Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Win.Dropper.Remcos-7376444-0 (Dropper)
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Dropper.Kovter-7376187-0 (Dropper)
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.

Win.Dropper.Emotet-7375156-0 (Dropper)
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Trickbot-7374019-1 (Malware)
Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.

Win.Malware.Phorpiex-7373816-1 (Malware)
Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including malware that sends spam emails, ransomware and cryptocurrency miners.

Win.Malware.Zbot-7373691-1 (Malware)
Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.

Win.Malware.DarkComet-7371375-1 (Malware)
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.

Win.Packed.ZeroAccess-7370742-1 (Packed)
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click-fraud campaigns.
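The Registry Keys listings in the Threat Breakdown sections that follow all use one flat layout: a key line, an optional "Value Name:" line, then the occurrence count on its own line. The parser below is an added example (not Talos code) that reads that layout and tags each entry by the mechanism it touches (Run-key autorun, service installation, AppInit_DLLs, Defender policy and security-service tampering), so a hunter can see at a glance which persistence or defense-evasion keys a family relies on; the tag names and the rule set are this example's own, and the sample listing is constructed from entries quoted on this page.

```python
"""Parse the flat 'Registry Keys / Value Name / Occurrences' listing used in the
Threat Breakdown sections and tag each entry by the mechanism it touches.
Added example, not Talos code; the sample text is constructed from values that
appear on this page (Remcos, Trickbot, Zbot and Emotet entries)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the page's own flat layout: a key line, an optional
# "Value Name:" line, then the occurrence count alone on the next line.
SAMPLE_LISTING = r"""
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Snk
8
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: AppInit_DLLs
48
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT
Value Name: exepath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
115
"""

# Each rule is matched against "KEY" or "KEY::VALUENAME" (both upper-cased).
# Tag names are this example's own; one entry may carry several tags.
RULES = [
    ("autorun",          re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?(::|$)")),
    ("winlogon-notify",  re.compile(r"\\WINLOGON\\NOTIFY")),
    ("appinit-dll",      re.compile(r"\\WINDOWS NT\\CURRENTVERSION\\WINDOWS::(LOAD)?APPINIT_DLLS$")),
    ("service-config",   re.compile(r"\\SERVICES\\[^\\]+(::|$)")),
    ("security-service", re.compile(r"\\SERVICES\\(WINDEFEND|WSCSVC|MPSSVC|SHAREDACCESS)(::|$)")),
    ("defender-policy",  re.compile(r"\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER")),
]


@dataclass
class RegEntry:
    key: str
    value_name: Optional[str]
    occurrences: int
    tags: List[str] = field(default_factory=list)


def parse_registry_listing(text: str) -> List[RegEntry]:
    """Walk the listing line by line; a bare count line closes the current entry."""
    entries: List[RegEntry] = []
    key = value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<HK"):
            key, value = line, None
        elif line.startswith("Value Name:"):
            value = line.split(":", 1)[1].strip()
        elif line.isdigit() and key is not None:
            entries.append(RegEntry(key, value, int(line)))
            key = value = None
        else:
            raise ValueError(f"unexpected line in listing: {line!r}")
    return entries


def tag_entry(entry: RegEntry) -> List[str]:
    """Return every rule tag whose pattern matches KEY or KEY::VALUENAME."""
    probe = entry.key.upper()
    if entry.value_name:
        probe += "::" + entry.value_name.upper()
    return sorted(tag for tag, pattern in RULES if pattern.search(probe))


def analyze(text: str) -> List[RegEntry]:
    entries = parse_registry_listing(text)
    for entry in entries:
        entry.tags = tag_entry(entry)
    return entries


def summarize(entries: List[RegEntry]) -> Dict[str, int]:
    """Sum occurrence counts per tag; entries matching no rule count as 'other'."""
    totals: Dict[str, int] = {}
    for entry in entries:
        for tag in entry.tags or ["other"]:
            totals[tag] = totals.get(tag, 0) + entry.occurrences
    return totals


if __name__ == "__main__":
    for entry in analyze(SAMPLE_LISTING):
        name = entry.key + (f" [{entry.value_name}]" if entry.value_name else "")
        print(f"{entry.occurrences:4d}  {', '.join(entry.tags) or '-':32s} {name}")
    print(summarize(analyze(SAMPLE_LISTING)))
```

Running it against the Trickbot or ZeroAccess listing below shows the family's weight in service and security-service tampering versus plain autorun persistence; a malformed listing line raises ValueError instead of silently skipping an indicator.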
Threat Breakdown
Win.Dropper.Remcos-7376444-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Snk
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Snk
8
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT
Value Name: exepath
6
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT
Value Name: licence
6
Mutexes (Occurrences)
Remcos_Mutex_Inj
8
XLR4615DFT-CRBSFT
8
Global\0e3e6d21-fc20-11e9-a007-00501e3ae7b5
1
Global\96ab2081-00fe-11ea-a007-00501e3ae7b5
1
Global\d24f50c1-00fe-11ea-a007-00501e3ae7b5
1
Global\77238861-00fe-11ea-a007-00501e3ae7b5
1
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
179[.]33[.]68[.]255
4
179[.]33[.]152[.]127
3
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
proyectobasevirtualcol[.]com
8
Files and/or directories created (Occurrences)
%TEMP%\install.vbs
8
%APPDATA%\System32
8
%APPDATA%\System32\Snk.exe
8
%APPDATA%\Runtime3
6
%APPDATA%\Runtime3\1627.dat
6
%TEMP%\<random, matching '[a-z]{4,9}'>.exe
5
File Hashes
See the accompanying JSON for the full list of file hashes.
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / N/A
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / N/A
Screenshots of Detection: AMP
Win.Dropper.Kovter-7376187-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ssishoff
25
<HKCR>\.16A05D
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrxzdhbyv
25
<HKCU>\SOFTWARE\XVYG
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: tbqjcmuct
25
<HKCU>\SOFTWARE\XVYG
Value Name: tbqjcmuct
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: xedvpa
25
<HKCU>\SOFTWARE\XVYG
Value Name: xedvpa
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: svdjlvs
25
<HKCU>\SOFTWARE\XVYG
Value Name: svdjlvs
25
<HKCR>\7B507\SHELL\OPEN\COMMAND
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: lujyoqmfl
25
<HKCU>\SOFTWARE\XVYG
Value Name: lujyoqmfl
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
25
<HKCU>\SOFTWARE\XVYG
Value Name: tnzok
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: tnzok
25
<HKCU>\SOFTWARE\XVYG
Value Name: usukxpt
25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG
Value Name: usukxpt
25
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
21
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
7
<HKCU>\SOFTWARE\YNRVKCYV3
Value Name: kwS6y5
1
Mutexes (Occurrences)
EA4EC370D1E573DA
25
A83BAA13F950654C
25
Global\7A7146875A8CDE1E
25
B3E8F6F86CDD9D8B
25
408D8D94EC4F66FC
20
Global\350160F4882D1C98
20
053C7D611BC8DF3A
20
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Files and/or directories created (Occurrences)
%LOCALAPPDATA%\39b03\6a5cc.16a05d
25
%LOCALAPPDATA%\39b03\7cbdf.bat
25
%HOMEPATH%\Local Settings\Application Data\2501\1ffa.41d68
20
%HOMEPATH%\Local Settings\Application Data\2501\aae7.bat
20
File Hashes
*See JSON for more IOCs
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / N/A
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / N/A
Screenshots of Detection: AMP
Win.Dropper.Emotet-7375156-0
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: Type
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: Start
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: ErrorControl
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: ImagePath
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: DisplayName
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: WOW64
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: ObjectName
115
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS
Value Name: Description
115
Mutexes (Occurrences)
Global\I98B68E3C
115
Global\M98B68E3C
115
Global\M3C28B0E4
42
Global\I3C28B0E4
42
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Files and/or directories created (Occurrences)
%SystemRoot%\SysWOW64\spooleripspsb.exe
2
\TEMP\694.exe
2
%SystemRoot%\SysWOW64\spooleripspsa.exe
1
\TEMP\L6WtzMgB.exe
1
\TEMP\wdEnqutV.exe
1
\TEMP\pzcc3lk.exe
1
\TEMP\p1cvp.exe
1
\TEMP\ux68b0c6lxc0fow.exe
1
\TEMP\z825f3w9uh.exe
1
\TEMP\gcb5of4v1tlz.exe
1
\TEMP\ezxnt4.exe
1
\TEMP\39v3vti54d.exe
1
\TEMP\tdr3z0u10.exe
1
\TEMP\yqr4645h3g.exe
1
\TEMP\70vol09busiw7g.exe
1
\TEMP\2bn1wg8bam49.exe
1
\TEMP\afoly3.exe
1
\TEMP\yumjilsuex5ce.exe
1
\TEMP\2gb7kk6.exe
1
\TEMP\f80gj19dm6pg.exe
1
\TEMP\itb9yhf.exe
1
\TEMP\sd0ew7kemxl.exe
1
\TEMP\9b65hy6s.exe
1
\TEMP\5q1otsijpw2d6rr.exe
1
\TEMP\002109r7ga.exe
1
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / Yes
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / Yes
WSA / Yes
Screenshots of Detection: AMP, Umbrella
Win.Malware.Trickbot-7374019-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableIOAVProtection
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable
26
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
11
Mutexes (Occurrences)
Global\316D1C7871E10
26
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
ip[.]anysrc[.]net
5
myexternalip[.]com
4
ipecho[.]net
4
api[.]ipify[.]org
4
ident[.]me
2
checkip[.]amazonaws[.]com
2
www[.]myexternalip[.]com
1
icanhazip[.]com
1
api[.]ip[.]sb
1
wtfismyip[.]com
1
ipinfo[.]io
1
Files and/or directories created (Occurrences)
%APPDATA%\wnetwork\settings.ini
26
%System32%\Tasks\Windows Network
26
%APPDATA%\wnetwork
26
%APPDATA%\WNETWORK\<original file name>.exe
26
File Hashes
*See JSON for more IOCs
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / Yes
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / Yes
Screenshots of Detection: AMP
Win.Malware.Phorpiex-7373816-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Service
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Service
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\system32\rundll32.exe
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
Value Name: Impersonate
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
Value Name: Asynchronous
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
Value Name: MaxWait
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
Value Name: DllName
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU
Value Name: Startup
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pixedfu
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: FFC6F26321
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCC6F26321
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: *BCC6F26321
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 00FFC6F26321
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
Value Name: C6F26321
1
Mutexes (Occurrences)
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
92[.]63[.]197[.]106
10
66[.]199[.]229[.]251
3
216[.]58[.]206[.]81
3
141[.]101[.]129[.]46
3
141[.]101[.]129[.]45
3
172[.]217[.]7[.]174
2
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
ofoanefubehauufdu[.]ru
11
osgohfoeaugfoauef[.]ru
8
dio[.]shojnoc[.]com
3
dia[.]shojnoc[.]com
2
ieguaoeuafhoauedg[.]ru
1
Files and/or directories created (Occurrences)
\_\DeviceManager.exe
12
\.lnk
12
E:\.lnk
12
E:\$RECYCLE.BIN
12
E:\_
12
E:\_\DeviceManager.exe
12
%SystemRoot%\T-580580975794906058
12
%APPDATA%\winsvcmgr.txt
12
%SystemRoot%\T-580580975794906058\winsvc.exe
12
%HOMEPATH%\Local Settings\Application Data\pixedfu.dll
3
%LOCALAPPDATA%\pixedfu.dll
3
%TEMP%\323221246224071.exe
2
\$Recycle.Bin\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\AppData\_HELP_INSTRUCTION.TXT
1
%APPDATA%\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Desktop\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Documents\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Downloads\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Favorites\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Links\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\Saved Games\_HELP_INSTRUCTION.TXT
1
%HOMEPATH%\_HELP_INSTRUCTION.TXT
1
%PUBLIC%\Music\Sample Music\12EAEF0D255F4C3289F8C16727C42FE6.BACKUP
1
%PUBLIC%\Music\Sample Music\20410F1A046679B6EE5BB84B050B5D6A.BACKUP
1
%PUBLIC%\Music\Sample Music\CD5F520B00FF264246AA4685031109F6.BACKUP
1
*See JSON for more IOCs
File Hashes
See the accompanying JSON for the full list of file hashes.
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / Yes
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / Yes
Screenshots of Detection: AMP
Win.Malware.Zbot-7373691-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs
48
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: AppInit_DLLs
48
Files and/or directories created (Occurrences)
%System32%\Tasks\aybbmte
48
%ProgramData%\Mozilla\thfirxd.exe
48
%ProgramData%\Mozilla\lygbwac.dll
48
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll
42
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe
42
%SystemRoot%\Tasks\kylaxsk.job
42
File Hashes
*See JSON for more IOCs
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / N/A
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / N/A
Screenshots of Detection: AMP
Win.Malware.DarkComet-7371375-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\DC3_FEXEC
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
1
Mutexes (Occurrences)
DC_MUTEX-F54S21D
10
DC_MUTEX-<random, matching [A-Z0-9]{7}>
6
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
88[.]67[.]72[.]218
5
189[.]24[.]196[.]171
3
187[.]14[.]155[.]193
1
Files and/or directories created (Occurrences)
%TEMP%\dclogs
12
%TEMP%\tmpcmd.bat
1
File Hashes
See the accompanying JSON for the full list of file hashes.
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / N/A
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / N/A
Screenshots of Detection: AMP
Win.Packed.ZeroAccess-7370742-1
Indicators of Compromise
Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
8
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
8
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
8
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004
Value Name: PackedCatalogItem
8
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Files and/or directories created (Occurrences)
\systemroot\assembly\GAC_32\Desktop.ini
8
\systemroot\assembly\GAC_64\Desktop.ini
8
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8
8
%SystemRoot%\assembly\GAC_32\Desktop.ini
8
%SystemRoot%\assembly\GAC_64\Desktop.ini
8
\$Recycle.Bin\S-1-5-18
8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f
8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@
8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L
8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U
8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n
8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f
8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@
8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L
8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U
8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n
8
%ProgramFiles%\Windows Defender\MSASCui.exe:!
8
%ProgramFiles%\Windows Defender\MpAsDesc.dll:!
8
%ProgramFiles%\Windows Defender\MpClient.dll:!
8
%ProgramFiles%\Windows Defender\MpCmdRun.exe:!
8
%ProgramFiles%\Windows Defender\MpCommu.dll:!
8
%ProgramFiles%\Windows Defender\MpEvMsg.dll:!
8
%ProgramFiles%\Windows Defender\MpOAV.dll:!
8
%ProgramFiles%\Windows Defender\MpRTP.dll:!
8
%ProgramFiles%\Windows Defender\MpSvc.dll:!
8
*See JSON for more IOCs
File Hashes
See the accompanying JSON for the full list of file hashes.
Coverage (Product / Protection)
AMP / Yes
Cloudlock / N/A
CWS / Yes
Email Security / Yes
Network Security / N/A
Stealthwatch / N/A
Stealthwatch Cloud / N/A
Threat Grid / Yes
Umbrella / N/A
WSA / N/A
Screenshots of Detection: AMP

Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (47418)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected - (522)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode in a global Atom, then accessing it through an Asynchronous Procedure Call (APC). The target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Process hollowing detected - (244)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled with the unpacked contents from the parent instead.
Kovter injection detected - (196)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark, or a sandbox environment, and report this to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (99)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (90)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
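The check behind this event, as an added example (not Cisco's or Talos's code): it scans constructed process-creation records for PowerShell launches whose command line is over-long or carries an -EncodedCommand blob, decodes the blob for triage, looks for common obfuscation markers, and notes when the parent is an Office application (the macro-document delivery path described for Remcos and Emotet above). The record format, the length threshold, the marker list and the sample records are this example's assumptions.

```python
"""Flag PowerShell launches whose command line is unusually long or carries an
encoded command.  Added example, not Cisco/Talos code: the record format, the
threshold and the marker list are assumptions; the sample records are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LENGTH_THRESHOLD = 1000          # assumed; baseline it against your own fleet
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings that often appear in obfuscated or staged scripts (assumed list).
OBFUSCATION_MARKERS = ("frombase64string", "-join", "[char]", "`", "invoke-expression")

# Constructed records: "<time> <parent> -> <image> :: <command line>".
_ENC_BLOB = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")
_LONG_ARG = "$s = '" + "x" * 1100 + "'; Write-Output $s.Length"
SAMPLE_LOG = [
    "2019-11-05T10:01:02 explorer.exe -> powershell.exe :: powershell.exe -NoProfile -Command Get-Date",
    "2019-11-05T10:02:10 winword.exe -> powershell.exe :: powershell.exe -w hidden -enc " + _ENC_BLOB,
    "2019-11-05T10:03:33 cmd.exe -> powershell.exe :: powershell.exe -Command " + _LONG_ARG,
    "2019-11-05T10:04:00 services.exe -> svchost.exe :: svchost.exe -k netsvcs",
]

_LINE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+)\s+::\s+(.*)$")


@dataclass
class Finding:
    line_no: int
    length: int
    reasons: List[str]
    decoded: Optional[str] = None


def parse_record(line: str) -> Tuple[str, str, str]:
    """Split one record into (parent image, image, command line)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m.group(1).lower(), m.group(2).lower(), m.group(3)


def find_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match the switch by prefix rather than by one spelling."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok.startswith("-") and name and "encodedcommand".startswith(name):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_record(line_no: int, line: str) -> Optional[Finding]:
    parent, image, cmdline = parse_record(line)
    if image not in POWERSHELL_IMAGES:
        return None
    reasons: List[str] = []
    decoded = None
    if len(cmdline) > LENGTH_THRESHOLD:
        reasons.append(f"command line length {len(cmdline)} exceeds {LENGTH_THRESHOLD}")
    blob = find_encoded_command(cmdline)
    if blob is not None:
        decoded = decode_encoded_command(blob)
        reasons.append("encoded command" + ("" if decoded else " (undecodable)"))
    # Check both the raw command line and the decoded script, if any.
    text = cmdline.lower() + " " + (decoded or "").lower()
    hits = [m for m in OBFUSCATION_MARKERS if m in text]
    if re.search(r"\biex\b", text):
        hits.append("iex")
    if hits:
        reasons.append("obfuscation markers: " + ", ".join(hits))
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return Finding(line_no, len(cmdline), reasons, decoded) if reasons else None


def scan(records: List[str]) -> List[Finding]:
    findings = []
    for n, line in enumerate(records, 1):
        finding = inspect_record(n, line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"record {f.line_no}: {'; '.join(f.reasons)}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

The benign first record is not flagged, which is the point of combining signals: length alone or an Office parent alone is noisy, so the reasons list lets an analyst rank findings rather than alert on every PowerShell launch.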
Gamarue malware detected - (89)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Fusion adware detected - (43)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
Reverse http payload detected - (33)
An exploit payload intended to connect back to an attacker-controlled host over HTTP has been detected.
Dealply adware detected - (31)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.