Friday, September 27, 2019

Threat Roundup for September 20 to September 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 20 and Sept. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Doc.Downloader.Emotet-7181535-0 Downloader Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
Win.Ransomware.Shade-7178907-1 Ransomware Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments.
Win.Dropper.Cerber-7174760-0 Dropper Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
Win.Dropper.Kovter-7173679-0 Dropper Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Zusy-7173469-1 Malware Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Tofsee-7171939-0 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Threat Breakdown

Doc.Downloader.Emotet-7181535-0

Indicators of Compromise

Registry Keys Occurrences
Mutexes Occurrences
Global\I98B68E3C 31
Global\M98B68E3C 31
5CAC3FAB-87F0-4750-984D-D50144543427-VER15 2
Local\{F99C425F-9135-43ed-BD7D-396DE488DC53} 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\657.exe 31
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3} 1
%SystemRoot%\SysWOW64\gcycF3Sb1.exe 1
%SystemRoot%\SysWOW64\qoOwTVXh.exe 1
%SystemRoot%\SysWOW64\gMVKv3.exe 1
%TEMP%\CVRF2C.tmp 1
%TEMP%\CVRB39.tmp 1
%TEMP%\CVRDF3.tmp 1

File Hashes

*See JSON for more IOCs
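The IOC tables above follow one flattened layout (a header ending in "Occurrences", then one indicator and its count per line, with registry entries that carry a value name spread over three lines, and IPs defanged as `74[.]208[.]236[.]145` or given as ranges such as `86[.]109[.]99[.]70/31`). The parser below is an added example, not Talos code or the roundup's own JSON export; the class and field names are my own, and the sample is constructed from rows that appear in this post.

```python
"""Parser for the flattened IOC tables in a Talos Threat Roundup post.

Added example, not Talos code. It reads the page's layout: a header ending in
"Occurrences", then one indicator per line followed by its count; registry
entries that carry a value name span three lines (key / "Value Name: x" / count).
"""
import ipaddress
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

SECTION_RE = re.compile(r"^(?P<name>.+?)\s+Occurrences$")
ROW_RE = re.compile(r"^(?P<ioc>.+?)\s+(?P<count>\d+)$")

# The page's column headers mapped to short category tags.
CATEGORIES = {
    "Registry Keys": "registry",
    "Mutexes": "mutex",
    "IP Addresses contacted by malware. Does not indicate maliciousness": "ip",
    "Domain Names contacted by malware. Does not indicate maliciousness": "domain",
    "Files and or directories created": "file",
}


@dataclass
class Ioc:
    category: str
    value: str                        # refanged, normalized indicator
    count: int                        # samples that exhibited it
    value_name: Optional[str] = None  # registry value name, when present
    hosts: Optional[int] = None       # addresses covered by an IP/CIDR entry


def refang(text: str) -> str:
    """Undo the roundup's defanging: '[.]' becomes '.'."""
    return text.replace("[.]", ".")


def normalize(category: str, raw: str) -> tuple:
    """Return (value, hosts) for one indicator in the given category."""
    if category == "ip":
        # Entries such as 86[.]109[.]99[.]70/31 are CIDR ranges; a bare address
        # is a /32. strict=False tolerates host bits set inside a range.
        net = ipaddress.ip_network(refang(raw), strict=False)
        single = net.prefixlen == net.max_prefixlen
        return (str(net.network_address) if single else str(net)), net.num_addresses
    if category == "domain":
        return refang(raw).lower(), None
    return raw, None


def parse_roundup(text: str) -> list:
    """Walk the flattened tables and emit one Ioc per row."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    iocs, category, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        header = SECTION_RE.match(line)
        if header and header.group("name") in CATEGORIES:
            category = CATEGORIES[header.group("name")]
            i += 1
            continue
        if category is None or line.startswith("*See JSON"):
            i += 1
            continue
        # Three-line registry form: key, "Value Name: ...", count.
        if (category == "registry" and i + 2 < len(lines)
                and lines[i + 1].startswith("Value Name:") and lines[i + 2].isdigit()):
            iocs.append(Ioc("registry", line, int(lines[i + 2]),
                            value_name=lines[i + 1][len("Value Name:"):].strip()))
            i += 3
            continue
        row = ROW_RE.match(line)
        if row:
            value, hosts = normalize(category, row.group("ioc"))
            iocs.append(Ioc(category, value, int(row.group("count")), hosts=hosts))
        i += 1
    return iocs


def network_watchlist(iocs: list, min_count: int = 2) -> set:
    """IPs/domains seen in at least min_count samples. As the post notes, a
    single sighting is weak evidence, so low-count entries are left out."""
    return {i.value for i in iocs if i.category in ("ip", "domain") and i.count >= min_count}


def to_json(iocs: list) -> str:
    return json.dumps([asdict(i) for i in iocs], indent=2)


# Constructed sample assembled from rows that appear in this roundup.
SAMPLE = r"""
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client Server Runtime Subsystem
155
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32 154
Mutexes Occurrences
Global\I98B68E3C 31
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
74[.]208[.]236[.]145 31
86[.]109[.]99[.]70/31 8
216[.]218[.]206[.]69 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
otc-manila[.]com 31
Files and or directories created Occurrences
%ProgramData%\Windows\csrss.exe 155
"""

if __name__ == "__main__":
    parsed = parse_roundup(SAMPLE)
    print(to_json(parsed))
    print(sorted(network_watchlist(parsed)))
```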

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Malware




Win.Ransomware.Shade-7178907-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xi
155
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client Server Runtime Subsystem
155
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xVersion
155
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32 154
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION 154
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xmode
76
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xpk
76
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xstate
76
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: shst
75
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: sh1
75
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: shsnt
73
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown
36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY
Value Name: Services
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY
Value Name: DomainName
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY
Value Name: TAPISRVSCPGUID
13
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xmail
9
Mutexes Occurrences
GeneratingSchemaGlobalMapping 64
cversions.2.m 35
Global\47348ae1-defe-11e9-a007-00501e3ae7b5 1
Global\f1f16ad1-df02-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\Windows\csrss.exe 155
%ProgramData%\Windows 154
%TEMP%\6893A5D897 154
\README1.txt 76
\README10.txt 76
\README2.txt 76
\README3.txt 76
\README4.txt 76
\README5.txt 76
\README6.txt 76
\README7.txt 76
\README8.txt 76
\README9.txt 76
%APPDATA%\Mozilla\Firefox\profiles.ini 71

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Dropper.Cerber-7174760-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 37
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
37
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 37
shell.{<random GUID>} 22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.hta 37
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.txt 37
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 22

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


Malware




Win.Dropper.Kovter-7173679-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0521341d
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0521341d
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: b5e001e3
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: b5e001e3
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0905afc0
20
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0905afc0
20
Mutexes Occurrences
C59C87A31F74FB56 22
Global\42EDC1955FE17AD4 22
0D0D9BEBF5D08E7A 22
1315B41013857E19 22
BAD24FA07A7F6DD9 15
863D9F083B3F4EDA 15
Global\EE662FBC96CBCB1A 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ottensen[.]de 1
www[.]tastingtable[.]com 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Zusy-7173469-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: EEFEB657
25
Mutexes Occurrences
EEFEB657 79
4A60888F 13
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]218[.]185[.]162 13
216[.]218[.]206[.]69 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
brureservtestot[.]cc 9
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 26
%APPDATA%\EEFEB657 26
%APPDATA%\EEFEB657\bin.exe 25
%APPDATA%\4A60888F\bin.exe 13

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Packed.Tofsee-7171939-0

Indicators of Compromise

Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
10
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
10
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
10
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 10
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 10
%TEMP%\<random, matching '[a-z]{8}'>.exe 10
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 8
%TEMP%\hjekdqa.exe 2

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (9723)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (6212)
A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
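As an added illustration of the "excessively long PowerShell command" heuristic (example code, not AMP's detection logic), the script below triages constructed process-creation events in JSON-lines form for the traits named above: an oversized command line, an encoded command (decoded only to give the analyst a preview), and window-hiding or policy-bypass switches that commonly accompany obfuscated scripts. The Image/CommandLine/UtcTime field names follow Sysmon's naming, and the 1000-character threshold is an assumption.

```python
"""Heuristic triage of PowerShell process-creation events.

Added example, not AMP's detection logic. It flags the traits the roundup
describes: an excessively long command line, an encoded command, and switches
commonly paired with obfuscated scripts. Field names follow Sysmon's
Image/CommandLine naming; the length threshold is an assumption.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

LONG_CMDLINE = 1000  # assumption: characters beyond which a command line is "excessively long"

POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 run.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)
EVASION_PATTERNS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("execution policy bypass", re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.IGNORECASE)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)),
    ("non-interactive", re.compile(r"-noni(?:nteractive)?\b", re.IGNORECASE)),
]


@dataclass
class Finding:
    utc_time: str
    image: str
    reasons: list
    decoded_preview: str = ""  # first characters of the decoded script, for the analyst


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding for a PowerShell event that shows any suspicious trait."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not POWERSHELL_RE.search(image):
        return None
    reasons, decoded = [], ""
    if len(cmd) > LONG_CMDLINE:
        reasons.append(f"command line is {len(cmd)} chars")
    enc = ENCODED_RE.search(cmd)
    if enc:
        try:
            # PowerShell expects the encoded argument as base64 of UTF-16LE text.
            decoded = base64.b64decode(enc.group(1), validate=True).decode("utf-16le", errors="replace")
            reasons.append("encoded command")
        except ValueError:  # binascii.Error is a ValueError subclass
            reasons.append("encoded command (undecodable)")
    for label, pattern in EVASION_PATTERNS:
        if pattern.search(cmd):
            reasons.append(label)
    if not reasons:
        return None
    return Finding(event.get("UtcTime", ""), image, reasons, decoded[:80])


def scan(jsonl: str) -> list:
    """Run analyze() over JSON-lines process-creation events, keeping only hits."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            hit = analyze(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


def _ps_encode(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events: a benign script run, a long hidden encoded
# command, a long but non-PowerShell command, and a short encoded command.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-09-25 10:01:02", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"UtcTime": "2019-09-25 10:03:17", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ps_encode("Write-Output 'audit marker'; " * 40)},
    {"UtcTime": "2019-09-25 10:04:40", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo " + "A" * 1200},
    {"UtcTime": "2019-09-25 10:05:09", "Image": PS,
     "CommandLine": "powershell.exe -EncodedCommand " + _ps_encode("Get-Date")},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan(SAMPLE_JSONL):
        print(f.utc_time, f.image, "; ".join(f.reasons), repr(f.decoded_preview))
```

The long cmd.exe event is deliberately ignored: the heuristic is scoped to the PowerShell host so that length alone, in other processes, does not page an analyst.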
Kovter injection detected - (1773)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Madshi injection detected - (1501)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Process hollowing detected - (755)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Trickbot malware detected - (636)
Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (190)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Special Search Offer adware - (110)
Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.
Installcore adware detected - (95)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (84)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
