Friday, January 10, 2020

Threat Roundup for January 3 to January 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 and Jan. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Trojan.Razy-7505643-0 | Trojan | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Tofsee-7492214-1 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet.
Win.Packed.Ursnif-7489213-0 | Packed | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.ZeroAccess-7489468-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
Win.Ransomware.TeslaCrypt-7501245-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Upatre-7491797-0 | Dropper | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.TrickBot-7490964-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Formbook-7491272-1 | Packed | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.


Threat Breakdown

Win.Trojan.Razy-7505643-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
11
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
3
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: goodsStartup key
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: goods
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE 1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mrke
1
Mutexes Occurrences
Global\14c64321-2d62-11ea-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%APPDATA%\pid.txt 3
%APPDATA%\pidloc.txt 3
%TEMP%\holdermail.txt 3
%TEMP%\holderwb.txt 3
%HOMEPATH%\desktop\product.pif 2
%TEMP%\bhv61AB.tmp 1
%TEMP%\bhv8DF6.tmp 1
%HOMEPATH%\Orkende 1
%HOMEPATH%\Orkende\Recomm.pif 1
%TEMP%\bhv5953.tmp 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Dropper.Tofsee-7492214-1

Indicators of Compromise

Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 192
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
175
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
68
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: WOW64
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ObjectName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Description
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: WOW64
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 192
%SystemRoot%\SysWOW64\config\systemprofile:.repos 192
%TEMP%\<random, matching '[a-z]{8}'>.exe 188
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 158
%HOMEPATH% 59
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 59
%SystemRoot%\SysWOW64\wpdjiqwl 11
%SystemRoot%\SysWOW64\lesyxfla 11
%SystemRoot%\SysWOW64\mftzygmb 10
%SystemRoot%\SysWOW64\piwcbjpe 10
%SystemRoot%\SysWOW64\zsgmltzo 10
%SystemRoot%\SysWOW64\yrflksyn 10
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 9

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Packed.Ursnif-7489213-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
18
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
18
Mutexes Occurrences
Local\https://vars.hotjar.com/ 18
Local\https://www.avast.com/ 18
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\www2.tmp 13
%TEMP%\www3.tmp 13
%TEMP%\www4.tmp 13
%HOMEPATH%\Favorites\Links\Suggested Sites.url 13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms 13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms 13
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} 2
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32 2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage 2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000} 2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750} 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046} 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7EE7F34-3BD1-427f-9231-F941E9B7E1FE} 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f237df9-9ddb-47ad-b218-400d54c286ad} 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32 1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81397204-F51A-4571-8D7B-DC030521AABD}\InprocServer32 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Packed.ZeroAccess-7489468-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileTracingMask
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: ConsoleTracingMask
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: MaxFileSize
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileDirectory
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
55
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
55
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
promos[.]fling[.]com 55
Files and or directories created Occurrences
\@ 116
\L\eexoxfxs 116
\cfg.ini 116
\systemroot\assembly\GAC_32\Desktop.ini 55
\systemroot\assembly\GAC_64\Desktop.ini 55
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 55
%SystemRoot%\assembly\GAC_32\Desktop.ini 55
%SystemRoot%\assembly\GAC_64\Desktop.ini 55
\systemroot\assembly\temp\@ 55
\systemroot\assembly\temp\U 55
\systemroot\assembly\temp\cfg.ini 55
\systemroot\system32\consrv.dll 55
%System32%\consrv.dll 55
%SystemRoot%\assembly\temp\@ 55
%SystemRoot%\assembly\temp\cfg.ini 55
\systemroot\system64 55

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Ransomware.TeslaCrypt-7501245-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\XXXSYS 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: addon_v57
15
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
15
Mutexes Occurrences
z_a_skh495ldfsgjl2935345 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt 15
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Dropper.Upatre-7491797-0

Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 25
Files and or directories created Occurrences
%TEMP%\tywy22.txt 24
%TEMP%\tywyaven.exe 24
%TEMP%\t4930.tmp 1
%TEMP%\vimazet.exe 1

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage





Win.Dropper.TrickBot-7490964-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RefCount 1
Mutexes Occurrences
Global\316D1C7871E10 22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 3
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 2
checkip[.]amazonaws[.]com 2
wtfismyip[.]com 2
api[.]ip[.]sb 1
ipinfo[.]io 1
Files and or directories created Occurrences
%System32%\Tasks\System Network Extensions 22
%APPDATA%\adirecttools 22
%APPDATA%\adirecttools\data 22
%APPDATA%\adirecttools\settings.ini 22
%APPDATA%\ADIRECTTOOLS\<original file name>.exe 22
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 21
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 21
%APPDATA%\adirecttools\Data\pwgrab64 1
%APPDATA%\adirecttools\data\pwgrab64_configs\dpost 1
%APPDATA%\adirecttools\69ab1bb7084669cf84cc43537b700264.exe 1
%SystemRoot%\TEMP\~DF8EC46E2629511EB8.TMP 1
%APPDATA%\adirecttools\runme.exe 1
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage





Win.Packed.Formbook-7491272-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\{D9734F19-8CFB-411D-BC59-833E334FCB5E} 27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\CALENDAR SUMMARY 27
Mutexes Occurrences
8-3503835SZBFHHZ 29
Startup_shellcode_006 29
KN7MSAA2BUECxyHz 29
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe 29
%APPDATA%\KN7MSAA2 27
%APPDATA%\KN7MSAA2\KN7log.ini 27
%APPDATA%\KN7MSAA2\KN7logrc.ini 27
%APPDATA%\KN7MSAA2\KN7logri.ini 27
%APPDATA%\KN7MSAA2\KN7logim.jpeg 26
%APPDATA%\KN7MSAA2\KN7logrv.ini 26
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (17518)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (353)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (269)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (158)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (90)
Installcore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (88)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected - (87)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Corebot malware detected - (23)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Reverse http payload detected - (19)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.
Fusion adware detected - (11)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
