ae9ed06d77b78965be4
  • 82fbb918e0d47f7d9992cd3c5479ee1468d608d1e176f7570994e99ffc66e6b0
  • 858f2612c45ad1bb0b986f74274f61224b827912f4e1a80f9121cad40edabacf
  • 8ac67c280615873b5aec89d5bd5838d2a23552e7c47511a99b64799d28d659ff
  • 8ad48911e8594b3530022ae45fbe12e40438c71cca38d2a7e85a8d3efd220180
  • 93cb0db5f5aecff9574b756b557280b61d557724591817013c016a3a68096be5
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Umbrella


Win.Trojan.Zeroaccess-6965107-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start 		17
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\Epoch 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start 		17
<HKCU>\Software\Classes\clsid 17
<HKCR>\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} 17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel 		17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender 		17
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type 		17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl 		17
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
64[.]210[.]151[.]32 17
77[.]52[.]81[.]243 17
72[.]47[.]100[.]38 17
89[.]228[.]63[.]37 17
65[.]30[.]151[.]36 17
98[.]247[.]217[.]244 17
173[.]217[.]71[.]246 17
101[.]63[.]15[.]35 17
209[.]195[.]111[.]246 17
87[.]218[.]204[.]33 17
115[.]240[.]123[.]32 17
114[.]75[.]62[.]32 17
96[.]26[.]208[.]30 17
70[.]64[.]83[.]30 17
82[.]22[.]40[.]30 17
75[.]224[.]240[.]29 17
84[.]228[.]113[.]26 17
119[.]149[.]38[.]25 17
212[.]72[.]112[.]24 17
46[.]194[.]56[.]24 17
84[.]231[.]16[.]23 17
72[.]192[.]54[.]21 17
117[.]217[.]106[.]247 17
91[.]67[.]192[.]19 17
77[.]11[.]149[.]19 17
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
promos[.]fling[.]com 17
Files and or directories createdOccurrences
@ 17
L 17
U 17
\$Recycle.Bin\S-1-5-18 17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 17
n 17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 17
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 17
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@ 15
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n 15
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@ 15
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n 15

File Hashes

  • 07c405ee534570f541b59cdaa0f96ff7504589dd26b9e2c6f71e5b89b70fe77f
  • 105a3a1a379be2fc1efe05678726a2ff34183a3f6453af7fe11d3c93b00a06c1
  • 1f286fca031ace5bcd5d09af6aa0bbe2e01d709274ac02db69409b24d1605f63
  • 2334dabfb999ed340bb820f8db859248c8bda0345c044271effb482e08663397
  • 23b236a0c3a4f078b90afb13fb32d0c3f6bdd11b301cad889729699664f2e5e8
  • 2a7ec665835825ff43db2b82df1884ee5d481ef371ad4c3f8ce0e4e18bd9a2a4
  • 550ad9dda25a0f1130dd0da04ddef0621a1158db98a5c5ebf90113842c2164e8
  • 68ec8422d27625d1af4e31d6fccadd07f71cc055761b417d141a1865e58e6886
  • a68f8aa154a3c12d066e1876619eeee00034692251e4e1edd23c8c7028e9518d
  • a7f5fe66ec05e1672d7ce83e0745c028fb366c3341c8e1a907c99087dab346fc
  • b08915d6e08d92a3de5977effd344b6e22b2b0aafce2479a1aadd4842c159ab3
  • b7540ca2429a0ea057c84962b1ddb211dc20ac018b593dec8cb2501a74ab11a4
  • bdfb9125073845bdc6bebf19a27fa02d248dac1f7fe4c59fd0b677e8a0ec9f65
  • c2dc4f333f3ae35f5d40363a69639756e7b4533db364cb20f838543935510d1d
  • cdc9f0d84b8813ae03d846bf7596130a85151683e65bae067a7a1f44d066561f
  • fc84363a134bd0b2c3686c226773bc9a93e33189b2c606815e909b7d7fff79f7
  • feb2afe93c29bba4bf068e198b1e91ae95add4c104430969ae89f2f4202ba65a

Coverage


Screenshots of Detection AMP

ThreatGrid

Win.Dropper.Emotet-6964837-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications 		3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Registry Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\ASR Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk 		3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy 		3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 		3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 		3
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion 3
MutexesOccurrences
60F16AAB662B6A5DA3F649835F6E212598B68E3C 4
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 3
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D} 3
\BaseNamedObjects\{137A1A2C-4964-635A-544B-7A4CB2C11D0D} 3
\BaseNamedObjects\{137A2419-4964-635A-544B-7A4CB2C11D0D} 3
\BaseNamedObjects\{137A1A2D-4964-635A-544B-7A4CB2C11D0D} 3
Global\I98B68E3C 2
Global\M98B68E3C 2
\BaseNamedObjects\Global\M3C28B0E4 2
\BaseNamedObjects\Global\I3C28B0E4 2
MC8D2645C 2
\BaseNamedObjects\M19FB434 1
\BaseNamedObjects\111OurStarterProcessMutex111 1
\BaseNamedObjects\222OurMainProcessMutex222 1
98B6-8E3C 1
M1CC2778A 1
M10F36403 1
\BaseNamedObjects\A0E8BDA3AF02242419905B05DA0C46C13C28B0E4 1
\BaseNamedObjects\M10E3D08B 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB4C11D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CBC291D0D} 1
\BaseNamedObjects\MEE09898 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB7411D0D} 1
\BaseNamedObjects\3C28-B0E4 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
23[.]41[.]248[.]194 4
23[.]5[.]231[.]225 4
23[.]52[.]7[.]20 4
104[.]88[.]26[.]245 4
173[.]223[.]236[.]215 4
13[.]107[.]21[.]200 3
96[.]6[.]27[.]90 3
87[.]106[.]190[.]153 3
172[.]217[.]12[.]174 2
178[.]162[.]217[.]107 2
166[.]78[.]144[.]80 2
204[.]79[.]197[.]200 1
172[.]217[.]10[.]110 1
178[.]162[.]203[.]226 1
85[.]17[.]31[.]82 1
172[.]217[.]5[.]238 1
136[.]243[.]154[.]86 1
23[.]221[.]50[.]122 1
23[.]218[.]141[.]31 1
209[.]34[.]241[.]202 1
23[.]218[.]127[.]164 1
23[.]46[.]53[.]71 1
5[.]196[.]73[.]150 1
184[.]107[.]147[.]18 1
23[.]6[.]69[.]99 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
outlook[.]com 4
www[.]java[.]com 4
www[.]onenote[.]com 4
dev[.]windowsphone[.]com 4
www[.]msn[.]com 4
web[.]skype[.]com 4
java[.]com 4
BROMNTUUD[.]XYZ 4
trenkulotd[.]xyz 4
QBULINTULU[.]XYZ 4
TRETITNUNI[.]TOP 4
www[.]torproject[.]org 3
supp7[.]freshdesk[.]com 3
n224ezvhg4sgyamb[.]onion 3
ygqqaluei[.]com 2
atw82ye63ymdp[.]com 2
warylmiwgo[.]com 2
caosusubld[.]com 2
bekvfkxfh[.]com 2
ydchosmhwljjrq[.]com 2
xomeommdilsq[.]com 2
xxsmtenwak[.]com 2
wwyreaohjbdyrajxif[.]com 2
grbjgfprk[.]com 2
mdofetubarhorbvauf[.]com 2
See JSON for more IOCs
Files and or directories createdOccurrences
%HOMEPATH%\NTUSER.DAT 4
%HOMEPATH%\ntuser.dat.LOG1 4
%APPDATA%\Microsoft\gawbgrrs 4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe 4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 3
%HOMEPATH% 3
%PUBLIC%\{846ee340-7039-11de-9d20-806e6f6e6963} 3
%PUBLIC%\Pictures\Read_ME.html 3
%PUBLIC%\Pictures\Sample Pictures\Read_ME.html 3
%PUBLIC%\Read_ME.html 3
%PUBLIC%\Recorded TV\Read_ME.html 3
%PUBLIC%\Recorded TV\Sample Media\Read_ME.html 3
%PUBLIC%\Videos\Read_ME.html 3
%PUBLIC%\Videos\Sample Videos\Read_ME.html 3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\jumpListCache\Read_ME.html 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\safebrowsing\Read_ME.html 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\startupCache\Read_ME.html 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\thumbnails\Read_ME.html 2
%LOCALAPPDATA%\Read_ME.html 2
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\Read_ME.html 2
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Read_ME.html 2
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\Read_ME.html 2
%APPDATA%\Mozilla\Firefox\Read_ME.html 2
%HOMEPATH%\Contacts\Read_ME.html 2
See JSON for more IOCs

File Hashes

  • 1e04bcdb51abfed7d2093115cbcaec092b5e8840556f172f368c0a62057c7a37
  • 20c8e37dd60b38bbc9af1f55478e1d7618131bcc5bf383378a2bf00c6ffc1a08
  • 2d7102eb62f9f8c523b7500c5b47eb4cadeff07b2980552e5f8f59aede506eb1
  • 42697c161579c4e96b49f91935b12b3ec042ce5bfc5a583e8b44b416eb5fcf8f
  • 433ad951f81e55b63f14fafe5c606532dc08343bb803d149867c767953a94a66
  • 5550f5e1a7f27b537a1de8c945877755f8a89c28376c12ed2a635a6cc6f375b3
  • 7dbcdbf63ed234c18481358441ee78e0c156f3da60bee606c6c52eafa25fe499
  • 8196fe92cc4b2a674b7014b4505ba3339e8ad36a004d03d77b125e1f9aec76ad
  • 8b2699e4d5ac77bdd3674321b114c05e674f30979b0f032c53a4fcf5a3b11aa5
  • bd86fa60126d2c23abd5e75dbd4b6b952550a7ab1c17139ff009bca37729d7d7
  • cdc8557f6b22789a9d4e10149f9c60f94f217bcb1f695b239fe7a12a0dffaa67
  • d77d9f14025de5483c623673b3f5c4bbe8cdd01c55658c25b62970bf1be6a736
  • d9d2d222e053edc845ce56cdc0ff3516f8e962ee226434772609ee8ce6edfc91
  • e63d957b42d76bc73d03a937d1e2267e4f92c0d9ac0b678124785ea14ce9b991
  • e6c00d963b75e7e5e3f037d54dd3d7099f92dfae0cda82fb5d483e6e8ce8b33b
  • f00a7ca48e367919a09a255d040f3321e3a189ecf7533b0233b3299c9f61f207
  • f1e2beb854ed706d5837ebb789373b83ff0a658f717173227f02bcb4e40ad1b8
  • f88c591028ab0a8084ae15fdeee2afcc87be6980198d9c0ff863e9ac4c5a807f

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Win.Trojan.Darkkomet-6964750-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\DC3_FEXEC 9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit 		8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall 		5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\System 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications 		5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 		5
<HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\System 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 		4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 		4
<HKLM>\SOFTWARE\Microsoft\Security Center 4
<HKU>\Software\Microsoft\Windows\CurrentVersion\Run 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\Policies 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CurrentVersion 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\Explorern 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel 		3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft 		3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate 		2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicrosoftUpdateService 		2
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 1
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E 1
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Data Serivce 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winupdate 		1
MutexesOccurrences
DC_MUTEX-C6LXJS9 2
DCPERSFWBP 1
DC_MUTEX-5E3YFKY 1
52hfxfx52 1
DC_MUTEX-75QQLTV 1
DC_MUTEX-P1ZGY19 1
DC_MUTEX-MZMFQQS 1
DC_MUTEX-CNAFSEW 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
69[.]55[.]5[.]250 1
12[.]167[.]151[.]119 1
216[.]146[.]43[.]70 1
162[.]88[.]193[.]70 1
104[.]27[.]193[.]92 1
104[.]27[.]192[.]92 1
51[.]38[.]231[.]9 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
dezgorm[.]ddns[.]net 2
250[.]5[.]55[.]69[.]in-addr[.]arpa 1
checkip[.]dyndns[.]org 1
119[.]151[.]167[.]12[.]in-addr[.]arpa 1
www[.]whatismyip[.]com 1
checkip[.]dyndns[.]com 1
worgodd[.]no-ip[.]org 1
oliwierze[.]ddns[.]net 1
testezinho250[.]no-ip[.]org 1
weath[.]ddns[.]net 1
sr3u[.]und3rgr0nd[.]tk 1
Files and or directories createdOccurrences
%APPDATA%\dclogs 7
%HOMEPATH%\Documents\MSDCSC 3
%APPDATA%\MSDCSC 2
%APPDATA%\MSDCSC\msdcsc.exe 2
%HOMEPATH%\My Documents\MSDCSC\ Microsoft Update 2
%HOMEPATH%\Documents\MSDCSC\ Microsoft Update 2
%SystemRoot%\SysWOW64\MSDCSC 1
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe 1
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC 1
\Documents and Settings\All Users\Start Menu\MSDCSC\msdcsc.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe 1
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe 1
%System32%.exe 1
nigzss.txt 1
%APPDATA%\svcost 1
%APPDATA%\svcost\svcost.exe 1

File Hashes

  • 28b4c182eede85890244ea0678da95e9744cdf175dd8748e257064e6e867824d
  • 32f509646e99c7aea9d15d180ec891328fcba9dd156750d370f481dc586d674c
  • 548d4d3ee7271c7b57f7b99c0b1348da5d1c94e7acfe1adc47f296a562af47d0
  • 725fc28899391ced1970b4caffa22f4b92a636a4a5596c587855f4040f93e557
  • a3117c0c2a3d2bbe0bb4bdf2ee37d3bd461c3116ff018277c70aad51498552d5
  • a7e82cc0def7a4884816f9a97e85675cc0d1d4d8db8ea0c01f35f26de41b654e
  • b1c674e44363aae15e87840db0f5a1123e98228a1c33110b41270318cd2f4ada
  • d5f888e61113f8cef35692be3a876caf5ac1bbb6fa7983a28e0a1de0f964cd92
  • f78968d304d87b83e759cedde480ba74011e92fd9701c77207bcdc0935735940
  • f99d91a32c833a44ff5d8f938251401eae021320777e2e6f217948a50f8af428

Coverage


Screenshots of Detection AMP

ThreatGrid

Win.Malware.Kryptik-6964485-1

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mbihas 		9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: anblid 		1
MutexesOccurrences
OneiricOcelot 10
OnlineShopFinder 10
P79zA00FfF3 10
PCV5ATULCN 10
PJOQT7WD1SAOM 10
PSHZ73VLLOAFB 10
QuantalQuetzal 10
RaringRingtail 10
RaspberryManualViewer 10
RedParrot 10
RouteMatrix 10
SSDOptimizerV13 10
SoloWrite 10
StreamCoder1.0 10
Tropic819331 10
UEFIConfig 10
UtopicUnicorn 10
VHO9AZB7HDK0WAZMM 10
VRK1AlIXBJDA5U3A 10
VideoBind 10
VirtualDesktopKeeper 10
VirtualPrinterDriver 10
VividVervet 10
WinDuplicity 10
WireDefender 10
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
N/A -

File Hashes

  • 06aa0afbdfa537fa2a213bc400553e62935911ff40b2e899c839109b3aa76343
  • 0a8dbca58db6fd04e3b0fcb3ba3a08843676eb43362794b13d2b294b1428a8e5
  • 310433c733a765de4ebad4517cc227c0aa326bd496e9a0971a2c5fb2cc080e05
  • 516873875312e95e415216eecdbb0fe3799559cd774d68dd10f67b2e413cb646
  • 6155690a39ca14c04877424c2292c638910cce74e766d55036e6c3f8133f0c8c
  • 70b6964498ad91dc5cf69bca30abec8c65f549e6f11ce47b62cc999bfe167374
  • 85d7d87f0fa1cd3a5d405274286f4298ac9d66c6cd17bf90d7245bb2e0bc5b8b
  • 94c981cfdc9ec45d961a33c802e24c3c8c50771ed36e66fc5d06e7faaaba602b
  • ab44bd641e6fabcb49e6f7febd81073e296b8df9b868cf6cbadcc8515c089355
  • e1abb836355f1085113d6e4605b0eb941c965720eea05092993b8180756fb738

Coverage


Screenshots of Detection AMP

ThreatGrid

Win.Packed.Kovter-6964099-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe 		16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe 		16
<HKLM>\SOFTWARE\WOW6432NODE\Policies 16
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore 16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableConfig 		16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableSR 		16
<HKCU>\SOFTWARE\MICROSOFT\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\Windows\CurrentVersion\Policies\Explorer\Run 16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\RATINGS
Value Name: .Default 		16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_AJAX_CONNECTIONEVENTS
Value Name: svchost.exe 		16
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths 16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\Safer 16
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\WINDOWS
Value Name: þ 		16
<HKLM>\SYSTEM\ControlSet001\Control\Windows 16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6 16
<HKCU>\SOFTWARE\D1B9ACC6 16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 3 		16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 3 		16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 5 		16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 5 		16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 2 		16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 2 		16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 4 		16
<HKLM>\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore 15
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings 15
MutexesOccurrences
D1B9ACC6 16
D1B9ACC6E1 16
D1B9ACC6C2 16
D1B9ACC6C1 16
83EA3AF0E3D35BA8DAAEABE15EF52FFB 16
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
fastfront80[.]com 15
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred 16
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-10cabfeabcac 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-2ccabfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-20cabfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-24cabfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7b-10cabfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-14cabfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-13cbbfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f78-13cbbfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-a195-7aa28d9ef0c9 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-2acabfeabcac 1
%ProgramData%\Microsoft\{5c7b6c54-f92c-e302-cc6c-11c738737558}\{5c7b6c54-f92c-e302-cc6c-11c738737558}.exe 1
%ProgramData%\Microsoft\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}.exe 1
%ProgramData%\Microsoft\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}.exe 1
%ProgramData%\Microsoft\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}.exe 1
%ProgramData%\Microsoft\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}.exe 1
%ProgramData%\Microsoft\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}.exe 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-7ea28d9ef0c9 1
%ProgramData%\Microsoft\{9f9c3524-008c-a947-9125-69a3e6df8b87}\{9f9c3524-008c-a947-9125-69a3e6df8b87}.exe 1
%ProgramData%\Microsoft\{5590699f-0760-ca35-28f0-aed17ac9b62a}\{5590699f-0760-ca35-28f0-aed17ac9b62a}.exe 1
%ProgramData%\Microsoft\{c1735532-f3d2-0705-27fb-c9515444a59c}\{c1735532-f3d2-0705-27fb-c9515444a59c}.exe 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af75-13cbbfeabcac 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8199-78a28d9ef0c9 1
%ProgramData%\Microsoft\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}.exe 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af7b-2ccabfeabcac 1
See JSON for more IOCs

File Hashes

  • 967d47c136b9b0572999085bdf88035b47ac413a0fcc643379235a656c7b19bf
  • baf12e28c9f22bbc6343d8fd52ec0f9bdbec595887a3bb86ac8276b73a6149f0
  • c97d5b490cdb6a003c7fbc4f01d6e96b6eb7daa401fabb91159df441a7c3a414
  • d0e6edab6f229bddae3ba675045d31dae31ecfebc5071bcef6fb5bb75d7114bf
  • d101f5b175f474b2e8f7768e8ae0492f3732a776367b1df256412d2918edeabb
  • d229bf0e951fbb466a7a695021ff001f29b8a14e9236386fa23d64c0292fcabb
  • d7bfc27b9cae97fd12fc37aca51e72e11ad55a545d8fc1ef1cf1262b3a75d1cf
  • e09390b6cac41111e9573db97340727c493b7d61db4bd5f7be5e298bce1feb61
  • e7cf854f13c13b4356b79196b1703033ea820eb9d9c0539202774cfa62f4ddc1
  • ea4109825ea5dd469b35237206639f261ab9dbbc9029f6ff5cbe245e19708253
  • eeb139134e8f9ae9a06f2b88a5d710aff711ba5ad5f653300a2bf4f874d8cf90
  • f26f413104736c1e442bf3fc3d90f7e7ebf37015b8c81c8c8d8a3cb98ca17112
  • f644f06fe38ad3643c026e0a2eda3e0fd17b8dc3e248699d824df192455310e5
  • f76268c3dff77dddabcec092f5bc236cdacab5d052f5bac4ab3b1be932fe2f1e
  • f857b7ea2d8a195080fef9a188eceddd5c35d88bcad8cdc0ad074b937b0b4d71
  • fc8fce6392c14f721d61f41f1fdb794bd3abf8c0edbbe84e6b5f0efed38ca9d7

Coverage


Screenshots of Detection AMP

ThreatGrid


Win.Malware.Python-6964012-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
Value Name: TrapPollTimeMilliSecs 		20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156Agent 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CurrentVersion 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\Parameters 20
<HKLM>\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters 19
MutexesOccurrences
Global\D0E858DF-985E-4907-B7FB-8D732C3FC3B8} 20
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
79[.]98[.]145[.]42 17
45[.]79[.]77[.]20 16
153[.]92[.]4[.]49 5
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
info[.]abbny[.]com 19
info[.]beahh[.]com 19
info[.]ackng[.]com 19
42[.]pl 17
ip[.]42[.]pl 17
jsonip[.]com 16
Files and or directories createdOccurrences
\TEMP\m2.ps1 20
\TEMP\mkatz.ini 20
\m2.ps1 19
\mkatz.ini 19
%TEMP%\_MEI19082\Crypto.Cipher._AES.pyd 4
%TEMP%\_MEI19082\Crypto.Cipher._ARC4.pyd 4
%TEMP%\_MEI19082\Crypto.Cipher._DES.pyd 4
%TEMP%\_MEI19082\Crypto.Cipher._DES3.pyd 4
%TEMP%\_MEI19082\Crypto.Hash._MD4.pyd 4
%TEMP%\_MEI19082\Crypto.Hash._SHA256.pyd 4
%TEMP%\_MEI19082\Crypto.Random.OSRNG.winrandom.pyd 4
%TEMP%\_MEI19082\Crypto.Util._counter.pyd 4
%TEMP%\_MEI19082\Crypto.Util.strxor.pyd 4
%TEMP%\_MEI19082\Include\pyconfig.h 4
%TEMP%\_MEI19082\Microsoft.VC90.CRT.manifest 4
%TEMP%\_MEI19082\_ctypes.pyd 4
%TEMP%\_MEI19082\_hashlib.pyd 4
%TEMP%\_MEI19082\_mssql.pyd 4
%TEMP%\_MEI19082\_multiprocessing.pyd 4
%TEMP%\_MEI19082\_socket.pyd 4
%TEMP%\_MEI19082\_ssl.pyd 4
%TEMP%\_MEI19082\bz2.pyd 4
%TEMP%\_MEI19082\ii.exe.manifest 4
%TEMP%\_MEI19082\msvcm90.dll 4
%TEMP%\_MEI19082\msvcp90.dll 4
See JSON for more IOCs

File Hashes

  • 2d5c9619b85111c8af13ad75bc334b26713839eed3ac96e9b22447039296aa0e
  • 30117d30a63aaf64648199e3874762f0a31d1c45f35ff73820d3bb65827dbc89
  • 4af89e0f76d112342c2ac7e5cd3696974027a5c771fb4655faa78fefae4774e8
  • 5304995ff9b9ca3d6f597fc2eb1e456125eb5c42dc42df234173e47184df71f2
  • 568db055c4fb8890fe7f3ef0ef3d32c250ac4d997e94571f84b3463805befedb
  • 5795c318c70fd3009a470198ce1ccb6a7d74af59f3758385fe034520d657c45c
  • 59a6c6c90be9cd113afafad6261fce0f23decc1c453ffd3f135e028073fde501
  • 5f6a3155166e492a8acf391d70b334e985d24dfd43b9ea12f5e47a2d7222ea49
  • 6059747fb8a2c5429313d835f610d9c4a6965c5f63719c694ba20533450da3f7
  • 605cbd5701cbbc4a36935599525e6d0d5c1a043c9252aa081cb9c2f3724fc8ba
  • 613531d0a4eeffaca1e34fc90de6ce2a042dac8983fe8ac30d5868f2d400d4e2
  • 619b34db1e2b672ab7709c581a43ecc902b4f36fc817c007cd557b75d7dc67bf
  • 64c06234473e62abe6b4dd9dcb8c0df812344f4808fa8d2c594e3117bb22ac8e
  • 6503fd5020dc940cb38a647c1d6ee211259e418593d6bdf9db3aeb79621a4a6c
  • 6859d6615d5de8f981ee996de57b6f2c838420c2b21cf328b8a258a500e2ebc5
  • 6921860fd202f8de479af08511a6b5ddfb9c84654a89020f133243cebf0bee9a
  • 693df72f101e68cb4a19a921c89301779552e4215830498bc8b5c7843e35e5e2
  • 6a2a3089e6adf58b64a3800b94bc53d0e2b6b05a21aa6127ce57620268b49f08
  • 70c258ff7c21f6319d1434480d5ae6f2e111feb864a5e33b81b01f8364247d11
  • 70e53a2ffa43d9d4426fc703c04d7d610aa0346c2fb7e37dc234167c613dd515
  • 7149016c8e6cdeb9494dea17b743b298d12adbc35c77dcf7bc0a1e12f8ddea2d
  • 7246bf9b6fdb3b49ce33ff7b0a3f2bae33eb1e0301db635ccb74608313c719e1
  • 763571d4fc7e3d4738941599d41a665bcb859c0180de80ac99765edbe47f93a9
  • 7895313b35d27c7d5bc0fca556736f63e800e99feb6dcde910c76c743d4634ac
  • 79582a03488d2c8a1a14ce512034f65727e4a921f7420e18078d92bf1dd085ac
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Umbrella

Malware

Win.Ransomware.Cerber-6963958-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 11
<HKLM>\System\CurrentControlSet\Control\Session Manager 11
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations 		11
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 10
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld 10
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 10
<HKU>\Software\Microsoft\Internet Explorer\IETld 10
<HKU>\Software\Microsoft\Internet Explorer\BrowserEmulation 10
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\mshta\DEBUG 10
MutexesOccurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 11
\BaseNamedObjects\shell.{D31FFF46-7264-2F11-86F6-D577904717A2} 1
\BaseNamedObjects\shell.{009333F1-551C-9DAC-1759-5B4919375F70} 1
\BaseNamedObjects\shell.{AC607669-1359-523E-095D-A88DA96FD1D1} 1
\BaseNamedObjects\shell.{8F606D68-4B19-E718-0DBB-45B7697D4BDA} 1
\BaseNamedObjects\shell.{4A4E1DA9-250C-6EB9-DF1C-D339CF8305B9} 1
\BaseNamedObjects\shell.{93742F5C-F907-5D2F-E50F-7DDF1F2F0F9C} 1
\BaseNamedObjects\shell.{98B816E3-E44E-C421-229A-B8F7963D0F05} 1
\BaseNamedObjects\shell.{33BDE317-B098-C54C-1E87-AECB2544252C} 1
\BaseNamedObjects\shell.{D98CB22B-6CC2-5E4F-BC2F-152CBBE6DA5B} 1
\BaseNamedObjects\shell.{31C26804-8082-BCD2-AE9A-2E0E343C4A11} 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
94[.]23[.]173[.]239 11
94[.]23[.]173[.]236 11
94[.]23[.]173[.]237 11
94[.]23[.]173[.]242 11
94[.]23[.]173[.]243 11
94[.]23[.]173[.]240 11
94[.]23[.]173[.]241 11
94[.]23[.]172[.]190 11
94[.]23[.]173[.]24 11
94[.]23[.]173[.]25 11
94[.]23[.]173[.]127 11
94[.]23[.]172[.]191 11
94[.]23[.]174[.]76 11
94[.]23[.]174[.]77 11
94[.]23[.]172[.]218 11
94[.]23[.]175[.]153 11
94[.]23[.]175[.]152 11
94[.]23[.]172[.]50 11
94[.]23[.]172[.]51 11
94[.]23[.]175[.]142 11
94[.]23[.]175[.]143 11
94[.]23[.]173[.]235 11
94[.]23[.]173[.]234 11
94[.]23[.]172[.]199 11
94[.]23[.]172[.]197 11
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
api[.]blockcypher[.]com 11
hjhqmbxyinislkkt[.]1j9r76[.]top 8
chain[.]so 6
p27dokhpz2n7nvgr[.]1j9r76[.]top 3
bitaps[.]com 3
btc[.]blockr[.]io 3
Files and or directories createdOccurrences
%TEMP%\d19ab989 11
%TEMP%\d19ab989\4710.tmp 11
%TEMP%\d19ab989\a35f.tmp 11
\DAV RPC SERVICE 10
\Device\Null 10
%TEMP%\8f793a96\4751.tmp 10
%TEMP%\8f793a96\da80.tmp 10
\I386\DRVMAIN.SDB 10
\I386\EULA.TXT 10
\I386\HWCOMP.DAT 10
\I386\SECUPD.DAT 10
\I386\SETUPLDR.BIN 10
\I386\WIN9XMIG\ICM\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XMIG\ICM\SYMBOLS\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XMIG\IEMIG\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XMIG\IEMIG\SYMBOLS\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XMIG\PWS\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XMIG\PWS\SYMBOLS\RETAIL\DLL\MIGRATE.PDB 10
\I386\WIN9XUPG\E95ONLY.DAT 10

File Hashes

  • 7019c1e1802915ac18691419d277a94b5e30a11209dd445f234ca14b35f5d720
  • 72316d031bea130d9475d57d97f96b05cf11190101b219b106eadbb7ffb41b4a
  • 8518d800daf5c94937948b6f1ca696a7e03faa6f86a689e809218f81f697b80e
  • 860ee1bc900c05313d12f50f17620c330f642a9dcfce66b8dd8141897bd4ed09
  • a8eb934ac833e714578d5d7d2b8fa2388328cb2145e8207553a0f124da942f48
  • ac4851b671d4ecf728681c9587bd7d14bc011c682e6957124aba87660882377c
  • bccbc893aef7ecee4eebeeb2c386e43abb1deaa78d4f03dc54e8f7f409d73b6f
  • c3e5d39b17b60def951d6c0829ed1bf887cc0e71c9d24c9dc14a02d6bdf23c86
  • cf557bc47899bdec8b94a0e8b0b00d73390be2c1c404a973b65828e264c26c77
  • e2e487d62c6c9ef0a965fbb0d99e0af7752a11738a9ef3e1d9d193862b28e118
  • f0e79e62922ddf62d71c4e44aa2e927ad111b4437df9adcf0c28c491b22d633a

Coverage


Screenshots of Detection AMP

ThreatGrid

Malware

Doc.Downloader.Powload-6959926-0

Indicators of Compromise

Registry KeysOccurrences
N/A -
MutexesOccurrences
Global\I98B68E3C 24
Global\M98B68E3C 24
Global\SyncRootManager 1
Local\ShimViewer 1
Local\C9E8AF12-FA27-4748-EC04-38CA71239739_RegisterDevice 1
5CAC3FAB-87F0-4750-984D-D50144543427-VER15 1
Local\{F99C425F-9135-43ed-BD7D-396DE488DC53} 1
CicLoadWinStaWinSta0 1
Global\RecentDocumentsUpdate 1
Global\b48161dd-6c92-11e9-bdf9-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
37[.]211[.]38[.]50 22
75[.]177[.]169[.]225 22
50[.]99[.]132[.]7 22
189[.]134[.]78[.]42 21
31[.]14[.]103[.]164 12
91[.]231[.]87[.]78 12
45[.]40[.]251[.]243 12
103[.]229[.]72[.]59 10
209[.]134[.]25[.]170 3
200[.]58[.]171[.]51 2
189[.]196[.]140[.]187 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
protemin[.]com 12
moda-blog[.]com 12
chenrenxu[.]com 12
depobusa[.]com 10
webaphobia[.]com 3
Files and or directories createdOccurrences
%HOMEPATH%\820.exe 12
%HOMEPATH%\438.exe 10
%HOMEPATH%\813.exe 3
\TDLN-2060-41 1
\Device\NamedPipe\Sessions\1\AppContainerNamedObjects\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742 1
%System32%\WindowsPowerShell\v1.0\Help.format.ps1xml 1
%SystemRoot%\SysWOW64\7Dvm.exe 1
%TEMP%\CVR550.tmp 1
%SystemRoot%\SysWOW64\9LObZfUjohYq.exe 1

File Hashes

  • 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
  • 1a6641086b78035d6c9ba38c7199aac02d37dafbadf96059a81b6f4c35e49f84
  • 1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
  • 224d99639dbb488494e23f7fd8a60c75630ffc694a3114a6d4f596da2062fbe0
  • 2ade167cc02b318750feb789c0476581e4f2e0864c3a51fd65bd74c25534a74e
  • 3606c54dbaba863109929191dfda5771de069a4fdbdc6322ae75c549aeec3ddd
  • 394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
  • 3f832fc27ebcc0391c302aedbc3f8d3dfe7473679d5d9aa0176f9623d4306d68
  • 3f90bc319f969145e499fa90a32a81f0fed988320b255b0febc18befca735484
  • 404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
  • 42981d37b50801d5cdc23d5d9f0a1e0e20f3787e24c4d20f606d2250ce5bf804
  • 438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
  • 49b5e70a242f984eadee49435aac4371ca3cb65b02b2f6fbcbfcbfbd9d985782
  • 51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
  • 567c4f99a489d6e26cdd76b719f290108f558cb49b7f5f7e2d84dc8929f7613b
  • 571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
  • 58c44d575aa6041c0d0e87372288f96804c1fa141ee903a67f668e73cb690dec
  • 5f401aefe65751c9e09131d50f1a6ea3f86f542552ecab2973a334a360357699
  • 61e933a06b4a2af4239c378c84211b2ff1baab4effe6b5bf044ac4f2d3371c32
  • 64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
  • 68e686c3f2b87d3169766ffe4bba021a8acd7648ca38c6c75be829a864558ecb
  • 6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
  • 6f926261cf70832a6f3332c727eb674da29212109a968a25cab4cb92fced7694
  • 72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
  • 7416ebc5373fd8a3ec9ece1dff46c15699738491d703b47f20ae4de8c59bcef0
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Malware

Win.Dropper.Qakbot-6962757-0

Indicators of Compromise

Registry KeysOccurrences
N/A -
MutexesOccurrences
Global\eqfik 15
Global\ufwao 15
llzeou 15
4737f7e7a483154476a69b4f5a4a 1
4737f7e7a483154476a69b4f5a4/C 1
f23982a726efd837a3fb23d770ea 1
85ff1bf1196b88d85f7f7092fc8a 1
f23982a726efd837a3fb23d770e/C 1
b274a28e4ad451b106c78e64d91a 1
85ff1bf1196b88d85f7f7092fc8/C 1
ecd2fdff63d752ee98eb1e0dd18a 1
b274a28e4ad451b106c78e64d91/C 1
ecd2fdff63d752ee98eb1e0dd18/C 1
8c5f802a24045fc230207298aa8a 1
8c5f802a24045fc230207298aa8/C 1
908889c25ce86b55fc08b790b42a 1
666d680dfc69cb8931cc724a81ca 1
908889c25ce86b55fc08b790b42/C 1
666d680dfc69cb8931cc724a81c/C 1
d7c6d675543ec8fc13cb6e169f7a 1
d7c6d675543ec8fc13cb6e169f7/C 1
a4be182a1dc5815e8a932795631a 1
a4be182a1dc5815e8a932795631/C 1
99cfbb31846bd275123aa1ab920a 1
99cfbb31846bd275123aa1ab920/C 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
N/A -

File Hashes

  • 4737f7e7a483154476a69b4f5a48fb4551ac02ac240a784c4f3377c436dbd203
  • 666d680dfc69cb8931cc724a81cdb588d16602788f7d3bd7955803ce224d6f80
  • 6c4d27124a279c0f49eb46852ea440fdd482bd8798126bfe0b526361f3702531
  • 85ff1bf1196b88d85f7f7092fc8f3905a9ded0e14e06b17475163df47a079e29
  • 8c5f802a24045fc230207298aa825e0fca94d7dd7d8e9f06abd59836d0ed373e
  • 908889c25ce86b55fc08b790b42ab405a485dc498821249c10d5517c47470e35
  • 9258e1004f3ddbf9bc72a4764a77d174b090faf1288afaa2f7b1d16f96fbb1a6
  • 99cfbb31846bd275123aa1ab9206e92b71556ea269e8eeceffff3b3dc27385b5
  • a4be182a1dc5815e8a9327956310222b714dac52ba4c5aa4ba0f72975c716218
  • b274a28e4ad451b106c78e64d917f9da3d1ab46d7e450a3a3908351b25718b3c
  • c6f26163d2c2dc499ffdb86d649e95301329db9d908888b909f4190d3d51ca1f
  • d7c6d675543ec8fc13cb6e169f7df286f33187ee96a3163252c607aa16e7bbf1
  • ecd2fdff63d752ee98eb1e0dd185a1919d2ff72c23c80a7a8c057d4b9f5e9ad5
  • f23982a726efd837a3fb23d770ed2e1eba1cf2629b4466b76ef205b52c19e540
  • f9d48c419ad4ea015efa8258f323a5242b46da80c1755ff2b551592a3b54d0bd

Coverage


Screenshots of Detection AMP


ThreatGrid

Exprev Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

  • Madshi injection detected(3477)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (2818)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (1467)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (521)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (172)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Atom Bombing code injection technique detected (146)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Suspicious PowerShell execution detected (97)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Installcore adware detected (69)
    Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Dealply adware detected (40)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Excessively long PowerShell command detected (26)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.