Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not indicate maliciousness.
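The caveat above, that one indicator is not a verdict, is easy to operationalize: require hits from more than one IOC category before flagging a host. The script below is an added example and is not part of the Talos post. It copies a handful of Nymaim and Trickbot indicators from the tables further down, refangs the `[.]` notation, expands the `%TEMP%`-style path templates and `<HKCU>` hive placeholders, and then scores host telemetry. The three hosts and the event schema (`host`, `type`, `value`) are constructed for illustration, not real data.

```python
"""Corroborated IOC matching over host telemetry.

Added example, not code from the Talos roundup. The indicator dictionary
copies a few entries from the Nymaim and Trickbot tables in this post; the
host events are CONSTRUCTED, and the event schema is an assumption about
what an EDR export looks like.
"""
import json
import re
from collections import defaultdict

# Indicators copied from the post, defanged exactly as published.
IOC_JSON = r'''
{
  "Win.Downloader.Nymaim-7391562-0": {
    "mutex": ["Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}"],
    "registry": ["<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK", "<HKCU>\\SOFTWARE\\MICROSOFT\\KPQL"],
    "file": ["%ProgramData%\\ph\\eqdw.dbc", "%TEMP%\\gocf.ksv"],
    "domain": ["sqmgdts[.]net", "wneeuc[.]in"]
  },
  "Win.Malware.Trickbot-7394707-1": {
    "mutex": ["Global\\316D1C7871E10"],
    "file": ["%APPDATA%\\cmdcache\\settings.ini", "%System32%\\Tasks\\Command cache application"],
    "domain": ["checkip[.]amazonaws[.]com", "ident[.]me"]
  }
}
'''

# CONSTRUCTED telemetry: one fully infected host, one that only resolved a
# public IP-check service, one with two Trickbot artefacts.
HOST_EVENTS = [
    {"host": "WS-0412", "type": "mutex", "value": r"Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}"},
    {"host": "WS-0412", "type": "registry", "value": r"HKEY_CURRENT_USER\Software\Microsoft\gocfk"},
    {"host": "WS-0412", "type": "file", "value": r"C:\ProgramData\ph\eqdw.dbc"},
    {"host": "WS-0412", "type": "domain", "value": "SQMGDTS.NET"},
    {"host": "WS-0777", "type": "domain", "value": "checkip.amazonaws.com"},
    {"host": "WS-0900", "type": "mutex", "value": r"Global\316D1C7871E10"},
    {"host": "WS-0900", "type": "file", "value": r"C:\Windows\System32\Tasks\Command cache application"},
]

HIVES = {"<HKCU>": "HKEY_CURRENT_USER", "<HKLM>": "HKEY_LOCAL_MACHINE", "<HKU>": "HKEY_USERS"}


def refang(value):
    """Undo the [.] defanging used in the post."""
    return value.replace("[.]", ".")


def normalize(category, value):
    """Canonical form for exact-match categories (registry, domain, mutex)."""
    value = refang(value)
    if category == "registry":
        for short, full in HIVES.items():
            value = value.replace(short, full)
        return value.upper()            # registry paths are case-insensitive
    if category == "domain":
        return value.lower().rstrip(".")
    return value                         # mutex names are case-sensitive


def path_pattern(template):
    """Turn '%TEMP%\\gocf.ksv' into a regex where each %VAR% matches any prefix."""
    parts = re.split(r"(%[A-Za-z0-9]+%)", template)
    body = "".join(".+?" if p.startswith("%") and p.endswith("%") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def build_index(ioc_json):
    exact = defaultdict(set)      # (category, canonical value) -> {threat names}
    patterns = []                 # (threat name, compiled path regex)
    for threat, categories in json.loads(ioc_json).items():
        for category, values in categories.items():
            for value in values:
                if category == "file":
                    patterns.append((threat, path_pattern(value)))
                else:
                    exact[(category, normalize(category, value))].add(threat)
    return exact, patterns


def match_events(events, exact, patterns):
    """host -> threat -> set of IOC categories that hit."""
    hits = defaultdict(lambda: defaultdict(set))
    for ev in events:
        category, value, host = ev["type"], ev["value"], ev["host"]
        if category == "file":
            for threat, pat in patterns:
                if pat.match(value):
                    hits[host][threat].add("file")
        else:
            for threat in exact.get((category, normalize(category, value)), ()):
                hits[host][threat].add(category)
    return hits


def corroborated(hits, min_categories=2):
    """Keep only (host, threat) pairs backed by at least min_categories distinct IOC types."""
    verdict = {}
    for host, threats in hits.items():
        strong = {t: sorted(c) for t, c in threats.items() if len(c) >= min_categories}
        if strong:
            verdict[host] = strong
    return verdict


if __name__ == "__main__":
    exact, patterns = build_index(IOC_JSON)
    for host, threats in corroborated(match_events(HOST_EVENTS, exact, patterns)).items():
        print(host, threats)
```

With the default threshold the host that only looked up checkip.amazonaws.com is left out of the verdict, although its single hit stays in the raw `hits` map for analysts who want to pivot on it; raise `min_categories` or weight categories (a mutex from the table is far more specific than a public IP-check domain) to suit the environment.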
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Downloader.Nymaim-7391562-0 | Downloader | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to produce candidate command and control (C2) domains, which it contacts to retrieve additional payloads.
Win.Trojan.Bunitu-7394346-0 | Trojan | Bunitu is malware that establishes a persistent foothold on an infected machine and then turns it into a proxy for criminal VPN services.
Win.Malware.Trickbot-7394707-1 | Malware | Trickbot is a banking trojan that targets sensitive information for select financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders, such as VB scripts, for delivery.
Win.Worm.Vobfus-7395002-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it launches when the system boots. Once installed, it attempts to download follow-on malware from its C2 server.
Win.Malware.DarkComet-7395004-1 | Malware | DarkComet and related variants are a family of RATs designed to give an attacker control over an infected system. Capabilities include downloading files from the victim's machine, mechanisms for persistence and hiding, and sending back usernames and passwords from the infected system.
Win.Ransomware.Cerber-7395321-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware replaced files with encrypted versions and added the file extension ".cerber," although in more recent campaigns this is no longer the case.
Win.Dropper.Remcos-7395733-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments in malicious emails.
Win.Dropper.Tofsee-7402230-0 | Dropper | Tofsee is multipurpose malware with several modules used to carry out malicious activities such as sending spam, conducting click fraud, and mining cryptocurrency. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam in an effort to infect additional systems and grow the botnet under the operator's control.

Threat Breakdown

Win.Downloader.Nymaim-7391562-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
25
Mutexes | Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{0F53A50D-AEA8-402A-580B-3C32A490301E} 25
Local\{42FDAA48-39A4-4464-9CC4-6F1A48111B12} 25
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
sqmgdts[.]net 25
wneeuc[.]in 25
jiwlzenl[.]com 25
zgzaztmi[.]com 25
amkqrprvei[.]com 25
srbhfbemi[.]pw 25
yoekgdnoyej[.]in 25
scwafgfxlr[.]net 25
grnorxacnw[.]com 25
futzruakw[.]pw 25
dhcfsfxgb[.]net 25
lmgsmlhidh[.]net 25
fpmuefeozs[.]in 25
wjpbf[.]net 25
yfuoixdwjxpy[.]pw 25
sqwpuwoq[.]net 25
wqjlwcnqbe[.]com 25
tjjqmo[.]net 25
bsztb[.]in 25
gmznk[.]com 25
cejwtluei[.]com 25
rejfedtcd[.]net 25
uktldpj[.]com 25
aanpolaayjm[.]net 25
rdipde[.]com 25

*See JSON for more IOCs

Files and/or directories created | Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25
%TEMP%\fro.dfx 24
%TEMP%\npsosm.pan 24
\Documents and Settings\All Users\pxs\dvf.evp 24
\Documents and Settings\All Users\pxs\pil.ohu 24

File Hashes

009c5d8c565ffc008a15040f7c1ce30a65321089606ad3e6e711e715e65ed5d3
043fd8c728078e4cc3402b65d216e224a482532faaa18dff9ce7baea068666a6
0c6cf23450cb8d2f982780d0b63b32f84c4cef5ed035b336198cfab945d7222f
0e2c7c4988f5d6b83aa46bfaec967e409310588fb31d41aaf752cd0cd1f61e07
159157544afea2dae4868b345f3ace9dbb3946dcdb051afda1f9d3de43b84b5b
27992098e220360f3a5896812a077ba611dce6936c7d8a93a8851b9498534483
2f625f48f37cc6d9ad56bf49690f578d345ca7938750614fce45a6db3ea94ee2
3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4
3dccca8f309ddb9675ef1099afa48c99259af991603ffe82a83ad9516b5742f3
5c3ad5d944eb5911e73ced27779e8ecb6a555c64ace076998018e313c058c128
630b0e5f46a932762b7e569f0785e163db04a5e482a1b2c2469343439cd5f004
689c22dc80615221d5c64720f599a33eaa093e27aabcd89191fa446d5dcc8463
75d8010dab02726e712f1ba1cba34ae48d3aabf897c22caf258a552282c7cfa3
776186df1d180131e8272e9bed1901a10156c3f12adacd904b8023fe5f164b22
8837d607c0bf29f0855967de0cb3ac6e36c6418786e693dbcb92cce0addef532
8ad6d601b0d1e03dda4b01708e40fcbcc66e610c2b848f1662b26d70aa358cf6
8b75cc8eeff51a02702262472039bda60c892e0beba4f76d5b3262f1c1482081
8cb66655a63b931fd20483d5b347756980e2a5f1d70a66fb84819b1a10c82722
9c79e22684603ef09d8939a72827d9e39478e2583740f55d4a5f676a4d1cd30c
a02dc770b986b1360c6534907f5c9ad368f7810da498a6df1e2bedd665db75ef
a0977a0743fd97773d06407074172e2e763d5306310075b301833454204fecce
a2eef697284f59a4306ad79669dcb9c1e095595cbf52a73a6775e90a34c790c4
a94e7042aea0920a02775452ec9f05ab07b7ae60a7c9466a2ce8eb8b5e40b428
aaa24779cd52e2685d6646ac379a1c102b8811f1d969e16c2d6b358d00a147ec
ad3f4bd490dd4134e099d505123e528f858463a7e17989c258516c7d24ac3836

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


Win.Trojan.Bunitu-7394346-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\system32\rundll32.exe
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI
Value Name: Impersonate
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI
Value Name: Asynchronous
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI
Value Name: MaxWait
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI
Value Name: DllName
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI
Value Name: Startup
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: daoemni
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI
Value Name: Impersonate
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI
Value Name: Asynchronous
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI
Value Name: MaxWait
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI
Value Name: DllName
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI
Value Name: Startup
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: daomni
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG
Value Name: Impersonate
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG
Value Name: Asynchronous
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG
Value Name: MaxWait
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG
Value Name: DllName
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\OMNILG
Value Name: Startup
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: omnilg
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: syncfx
1
Mutexes | Occurrences
qazwsxedc 26
A9ZLO3DAFRVH1WAE 25
I106865886KMTX 25
IGBIASAARMOAIZ 25
J8OSEXAZLIYSQ8J 25
LXCV0IMGIXS0RTA1 25
TXA19EQZP13A6JTR 25
VSHBZL6SWAG0C 25
A9MTX7ERFAMKLQ 25
3G1S91V5ZA5fB56W 1
8AZB70HDFK0WOZIZ 1
NHO9AZB7HDK0WAZMM 1
PJOQT7WD1SAOM 1
PSHZ73VLLOAFB 1
VHO9AZB7HDK0WAZMM 1
VRK1AlIXBJDA5U3A 1
<random, matching '[A-Z0-9]{14}'> 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
209[.]85[.]144[.]100 25
172[.]217[.]7[.]206 21
66[.]199[.]229[.]251 21
62[.]75[.]222[.]235 21
95[.]211[.]230[.]86 16
5[.]104[.]230[.]200 5
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
w[.]topfealine[.]com 20
l[.]topfealine[.]com 14
w[.]netzsoflow[.]net 5
n[.]netzsoflow[.]net 5
Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 19
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 19
%LOCALAPPDATA%\daoemni.dll 11
%LOCALAPPDATA%\daomni.dll 9
%HOMEPATH%\Local Settings\Application Data\daoemni.dll 9
%HOMEPATH%\Local Settings\Application Data\daomni.dll 7
%LOCALAPPDATA%\omnilg.dll 5
%HOMEPATH%\Local Settings\Application Data\omnilg.dll 5

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


Win.Malware.Trickbot-7394707-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
3
Mutexes | Occurrences
Global\316D1C7871E10 26
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
117[.]196[.]233[.]100 10
94[.]156[.]144[.]74 5
78[.]24[.]219[.]9 5
45[.]224[.]214[.]34 4
103[.]219[.]213[.]102 3
212[.]80[.]218[.]144 3
216[.]239[.]32[.]21 2
62[.]109[.]22[.]2 2
107[.]173[.]240[.]221 2
144[.]91[.]80[.]253 2
51[.]89[.]115[.]110 2
176[.]58[.]123[.]25 1
116[.]203[.]16[.]95 1
52[.]55[.]255[.]113 1
69[.]195[.]159[.]158 1
177[.]154[.]86[.]145 1
66[.]85[.]173[.]57 1
5[.]182[.]210[.]254 1
117[.]255[.]221[.]135 1
185[.]222[.]202[.]25 1
195[.]123[.]220[.]155 1
117[.]206[.]149[.]29 1
170[.]84[.]78[.]224 1
91[.]108[.]150[.]213 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ident[.]me 1
myexternalip[.]com 1
ip[.]anysrc[.]net 1
ipecho[.]net 1
checkip[.]amazonaws[.]com 1
wtfismyip[.]com 1
Files and/or directories created | Occurrences
%APPDATA%\cmdcache 26
%APPDATA%\cmdcache\счв.exe 26
%System32%\Tasks\Command cache application 26
%ProgramData%\счв.exe 26
%APPDATA%\cmdcache\data 26
%APPDATA%\cmdcache\settings.ini 26
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 25
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 25

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


Win.Worm.Vobfus-7395002-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU 26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
Value Name: NoAutoUpdate
26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ciiti
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: supej
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zauuca
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yxyom
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wznoid
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qousu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jiigio
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bmjiif
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ryhiy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: caodaap
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: viean
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: beoal
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fiiisep
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fuafoop
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: juuso
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: peaceit
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mbnur
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zoelie
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: teuemar
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jomol
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: yiozaot
1
Mutexes | Occurrences
A 26
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]11[.]56[.]48 26
46[.]166[.]182[.]115 13
37[.]48[.]65[.]148 11
64[.]32[.]8[.]67 7
207[.]244[.]67[.]214/31 4
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ns1[.]anytime2[.]net 26
ns1[.]anytime3[.]net 26
ns1[.]anytime3[.]org 26
ns1[.]anytime2[.]com 26
ns1[.]anytime4[.]com 26
ns1[.]anytime2[.]org 26
ns1[.]anytime1[.]net 26
ns1[.]anytime1[.]org 26
ns1[.]anytime1[.]com 26
Files and/or directories created | Occurrences
\autorun.inf 26
\System Volume Information.exe 26
\$RECYCLE.BIN.exe 26
\Secret.exe 26
\Passwords.exe 26
\Porn.exe 26
\Sexy.exe 26
E:\autorun.inf 26
E:\$RECYCLE.BIN.exe 26
E:\Passwords.exe 26
E:\Porn.exe 26
E:\Secret.exe 26
E:\Sexy.exe 26
E:\System Volume Information.exe 26
E:\x.mpeg 26
%HOMEPATH% 26
%HOMEPATH%\Passwords.exe 26
%HOMEPATH%\Porn.exe 26
%HOMEPATH%\Secret.exe 26
%HOMEPATH%\Sexy.exe 26
%HOMEPATH%\c 26
%HOMEPATH%\c\Passwords.exe 26
%HOMEPATH%\c\Porn.exe 26
%HOMEPATH%\c\Secret.exe 26
%HOMEPATH%\c\Sexy.exe 26

*See JSON for more IOCs
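Vobfus's drive-root artefacts in the table above (an autorun.inf, executables named after the root's own folders such as System Volume Information.exe and $RECYCLE.BIN.exe, and lure names such as Passwords.exe) can be triaged from any host that mounts the stick, without executing anything. The script below is an added example, not code from the Talos post: it parses autorun.inf for launch directives and lists impersonating and lure executables. The fixture it builds is constructed to mirror the E:\ entries listed above; the autorun.inf contents are an assumption, since the post does not show them, and treating any .exe named after a sibling folder as an impersonator generalises beyond the two folder names the table lists.

```python
"""Removable-drive triage for autorun worms of the Vobfus type.

Added example, not code from the Talos roundup. It checks a volume root for
the artefacts this post lists for Vobfus: an autorun.inf that launches
something, executables named after the root's own folders, and the lure
names. The drive layout built by build_fixture() is CONSTRUCTED, including
the autorun.inf contents, which the post does not show.
"""
import tempfile
from pathlib import Path

LURE_NAMES = {"secret.exe", "passwords.exe", "porn.exe", "sexy.exe"}   # names from the post
SYSTEM_FOLDERS = {"system volume information", "$recycle.bin"}          # Windows' own root folders
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return whatever the [autorun] section asks Windows to launch."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in AUTORUN_KEYS:
                targets.append(value.strip().strip('"'))
    return targets


def scan_volume_root(root):
    """Classify the root of a mounted volume; never executes anything on it."""
    root = Path(root)
    findings = {"autorun_targets": [], "folder_impersonators": [], "lures": []}
    autorun = root / "autorun.inf"
    if autorun.is_file():
        findings["autorun_targets"] = sorted(set(parse_autorun(autorun.read_text(errors="replace"))))
    for p in root.iterdir():
        if not p.is_file() or p.suffix.lower() != ".exe":
            continue
        # Generalisation beyond the post: any .exe named after a sibling folder counts as an impersonator.
        if p.stem.lower() in SYSTEM_FOLDERS or (root / p.stem).is_dir():
            findings["folder_impersonators"].append(p.name)
        elif p.name.lower() in LURE_NAMES:
            findings["lures"].append(p.name)
    findings["folder_impersonators"].sort()
    findings["lures"].sort()
    findings["suspicious"] = any(findings[k] for k in ("autorun_targets", "folder_impersonators", "lures"))
    return findings


def build_fixture(root):
    """CONSTRUCTED layout mirroring the E:\\ entries in the Vobfus table (plus benign noise)."""
    root = Path(root)
    for folder in ("System Volume Information", "$RECYCLE.BIN", "Holiday"):
        (root / folder).mkdir()
    for exe in ("Secret.exe", "Passwords.exe", "Porn.exe", "Sexy.exe",
                "System Volume Information.exe", "$RECYCLE.BIN.exe", "Holiday.exe", "installer.exe"):
        (root / exe).write_bytes(b"MZ")          # placeholder bytes, not a real sample
    (root / "x.mpeg").write_bytes(b"\x00")
    # The directives below are an assumption; the post lists autorun.inf but not its contents.
    (root / "autorun.inf").write_text("[autorun]\r\nopen=Secret.exe\r\nshell\\open\\command=Secret.exe\r\nicon=x.mpeg\r\n")


def demo():
    """Scan the constructed infected layout and a clean one; return both findings."""
    with tempfile.TemporaryDirectory() as d:
        build_fixture(d)
        infected = scan_volume_root(d)
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "notes.txt").write_text("clean drive")
        clean = scan_volume_root(d)
    return infected, clean


if __name__ == "__main__":
    for label, result in zip(("infected", "clean"), demo()):
        print(label, result)
```

Because the scan only reads names and autorun.inf, it is safe to run on a mounted drive from a triage host with AutoPlay disabled; the registry side of Vobfus (ShowSuperHidden, NoAutoUpdate and the per-sample Run value) is a host-side check and is not covered here.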

File Hashes

0114132de55fe3391d2ffe1eb2235af64538e704a5d39a7c12a5242b26feff60
024c44316844dd33ee87876a1acf6b823b30f97b8f9b2aa593289df21b0ec1d7
056bf3cca6f0cd4e41ad01e0eb4700bee0271c2bb3334642784920529e2554de
07ee7ffcf647257d1293ad9826c82fc09398f657092c25b21169f87fa5a7c9d4
08169078f447a9671714276fd75f906cd349fb720001a77d78bef56b9e35a233
081aabf461e76026a4b5ce622d7dea97bd5c69bd7f6291bc69325ee9e1b2478b
082ee719168ea7be341b1303d4e62fe30007af27470e269a63aa0b1098e7d488
084b2c416ebeb7c01a099604458bc0851f1e1e8b2f230522898cf4084c803f15
0a1e200b0c26beab5775cfa61c2639ea27157e46781e70cbd78a4b19232b632b
0ad7fb766799dd2f438ba70821e2c7f6b2e08c524fd750b34a6209ab8ac3d480
0b11ae767b606de45c93913ce84153b226eae42d035871a9955f19c4cbb46c7a
0bf91f7b0d81a825f042006243db69eb23d52726c19b335ad42e188c53616d99
0c5f7e0d447a0f9445888ba803a9c6bb223bdee7d982be2f833d6184e754b7b0
0e323827671fd25c7f89c594618623916a4dc60221f405a3f2bf7df0275e4e0d
0eb69de315990b07cdc4e6472f7b1a178412d9730766fddb596bddf5b2576ed1
1396cae157a806641cb34122f34c22b4dc995028686f6a082725e4e335e60aed
13a7e9c873e5e108d28acca607b1689f391c1036db6d977f8602908046ca4739
148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5
156452ee7c520ac7ef66233c06b2d9bb8faa3c119e9ae697a53695a7f10c3fa3
15b5879a31b9e41872a13caefbff2bc7e4b672beb19a6fbc3c5b5a38774cc13d
16fa24d44c523e35c4c37fc149647d7e6c21d090a047127fc8d68fc6b9ad8a42
1713907f8ca3dc61f966a367d1d65a4dc13e525fc8ce091b2147d3665a3c0c23
193491d849129d8286edd480622bbe6da83f551d6cd8d3eb16c3cc38c21eeacb
1a59da8f0388e798d4ade89f7c880166b72ad576cc87a883568d614df2d0529d
1b1de63ef24f88d5350acd0909ed76b0ee71c7fa327a715bb1ae554feb33837b

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


Win.Malware.DarkComet-7395004-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Driver
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RealtekHD
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
Mutexes | Occurrences
DC_MUTEX-RL28VNV 3
DCMUTEX 1
DC_MUTEX-JG8JLJL 1
DC_MUTEX-M79BVMN 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
lolmands[.]chickenkiller[.]com 4
Files and/or directories created | Occurrences
%APPDATA%\MSDCSC 7
%APPDATA%\MSDCSC\driver 7
%APPDATA%\dclogs 4
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC 3
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\RealtekHD.exe 3
\Documents and Settings\All Users\Start Menu\MSDCSC\RealtekHD.exe 3
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe 2
%HOMEPATH%\Documents\MSDCSC 2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%TEMP%\RESIM 1.PNG 1
%TEMP%\~PI26.tmp 1
%TEMP%\~PI85.tmp 1

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


Win.Ransomware.Cerber-7395321-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 16
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: api-PQEC
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
3
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}
3
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
2
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 16
shell.{<random GUID>} 11
{<random GUID>} 5
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 3
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 3
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 3
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
178[.]128[.]255[.]179 16
178[.]33[.]158[.]0/27 16
178[.]33[.]159[.]0/27 16
178[.]33[.]160[.]0/25 16
104[.]24[.]104[.]254 13
104[.]24[.]105[.]254 11
34[.]206[.]50[.]228 8
54[.]164[.]0[.]55 6
208[.]67[.]222[.]222 3
172[.]217[.]7[.]206 2
86[.]105[.]1[.]11 2
172[.]217[.]11[.]46 1
46[.]165[.]221[.]154 1
91[.]195[.]240[.]13 1
195[.]201[.]179[.]207 1
192[.]3[.]8[.]218 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]blockcypher[.]com 16
bitaps[.]com 16
chain[.]so 16
btc[.]blockr[.]io 16
bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com 11
resolver1[.]opendns[.]com 3
222[.]222[.]67[.]208[.]in-addr[.]arpa 3
myip[.]opendns[.]com 3
wdwefwefwwfewdefewfwefw[.]onion 2
ahrkvtgc[.]com 1
fhvkufnnrlyfvx[.]com 1
shebkucvrunporc[.]com 1
hd63ueor8473y[.]com 1
qegdtnvuanlyid[.]com 1
gcijrxipe[.]com 1
ogltynjmtfiu[.]com 1
rlkeqcsygmmglv[.]com 1
wglxvkpybhnxhfv[.]com 1
aynycxbgodmwi[.]com 1
uahvwkjphhklqigod[.]com 1
en[.]voltster12v[.]com 1
cloud[.]pathwaystopromise[.]info 1
Files and/or directories created | Occurrences
%TEMP%\d19ab989 16
%TEMP%\d19ab989\4710.tmp 16
%TEMP%\d19ab989\a35f.tmp 16
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 16
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 16
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt 16
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta 16
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 11

File Hashes

00fd6d5030b6f36f2acef17f933bf87a5e83104e86edc18467318362fe41bda0
0db052f343bb2c323603fd34eea55262f5448450feaf0dbb03e77da1d1da204e
1beb4d8646023322d8eefba6bee5d899f375bd099050367e8af5321eda512db5
1e78866a82b6016b280f4935ab6aa8e6d59456c5fdb4900ef456cb6216fba878
2766aa41ce912acac61bc342873b1d016c016780600846b77ccee98eaea0a0c1
316c4f6ce0478622772c16aa1821297569a27d52a8ab65262bc1702e864d3cff
367afe107f332d7fd9676b75a76624a2378758104316278a28984ba1815073b2
36bee89b83bc3b628abb726b4530a7fda8b86448594543532ec303f659cd1c1d
36f70b90e9ef4c34440e13c064d05dc0996debd74a7361109532bfda65108ab6
382d8c432cf11339a41b6c0371a226b7567620c6440b0ebdf7dc1610db4ec3c4
38bc3877ec4f87307ccb3d23dc7ea58b117fccfa1ccba938fa9dcff4bb956fe2
4a2803f8ddf258eb4d41ff15f617307cc6eda54bd4e635b0314c9706cff9007e
4b9c203a3f4a7129d0701c5f3e8266d217c836b497c7acf762ad7f8eab508349
4bf2851749232054a7f08faa294520d3bf372b84eb5d20707add176acb1e9aa6
54852be80e90db1d2550128bdf82028befcdf1340da2a1add061e7f6027eb272
552a32a57b59b7498a79f187d2cbfdf7c797395024392b7f76d7b1fff94fea8b
576a3ddc924aea581818f397bca1fe1a3788f892d81b8a2287c03566bc7e6242
5d2e3adf40ec1ae0f6032213a8bb27be9eaf5ae99a6f09239088e8c47944ed02
7275da6b777a1c5c9392766d7fec3c4f0b07e93af161d11b7da000e6157178b0
73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001
7420f8c4f266ebd29b867ef980309bfe8a1d8845f7683e6f8db734c5812eb5e8
89fc2e256c70fb0235ebb0a9daa3f096ba7722fd06b7b0866a1e87b1ea003f79
a04e9bf2aed6eef853c5a5f2ce6131963cb7cd15971c02e6f2afa18846737e74
a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c
ad4a8230c0a8d5deb3d8253ef0e2a9c41531eb1560e538ef8cb1a5ff56e7cb27

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


Umbrella


Malware



Win.Dropper.Remcos-7395733-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS 24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\MYIMGAPP 24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\MYIMGAPP\RECENT FILE LIST 24
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\MYIMGAPP\SETTINGS 24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Snk
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Snk
19
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT
Value Name: exepath
19
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT
Value Name: licence
19
<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT 19
<HKCU>\SOFTWARE\NETWIRE 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MServices
1
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId
1
<HKCU>\SOFTWARE\NETWIRE
Value Name: Install Date
1
Mutexes | Occurrences
Remcos_Mutex_Inj 19
XLR4615DFT-CRBSFT 19
IMYGdLWM 1
Global\00430b21-08fc-11ea-a007-00501e3ae7b5 1
Global\006bff81-08fc-11ea-a007-00501e3ae7b5 1
Global\03cef101-08fc-11ea-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
186[.]170[.]64[.]85 17
186[.]170[.]70[.]152 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
proyectobasevirtualcol[.]com 19
recuperaciondecartera[.]website 1
Files and/or directories created | Occurrences
%TEMP%\install.vbs 19
%APPDATA%\System32 19
%APPDATA%\System32\Snk.exe 19
%APPDATA%\Runtime3 19
%APPDATA%\Runtime3\1627.dat 19
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 15
%TEMP%\8D6B.dmp 1
%TEMP%\8adb_appcompat.txt 1
%APPDATA%\Install 1
%APPDATA%\Install\MServicesNet.exe 1

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


Win.Dropper.Tofsee-7402230-0

Indicators of Compromise

Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX
Value Name: Description
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC
Value Name: ErrorControl
1
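The registry indicators in this roundup are more useful as behavioural rules than as exact-match strings, because the subkey and value names change per sample (daoemni, daomni, omnilg for Bunitu; ibpvucix, exlrqyet, nguazhnc for Tofsee). What stays constant is the location and the effect: Bunitu's Winlogon\Notify DllName and its rundll32.exe entry in the firewall's AuthorizedApplications list, DarkComet's Userinit rewrite, Vobfus's NoAutoUpdate, Cerber's Security Center overrides, EnableLUA and the Start values of WinDefend, wscsvc, MpsSvc and wuauserv, and Tofsee's Windows Defender path exclusions. The code below is an added example, not code from the Talos post; it runs such rules over Sysmon Event ID 13 (registry value set) records. The sample events are constructed, and the value data they carry (DWORD 4 for a disabled service, a DLL path under AppData) is an assumption, since the post lists the keys touched but not the data written to them.

```python
"""Behavioural registry rules over Sysmon Event ID 13 (RegistryEvent: value set).

Added example, not code from the Talos roundup. The rules encode the
persistence and defence-evasion registry writes listed in this post's Bunitu,
DarkComet, Vobfus, Cerber and Tofsee tables. SAMPLE_EVENTS is CONSTRUCTED:
image paths and value data are assumptions, laid out the way Sysmon renders
TargetObject (key\\value name) and Details.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    target: re.Pattern                               # applied to TargetObject
    details: Optional[Callable[[str], bool]] = None  # optional check on the data written


def dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000004)'; return the int or None."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

RULES = [
    # Bunitu: Winlogon\Notify\<name>\DllName loads a DLL into winlogon.exe at logon.
    Rule("winlogon_notify_dll", re.compile(r"\\Winlogon\\Notify\\[^\\]+\\DllName$", re.I)),
    # DarkComet: Userinit rewritten to chain a second executable after userinit.exe.
    Rule("winlogon_userinit_tampered", re.compile(r"\\Winlogon\\Userinit$", re.I),
         lambda d: d.strip().rstrip(",").lower() != DEFAULT_USERINIT),
    # Bunitu: rundll32.exe added to the firewall's authorised application list.
    Rule("firewall_authorized_lolbin",
         re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List\\.*\\rundll32\.exe$", re.I)),
    # Cerber: Security Center notifications silenced.
    Rule("security_center_notify_disabled",
         re.compile(r"\\Security Center\\\w+(Override|DisableNotify)$", re.I), lambda d: dword(d) == 1),
    # Cerber: Defender / Security Center / firewall / Windows Update services set to Disabled (4).
    Rule("security_service_disabled",
         re.compile(r"\\Services\\(WinDefend|wscsvc|MpsSvc|wuauserv)\\Start$", re.I), lambda d: dword(d) == 4),
    # Cerber: UAC turned off.
    Rule("uac_disabled", re.compile(r"\\Policies\\System\\EnableLUA$", re.I), lambda d: dword(d) == 0),
    # Tofsee: Defender path exclusion for the dropped service binary.
    Rule("defender_exclusion_added",
         re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)),
    # Vobfus: automatic updates switched off by policy.
    Rule("windows_update_disabled", re.compile(r"\\WindowsUpdate\\AU\\NoAutoUpdate$", re.I),
         lambda d: dword(d) == 1),
    # Bunitu / Vobfus / DarkComet / Cerber / Remcos: Run value pointing into a user-writable directory.
    Rule("run_key_userwritable_path", re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I),
         lambda d: re.search(r"\\(AppData|Temp|ProgramData)\\", d, re.I) is not None),
]


def ev(image, target, details="", event_id=13):
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS = [  # CONSTRUCTED telemetry; value names come from the post, data and images are assumed
    ev(r"C:\Windows\System32\rundll32.exe",
       r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\daoemni\DllName",
       r"C:\Users\alice\AppData\Local\daoemni.dll"),
    ev(r"C:\Windows\System32\rundll32.exe",
       r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
       r"\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe",
       r"C:\Windows\system32\rundll32.exe:*:Enabled:rundll32"),
    ev(r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe",
       r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
       r"C:\Windows\system32\userinit.exe,C:\Users\alice\Documents\MSDCSC\msdcsc.exe"),
    ev(r"C:\Users\alice\AppData\Local\Temp\sample.exe",
       r"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start", "DWORD (0x00000004)"),
    ev(r"C:\Users\alice\AppData\Local\Temp\sample.exe",
       r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    ev(r"C:\Users\alice\AppData\Local\Temp\sample.exe",
       r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "DWORD (0x00000001)"),
    ev(r"C:\Users\alice\AppData\Local\Temp\sample.exe",
       r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JudCsgdy", r"C:\Users\alice\AppData\Roaming\JudCsgdy.exe"),
    ev(r"C:\Windows\SysWOW64\ibpvucix.exe",
       r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ibpvucix", "DWORD (0x00000000)"),
    # Benign noise: a manual-start service change and a vendor tray app under Program Files.
    ev(r"C:\Windows\System32\services.exe", r"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start", "DWORD (0x00000003)"),
    ev(r"C:\Program Files\Vendor\setup.exe", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
       r"C:\Program Files\Vendor\tray.exe"),
    ev(r"C:\Windows\regedit.exe", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", event_id=12),  # key create, ignored
]


def evaluate(events, rules=RULES):
    """Return (rule name, image, target) for every value-set event a rule accepts."""
    findings = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        for rule in rules:
            if rule.target.search(e["TargetObject"]) and (rule.details is None or rule.details(e.get("Details", ""))):
                findings.append((rule.name, e["Image"], e["TargetObject"]))
    return findings


def by_image(findings):
    """Group rule names per writing process; several distinct rules from one image is the strong signal."""
    grouped = {}
    for name, image, _ in findings:
        grouped.setdefault(image, set()).add(name)
    return {image: sorted(names) for image, names in grouped.items()}


if __name__ == "__main__":
    for image, names in by_image(evaluate(SAMPLE_EVENTS)).items():
        print(image, names)
```

The `by_image` grouping is the part worth keeping: a single Run value under AppData is common in legitimate software, but one process that also flips EnableLUA, disables WinDefend and silences Security Center, as the Cerber table shows, is not. Note the Defender exclusion rule fires on the value name alone, since Sysmon's TargetObject carries the excluded path; the data written is irrelevant there.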
Mutexes | Occurrences
{37529D08-A67E-40B3-B0F2-EB87331B47F5} 9
Global\<random guid> 7
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 1
A238FB802-231ABE6B-F2351354-74D8EB40-AEDEC6C4 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
239[.]255[.]255[.]250 3
69[.]55[.]5[.]250 3
216[.]239[.]36[.]21 3
172[.]217[.]12[.]196 3
104[.]47[.]2[.]33 3
46[.]4[.]52[.]109 3
43[.]231[.]4[.]7 3
213[.]209[.]1[.]129 3
104[.]47[.]1[.]33 3
192[.]0[.]47[.]59 3
194[.]25[.]134[.]8 3
144[.]160[.]235[.]143 3
216[.]40[.]42[.]4 3
188[.]125[.]72[.]73 3
85[.]114[.]134[.]88 3
46[.]28[.]66[.]2 3
78[.]31[.]67[.]23 3
188[.]165[.]238[.]150 3
93[.]179[.]69[.]109 3
176[.]9[.]114[.]177 3
104[.]47[.]45[.]33 2
47[.]43[.]18[.]9 2
31[.]13[.]65[.]174 2
192[.]36[.]171[.]203 2
54[.]184[.]154[.]83 2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa 3
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 3
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 3
mta5[.]am0[.]yahoodns[.]net 3
mx-eu[.]mail[.]am0[.]yahoodns[.]net 3
t-online[.]de 3
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 3
smtp-in[.]libero[.]it 3
whois[.]iana[.]org 3
libero[.]it 3
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net 3
yahoo[.]co[.]uk 3
whois[.]arin[.]net 3
eur[.]olc[.]protection[.]outlook[.]com 3
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 3
hotmail-com[.]olc[.]protection[.]outlook[.]com 3
microsoft-com[.]mail[.]protection[.]outlook[.]com 3
al-ip4-mx-vip1[.]prodigy[.]net 3
mx00[.]t-online[.]de 3
msa[.]hinet[.]net 3
msa-smtp-mx1[.]hinet[.]net 3
irina94[.]rusgirls[.]cn 3
anastasiasweety[.]rugirls[.]cn 3
beautyrus[.]cn 3
ipinfo[.]io 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 13
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 13
%System32%\Tasks\Intel Rapid 9
%APPDATA%\Intel Rapid 9
%APPDATA%\Intel Rapid\IntelRapid.exe 9
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk 9
%HOMEPATH%\Start Menu\Programs\Startup\IntelRapid.lnk 7
%TEMP%\CC4F.tmp 7
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 3
%APPDATA%\Microsoft\Crypto\RyukReadMe.html 1
%APPDATA%\Microsoft\Document Building Blocks\1033\14\RyukReadMe.html 1
%APPDATA%\Microsoft\Document Building Blocks\1033\RyukReadMe.html 1
%APPDATA%\Microsoft\Document Building Blocks\RyukReadMe.html 1
%APPDATA%\Microsoft\Excel\RyukReadMe.html 1
%APPDATA%\Microsoft\HTML Help\RyukReadMe.html 1
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\RyukReadMe.html 1
%APPDATA%\Microsoft\Internet Explorer\RyukReadMe.html 1
%APPDATA%\Microsoft\Internet Explorer\UserData\RyukReadMe.html 1
%APPDATA%\Microsoft\MMC\RyukReadMe.html 1
%APPDATA%\Microsoft\Office\Recent\RyukReadMe.html 1
%APPDATA%\Microsoft\Office\RyukReadMe.html 1
%APPDATA%\Microsoft\Outlook\RyukReadMe.html 1
%APPDATA%\Microsoft\PowerPoint\RyukReadMe.html 1
%APPDATA%\Microsoft\Proof\RyukReadMe.html 1
%APPDATA%\Microsoft\Protect\RyukReadMe.html 1

*See JSON for more IOCs
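The file IOCs above are written as templates: `%TEMP%`-style environment placeholders plus `<random, matching 'regex'>` markers for the variable parts. The following is an added example (not code from the Talos post) that turns a handful of those templates into regexes and runs them over a constructed file listing, so they can be hunted across a host instead of compared by eye. The environment expansions under `ENV_DEFAULTS` and every path in `SAMPLE_PATHS` are assumed sample values.

```python
import re

# A few of the templated entries from the "Files and/or directories created"
# list above (constructed sample; the full list is in the roundup's JSON).
IOC_TEMPLATES = [
    r"%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp",
    r"%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt",
    r"%APPDATA%\Intel Rapid\IntelRapid.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk",
    r"%TEMP%\<random, matching '[a-z]{4,9}'>.exe",
]

# Assumed expansions for the placeholders; on a real host these come from
# the profile being hunted, so substitute them per user.
ENV_DEFAULTS = {
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
    "%APPDATA%": r"C:\Users\alice\AppData\Roaming",
    "%HOMEPATH%": r"C:\Users\alice",
    "%System32%": r"C:\Windows\System32",
}

_RANDOM = re.compile(r"<random, matching '([^']*)'>")


def _expand(literal, env):
    """Replace %PLACEHOLDER% tokens in a literal path fragment."""
    for name, value in env.items():
        literal = literal.replace(name, value)
    return literal


def template_to_regex(template, env=ENV_DEFAULTS):
    """Compile one templated IOC path into a regex.

    Literal fragments match case-insensitively (NTFS paths are), while the
    embedded random-part classes keep the case the template gives them, so
    '[A-F0-9]{4,5}' does not accept lowercase hex.
    """
    parts, pos = [], 0
    for m in _RANDOM.finditer(template):
        parts.append("(?i:" + re.escape(_expand(template[pos:m.start()], env)) + ")")
        parts.append("(?:" + m.group(1) + ")")
        pos = m.end()
    parts.append("(?i:" + re.escape(_expand(template[pos:], env)) + ")")
    return re.compile("".join(parts))


def match_paths(paths, templates=IOC_TEMPLATES, env=ENV_DEFAULTS):
    """Return (path, template) pairs for every path that hits a template."""
    compiled = [(t, template_to_regex(t, env)) for t in templates]
    hits = []
    for path in paths:
        for template, rx in compiled:
            if rx.fullmatch(path):
                hits.append((path, template))
                break
    return hits


# Constructed file listing; a real hunt would feed a directory walk or an
# EDR file-event export through match_paths instead.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\3F2A.dmp",                 # hit: [A-F0-9]{4,5}
    r"C:\Users\alice\AppData\Local\Temp\3f2a.dmp",                 # miss: lowercase hex
    r"C:\Users\alice\AppData\Local\Temp\a1b_appcompat.txt",        # hit
    r"C:\Users\alice\AppData\Roaming\Intel Rapid\IntelRapid.exe",  # hit
    r"c:\users\ALICE\appdata\roaming\intel rapid\INTELRAPID.EXE",  # hit: case-insensitive literal
    r"C:\Users\alice\AppData\Local\Temp\update.exe",               # hit: [a-z]{4,9}
    r"C:\Users\alice\AppData\Local\Temp\setup123.exe",             # miss: digits in name
    r"C:\Windows\System32\notepad.exe",                            # miss
]

if __name__ == "__main__":
    for path, template in match_paths(SAMPLE_PATHS):
        print(f"{path}  <=  {template}")
```

A match on a single templated path is only a lead: the `.dmp` and `_appcompat.txt` entries in particular are names Windows error reporting produces for many crashing programs, which is why the list header says the entries do not by themselves indicate maliciousness.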

File Hashes

4a893b16147c2cd5df11b1f4df08eddc5505f0aafa9f58747ad0f89d53e65492
4b667f73da0fd2cf8b54efa73239e377c10111fd00e08b9ddaa2adee2a873576
4ee405168c9283d73e2ee5913b2c817b824c02e62b8af2750865dc9a6b7e1f4a
75504fa32f3c2e6c56120a26f6af451dc0c688cf1a1dcfe3f656152326ac3584
7acf0435afa75bdc00575208f16f21c0dec8c101fbcefe96836af71c4c628158
8909eeaeb9edc9b01bfae72a64e84b4589c1d2161debee40dd2ab5f5f0ec3858
89678ea136df0b80c0bd0620836624ff785540801ca1f5beec5e7ee76755b684
981a0821cf4b4992d07b5d74ec24a490f4dee396f8e05d66e85cf87809676fe6
9cf0bfd67b4f99bf1ba21175ef3803b18dc774772187b6eb0e610cdacf759cad
b8068519f39fb924188bb343eead3b327604a5a09dd3f51fe2486b90b85ac17b
bc720a574efb5d1a1a14489ca4d970cfe9d430f6001c2be09e4dc53d2c80b5cb
c03e1affd3cb95c110e931d5571cd5d6c8464af36ca1ce1a0114cd9c1eeedb21
d0b333bb1d8c6c153f91a3a5116a1f989c7759dc31f09008288aa720c65371b8
d0c67d3e0edfe1e0d835dbe5d6676c906c418877500b60044f91305d8b4b43ca
da58160abd6e306350ecb6647095970ea0dcbcddc1a5b6671b8575885482a824
dd684a06a5d8f00f3e2efb903898d5311d844eb460b7a6a2531f05c69ac56cbe
eadaf620c2eb15ad86a06b25ec32533e44b011cad86c9c02f4bdfae7c2e76b7e
ec912191e42a253522747774e1de1db3a4e9ce30942b5924518599e3e87c94be
ee5a58e36602b2dc16dc0dfa3b3152721ae46e8d13efe436ab647fff0d612a63
ef419240c15389367b533f498b688382d14c57f8befdda8ea6cd5393529e1590
f2f7ced6ea5d6924fcff354da88b905fda434d24b9e2ad4c6f4b5bee5d98b448
fac2a73ee76ccc941ea723ebb1e559c194676a7b5663e948a25a31487ff0193a

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

Umbrella


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (15989)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (760)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
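The "excessively long PowerShell command" signature above is straightforward to reproduce from process-creation telemetry. The following is an added example, not Cisco's detection logic, showing that check over a constructed set of process-creation records: it flags PowerShell processes whose command line exceeds a length threshold and, where the command line carries an `-EncodedCommand` payload, decodes it so the responder can read what was run. The `timestamp|image|command_line` record format, the 1000-character threshold, and every record in `SAMPLE_LOG` are assumptions for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold; baseline it against legitimate administrative
# PowerShell in your own environment before alerting on it.
LONG_CMDLINE_THRESHOLD = 1000

POWERSHELL_IMAGES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")

# -EncodedCommand is commonly abbreviated; this covers the usual spellings
# (assumption: not exhaustive). The payload is base64 of a UTF-16LE script.
_ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


@dataclass
class ProcessEvent:
    timestamp: str
    image: str
    command_line: str


@dataclass
class Alert:
    timestamp: str
    length: int
    decoded: Optional[str]  # decoded -EncodedCommand script, if one was present


def parse_events(lines: List[str]) -> List[ProcessEvent]:
    """Parse constructed 'timestamp|image|command_line' records."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        ts, image, cmd = line.split("|", 2)
        events.append(ProcessEvent(ts, image, cmd))
    return events


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent/malformed."""
    m = _ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_event(ev: ProcessEvent, threshold: int = LONG_CMDLINE_THRESHOLD) -> Optional[Alert]:
    """Alert when a PowerShell process carries an unusually long command line."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES or len(ev.command_line) <= threshold:
        return None
    return Alert(ev.timestamp, len(ev.command_line), decode_encoded_command(ev.command_line))


def scan(lines: List[str], threshold: int = LONG_CMDLINE_THRESHOLD) -> List[Alert]:
    """Run inspect_event over every record and collect the alerts."""
    alerts = []
    for ev in parse_events(lines):
        alert = inspect_event(ev, threshold)
        if alert:
            alerts.append(alert)
    return alerts


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records, not real telemetry. The long script is harmless padding
# so the length check, not the content, is what trips the alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LONG_SCRIPT = "Write-Output 'constructed benign padding'; " * 40  # about 1700 chars
SAMPLE_LOG = [
    "# timestamp|image|command_line",
    f"2019-11-18T09:00:01Z|{PS}|powershell.exe Get-Process",
    "2019-11-18T09:00:02Z|C:\\Windows\\System32\\notepad.exe|notepad.exe " + "x" * 1500,
    f"2019-11-18T09:00:03Z|{PS}|powershell.exe -NoProfile -Command \"{LONG_SCRIPT}\"",
    f"2019-11-18T09:00:04Z|{PS}|powershell.exe -NoProfile -enc {encode_command(LONG_SCRIPT)}",
    f"2019-11-18T09:00:05Z|C:\\Program Files\\PowerShell\\7\\pwsh.exe|pwsh.exe -enc {encode_command('Get-Date')}",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        preview = (a.decoded or "")[:60]
        print(f"{a.timestamp} len={a.length} encoded={a.decoded is not None} {preview!r}")
```

Only the two long PowerShell records alert; the long non-PowerShell command line and the short encoded one do not. Length alone is a noisy signal (software deployment tools and login scripts routinely produce long command lines), so in practice the alert is scoped by parent process and user, and the decoded script is what the analyst reviews.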
Process hollowing detected - (407)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (347)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
IcedID malware detected - (297)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
Gamarue malware detected - (183)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (104)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (60)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Emotet malware detected - (45)
Emotet is a banking Trojan that first appeared in the summer of 2014. It uses Automatic Transfer System (ATS) to steal money from a victim's bank account. The Trojan is distributed through spam that includes a malicious attachment or a link that downloads the Trojan. Emotet uses modules, downloaded by the original Trojan to grab Microsoft Outlook information, modify HTTP/HTTPS traffic and distribute spam. Once executed, it checks for virtual machine processes and injects code into the "Explorer.exe" process. Then it reaches out to its command network to download its modules, each of which can be run without the original loader.
Special Search Offer adware - (31)
Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.