Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 and Jan. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Trojan.Razy-7505643-0
Trojan
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Tofsee-7492214-1
Dropper
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet.
Win.Packed.Ursnif-7489213-0
Packed
Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.ZeroAccess-7489468-1
Packed
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.
Win.Ransomware.TeslaCrypt-7501245-1
Ransomware
TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Upatre-7491797-0
Dropper
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.TrickBot-7490964-0
Dropper
Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Formbook-7491272-1
Packed
Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Threat Breakdown Win.Trojan.Razy-7505643-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
11
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
3
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE
Value Name: LastDetectionTime
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: goodsStartup key
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: goods
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE
1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE
Value Name: LastDetectionTime
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mrke
1
Mutexes Occurrences Global\14c64321-2d62-11ea-a007-00501e3ae7b5
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 172[.]217[.]12[.]206
10
172[.]217[.]9[.]225
7
172[.]217[.]5[.]238
6
104[.]16[.]155[.]36
3
77[.]88[.]21[.]158
3
172[.]217[.]10[.]46
1
172[.]217[.]10[.]33
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences smtp[.]yandex[.]com
3
whatismyipaddress[.]com
3
doc-00-6c-docs[.]googleusercontent[.]com
1
doc-0s-9s-docs[.]googleusercontent[.]com
1
doc-14-60-docs[.]googleusercontent[.]com
1
doc-0k-c8-docs[.]googleusercontent[.]com
1
doc-00-5o-docs[.]googleusercontent[.]com
1
doc-10-6c-docs[.]googleusercontent[.]com
1
doc-04-bg-docs[.]googleusercontent[.]com
1
doc-04-6c-docs[.]googleusercontent[.]com
1
Files and or directories created Occurrences %APPDATA%\pid.txt
3
%APPDATA%\pidloc.txt
3
%TEMP%\holdermail.txt
3
%TEMP%\holderwb.txt
3
%HOMEPATH%\desktop\product.pif
2
%TEMP%\bhv61AB.tmp
1
%TEMP%\bhv8DF6.tmp
1
%HOMEPATH%\Orkende
1
%HOMEPATH%\Orkende\Recomm.pif
1
%TEMP%\bhv5953.tmp
1
File Hashes 3031363a67eca33c68892ed7529803bbaa926a6f371204eeaa8ca205501d8cac
34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93
51e97032af43de44947d564ee43a9b43278312873caaa4bbd7d3e4f7ec00eb89
58962a9133651591f2d4df22589d1cdd4f7cee175f70c7d47c5a854a5264ec98
5be87b343f2d3af80883ed4deb795c0ae8f7e0ae4ba08a6bbac5b3e4659d0341
6bd1baae5ba600ff4ece4523e53bf9818bcc381a56664e3104c1c317d6f5a3bc
6dfdb201ddd46c8f2ded273f3c8ed6c5beca63196b5428fe388f59faaac79597
731aa2659852eb9b98d573b3f59436b49c15492d8df94e18da5a8f4c41f48fbe
79acdd5ea559b2e7e29fa6b47ca1053e11dbaadf540fc2b140aca89d1539d17e
8fa302841d886e0198c96d76d93399f5905844f424b255e6707a74ea610c55ce
cdaef1b003e82f8994dd616103781125fca98ec097ee79830c2262f41158237a
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid Win.Dropper.Tofsee-7492214-1 Indicators of Compromise Registry Keys Occurrences <HKU>\.DEFAULT\CONTROL PANEL\BUSES
192
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
175
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
158
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
68
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: WOW64
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: ObjectName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL
Value Name: Description
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA
Value Name: WOW64
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 69[.]55[.]5[.]250
192
43[.]231[.]4[.]6/31
192
85[.]114[.]134[.]88
192
239[.]255[.]255[.]250
175
46[.]4[.]52[.]109
175
46[.]28[.]66[.]2
175
78[.]31[.]67[.]23
175
188[.]165[.]238[.]150
175
93[.]179[.]69[.]109
175
176[.]9[.]114[.]177
175
192[.]0[.]47[.]59
174
172[.]217[.]12[.]164
159
74[.]125[.]192[.]26/31
140
67[.]195[.]204[.]72/30
135
168[.]95[.]5[.]116/31
134
172[.]217[.]197[.]26/31
122
172[.]217[.]10[.]67
116
216[.]146[.]35[.]35
110
212[.]227[.]15[.]40/31
104
104[.]47[.]54[.]36
102
208[.]76[.]51[.]51
101
168[.]95[.]6[.]60/30
97
98[.]136[.]96[.]92/31
95
31[.]13[.]66[.]174
93
98[.]136[.]96[.]74/31
91
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 250[.]5[.]55[.]69[.]in-addr[.]arpa
192
microsoft-com[.]mail[.]protection[.]outlook[.]com
192
schema[.]org
175
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
175
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
175
mta5[.]am0[.]yahoodns[.]net
175
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
175
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net
175
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
175
whois[.]iana[.]org
174
whois[.]arin[.]net
173
coolsex-finders6[.]com
173
bestladies[.]cn
173
bestdates[.]cn
173
bestgirlsdates[.]cn
173
hotmail-com[.]olc[.]protection[.]outlook[.]com
171
eur[.]olc[.]protection[.]outlook[.]com
127
mx-eu[.]mail[.]am0[.]yahoodns[.]net
125
ipinfo[.]io
118
nam[.]olc[.]protection[.]outlook[.]com
93
mx6[.]earthlink[.]net
91
pkvw-mx[.]msg[.]pkvw[.]co[.]charter[.]net
88
charter[.]net
87
mx0[.]charter[.]net
87
msn-com[.]olc[.]protection[.]outlook[.]com
72
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SysWOW64\config\systemprofile
192
%SystemRoot%\SysWOW64\config\systemprofile:.repos
192
%TEMP%\<random, matching '[a-z]{8}'>.exe
188
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
158
%HOMEPATH%
59
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)
59
%SystemRoot%\SysWOW64\wpdjiqwl
11
%SystemRoot%\SysWOW64\lesyxfla
11
%SystemRoot%\SysWOW64\mftzygmb
10
%SystemRoot%\SysWOW64\piwcbjpe
10
%SystemRoot%\SysWOW64\zsgmltzo
10
%SystemRoot%\SysWOW64\yrflksyn
10
%TEMP%\<random, matching '[a-z]{4,9}'>.exe
9
File Hashes 03dfa2a7b5722d6fa2f2f85287c8bea67b2ae1c8be2d9de90b33c2b4dd3c0f42
07314be6c87366f215030d7a2af42440f8a2a187e782ad975a476a84aa389fe1
0862506904a93aba08781be3d9b5189c8cc01bc5fd86d9a4881bd114449502b7
088fe0b34e1db5b9010adb26a2380aa6faf53165f9e2d7d986fd0bc6be614f9e
0ad21f45614d3112c1201ff8a5b3fe702b4943e39ab9d8bc4f38362565c373d5
0b2c1eebcd3f136c556a8568541d589f691dbe6fb450fa708e9774f4ca72fb67
10d2a79f8c199a6ce16b0e3fd4a911524cc2ece755daf67c04f0d3118dfb3498
11e2d71f1dab632b58c9ab60a48c51854d59df47456a97ff9ef59c72b607229c
136e082449131aae0a3e28c21c99aaef24a9d1709cae71daee0e154bf2b45d9f
144d2f639c9dafd40f48b72980609cb018ca83a360b7e24fede6023e0e742397
16f778581e678fdd5e21442d3d55bcc4415271ac94ed0d31c2efd40c772f26ec
1733e36d0e55b369c97e387fa74da22462fbf1858b09befb5de125d9523e3d41
1756a1f4ce0593f80b857ed9a654c656dac96d3405a566dc38737e0a79bc194d
188389b2163b98dbb96edf4000496dacc062f2a6ae2dd021a3f49742d36a2e0b
189f32c3d78e9b129d62bb4e40b3693da216cc371018d5ce4ef2356a94ca4f6e
18f25a4e071f993b9ceac935a3814d7667e42c46d22ea9e8ccd7c4a3f0087f7b
1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa
1af4c3359d224c2ad2006db3c9786afdeeb90404ab91ec7c63467092264e2183
1c1d1c939fd6d3e6a77c2fa342f2c39433eea8f9d3c749ecee42e287734bd330
1c69825459d03fb13956e1a0f40e485731fbe96e48efe1abc765db537fec77ba
1d3aecb8b67bd70634fbffcf15b5e21ef0ee95627d296e78caf3f07842820d9a
1d9d2d4000df6baadc93db56dbdc783c9db35a047be86bed8d4bfaacb33b6a9c
1f42ceba5e533e7aeb5395e1db11ef780b02e44c8cde237394b663b816da69b4
1ff0ce00b3cc5e3223e31501e16302b44ae24981b4b61f3500bdba2f671a057f
20f52e7aa1ee2e27dffcb75eb1e207681dbe2f72d44b0f4d2f66498102d8cf8e
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Win.Packed.Ursnif-7489213-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
18
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
18
Mutexes Occurrences Local\https://vars.hotjar.com/
18
Local\https://www.avast.com/
18
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 23[.]221[.]50[.]122
18
152[.]199[.]4[.]33
18
23[.]221[.]49[.]75
18
23[.]221[.]50[.]102
18
104[.]107[.]26[.]214
18
13[.]109[.]156[.]118
18
65[.]55[.]44[.]109
17
157[.]240[.]18[.]35
15
104[.]107[.]18[.]91
15
38[.]126[.]130[.]202
15
192[.]42[.]119[.]41
14
13[.]107[.]21[.]200
13
172[.]217[.]164[.]136
13
23[.]196[.]81[.]176
13
204[.]79[.]197[.]200
12
204[.]2[.]197[.]202
12
72[.]22[.]185[.]200/31
12
172[.]217[.]197[.]156/31
12
172[.]217[.]6[.]206
11
172[.]217[.]12[.]136
11
172[.]217[.]11[.]36
11
172[.]217[.]10[.]14
11
169[.]54[.]251[.]164
11
23[.]201[.]42[.]247
11
23[.]201[.]42[.]161
11
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences googleads[.]g[.]doubleclick[.]net
18
www[.]googletagmanager[.]com
18
www[.]google-analytics[.]com
18
stats[.]g[.]doubleclick[.]net
18
connect[.]facebook[.]net
18
www[.]googleadservices[.]com
18
ib[.]adnxs[.]com
18
avast[.]com
18
static[.]avast[.]com
18
secure[.]adnxs[.]com
18
mc[.]yandex[.]ru
18
dev[.]visualwebsiteoptimizer[.]com
18
amplifypixel[.]outbrain[.]com
18
pixel[.]mathtag[.]com
18
tr[.]outbrain[.]com
18
amplify[.]outbrain[.]com
18
ajax[.]aspnetcdn[.]com
18
img-prod-cms-rt-microsoft-com[.]akamaized[.]net
18
az725175[.]vo[.]msecnd[.]net
18
script[.]hotjar[.]com
18
static[.]hotjar[.]com
18
c[.]s-microsoft[.]com
18
assets[.]onestore[.]ms
18
a[.]tribalfusion[.]com
18
www[.]avast[.]com
18
*See JSON for more IOCs
Files and or directories created Occurrences %TEMP%\www2.tmp
13
%TEMP%\www3.tmp
13
%TEMP%\www4.tmp
13
%HOMEPATH%\Favorites\Links\Suggested Sites.url
13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms
13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
13
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}
2
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32
2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage
2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}
2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7EE7F34-3BD1-427f-9231-F941E9B7E1FE}
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f237df9-9ddb-47ad-b218-400d54c286ad}
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32
1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81397204-F51A-4571-8D7B-DC030521AABD}\InprocServer32
1
File Hashes 0ad051eb62410a3fe8d776a69f29a46fe609ea59c2adfe061811dc9ace3e40e9
17cfe796a3b8017bf83d2c302ec9507317abac0191cdf835d2d0d1a75d33b991
18b5f4e21612aadfed4e72cdef1356009fb1614535b62a4e39463f8cea9ace03
2013ff55ccdd16e36eccebe50b0587b6f2f37e333442be1552b50c41cbfe48d4
241ab82dccad5b9670c445509841c6aebf69de45815c3d9951f15be158b8ece5
270f970f0cfda8e8c61a73b2aab71fd51755ad911b8173f5aac4cdb5961ba8a5
3016c699d4c8c7affedc18f5cb4aadb30676a9c3081dee913b43b84737949708
31a02187883766f2eec0edc6479b8cd793c8e8eec658fe56b33581a76d9953f8
365acef54f3733520717314466c86aa978cbf08c37d1f9f0a90bbbea42b3f8f3
5ba3ea5868ddef74a57fff2c5ded68f17b08458876881161a7af9eb32438779d
5c486b96a5f273819baa9a010700f088ce3f707c87088a50e699ee6dedd0b117
611e95e1a1a352d6cb1a6106b0e69565b065de6d68dbe5c41d49c2ebfa637dd6
7a8b53746144a903954535791ef7c5038834af3cd1eec8c0dae8b28f609859bf
7fd6f59c5c23ea12adf5975e56730a52558799ae7a330ef40e552a4353a8d6e3
8220634b1969f5a06e3b5adff2dbae0356608a91e5162fccdd247f1571a2a4b2
9a20d2755608e7cf98a090f30b166779318f0a08747631fccc9393de15ed33cc
9b6503731468ce3922f5aec73e22a81489ddcf6124d86eeb2fc05cb7c2f4527f
b062f5f376af3972c8386343b27fb1e5947afb66c5c0741cced2d317f5261158
b2c7bc0dece9bed221c3fe88b9dce2313b036b9a3f5982b5bfa91961efb7bdaf
bb8d733fa6ca4ef01d8b44d098902e781359cdd36a4418538a504082b3b95fe6
cecc5dd05c51a6740730b775dc4af3d579b498880de7899b272d6225fb96cb44
e6bd801ae1e976ff76409d2b28d00d15f50e5819c3c5bbc54eb4ac9752f87435
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP Win.Packed.ZeroAccess-7489468-1 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileTracingMask
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: ConsoleTracingMask
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: MaxFileSize
55
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileDirectory
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
55
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
55
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
55
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 94[.]242[.]250[.]64
116
64[.]210[.]151[.]32
55
178[.]32[.]190[.]142
55
91[.]207[.]60[.]22
15
71[.]229[.]165[.]75
15
201[.]231[.]100[.]117
15
71[.]239[.]117[.]142
9
66[.]41[.]70[.]14
8
71[.]63[.]0[.]235
7
98[.]224[.]77[.]3
7
83[.]15[.]111[.]38
7
76[.]180[.]80[.]134
7
24[.]73[.]24[.]191
7
46[.]45[.]5[.]240
7
67[.]185[.]179[.]4
6
98[.]230[.]137[.]123
6
69[.]80[.]173[.]91
6
75[.]66[.]129[.]205
6
69[.]117[.]29[.]163
6
190[.]36[.]183[.]136
6
77[.]126[.]70[.]166
6
98[.]203[.]164[.]253
6
67[.]240[.]46[.]208
5
72[.]200[.]101[.]79
5
68[.]97[.]172[.]87
5
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences promos[.]fling[.]com
55
Files and or directories created Occurrences \@
116
\L\eexoxfxs
116
\cfg.ini
116
\systemroot\assembly\GAC_32\Desktop.ini
55
\systemroot\assembly\GAC_64\Desktop.ini
55
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8
55
%SystemRoot%\assembly\GAC_32\Desktop.ini
55
%SystemRoot%\assembly\GAC_64\Desktop.ini
55
\systemroot\assembly\temp\@
55
\systemroot\assembly\temp\U
55
\systemroot\assembly\temp\cfg.ini
55
\systemroot\system32\consrv.dll
55
%System32%\consrv.dll
55
%SystemRoot%\assembly\temp\@
55
%SystemRoot%\assembly\temp\cfg.ini
55
\systemroot\system64
55
File Hashes 024be6e3a83461f6084ade9ef26da705de0e7eeceebbd55ca5289a7396dcf280
02a6714aebbfef68f0528f10414a2fd8a8338243e05992d0c28d68383e1dc1a1
05597af5ff2dd97b20b7c57e4c3cd48cae1a4d2c7cd1c4ac920a6f1185a65900
0712314c985a7cc479d0cbcdcf06c886ba2d7fc79d89cf4efc56a137235eb379
0808ec44505b3130a5dde6e81c75f473f44a288d1134fff680394534283fce87
08b18f2eb8b1fb422adfb52d482f9d9bb3f4a24d18f89a186ed2865181f6b551
0b675bae551f40fe43934915324927652e35fa3089dcc911345478fc96338a3c
0d6aea5357e88970db6f5c226a2a888e1c7f1c5f20146087952612c06d064b4e
15d09a26dec6c151966a24bfebd38fb67c8397a06c3bf1702eb4702a871a9e2c
1744dd32bcf9cd45cfec1f4334de1df340129a555e12f73c740e02f7fe7b469c
1ac467786827d37bc69e30617fa2b14fa8903f68f73022e727caa634379490b2
1c9dc1eb7cb0191101faa393854592a440d6df736f07a767138df22c1f809c8d
1d34f5231571a20d3229e850bb786f6148dab477ca4a0169a0af3acf2d2ce71d
243ccb0ec0007367fc4e21dea982be68d6f32e6cdcafbd11e10768cb912a914b
2460096ab6403840c5de8a19dc1706cf2dc416cc9e3ab701275853d66eb7e142
24ec81e3c8a7247c0fa2292906afccc1d47b81412cfaf021dc22be067530e944
2b275de3b1d0f2786c58f17a0d2607a47dade5151046f255eea2f9da20a03c9c
311c8b6b2d2150fff040363e23fdca221be64cae3ad34d9b3dfacd396ed48fc6
330719fd8491c5abc9fd90c7e27310cb72d331222c5caaf4671525d48e4b1026
35ba7b85dd5146c275b74b7b09ef62985ba9db0d1e1f2771b6990d53ed965d52
37240db16c496c45552715904b84ce5cc2c1e01ebbcf519a7e0bee4cc73f08bd
39bf409ea1d861dfed811fa6c0aee2767aff44d96fffb4f3e552db1add1ed7fc
3b3d6c01a983c835152e169e092be6193bce78c22b41cda5e573e5330235aac6
3e6c74185843c930a9b5ea041a5a3eef7d9ae80a31e3a67e0c235b5090e64afb
3fcf02116eab251a35b6a9dba981edb13ba59701f0b52ca1521fd2dbff350477
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP Win.Ransomware.TeslaCrypt-7501245-1 Indicators of Compromise Registry Keys Occurrences <HKCU>\SOFTWARE\XXXSYS
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: addon_v57
15
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
15
Mutexes Occurrences z_a_skh495ldfsgjl2935345
15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 23[.]20[.]239[.]12
15
64[.]140[.]157[.]157
15
157[.]119[.]94[.]202
15
104[.]27[.]31[.]89
9
104[.]27[.]30[.]89
6
3[.]225[.]189[.]10
5
3[.]229[.]167[.]115
4
54[.]83[.]91[.]42
3
34[.]195[.]145[.]145
2
3[.]93[.]124[.]54
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences en[.]wikipedia[.]org
15
www[.]torproject[.]org
15
www[.]hugedomains[.]com
15
vostorgspa[.]kz
15
p4fhmjnsdfbm4w4fdsc[.]avowvoice[.]com
15
bledisloeenergy[.]com[.]au
15
polyhedrusgroup[.]com
15
todayinbermuda[.]co
15
nn54djhfnrnm4dnjnerfsd[.]replylaten[.]at
15
www[.]buildenergyefficienthomes[.]com
15
mosaudit[.]com
15
buildenergyefficienthomes[.]com
15
akdfrefdkm45tf33fsdfsdf[.]yamenswash[.]com
15
Files and or directories created Occurrences \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt
15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt
15
*See JSON for more IOCs
File Hashes 00de6704e49ec7e8b570b95410704c0d3d81c727c688d06afe68e4f8f4e4b8e6
079ab9339f5b1ccf429dbf4426350c311adc6bdeeb3a003970d052088dcdaabf
4b7a8b7ffac89faa52034d12821a9e20bfd987adcdcbdba29d6daaca44ef9325
6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8
69a0539a87e7a9fe382cf4c504c3d02bf6ee4cd6a5e20098ed619da8975480ee
70311b0da413a17ed6c5f300adcd7757301346300693823ba4e1e7845901c1b8
7f1a0f921a5132b1329dbdbfadc83eec6568ad151d1c33da89a4aaf0a5e5c0c2
a7ba5bb407c401764b9af3e22b005962431d5446f1c8ba468ab71a7ed1033299
b8dd6020265dc28fa74d1708e2238cc227791dace690699db22cbb3ba6c1d64c
bd9a8d8d2c8e1d426959e7022ecd26b7001998aba2617e13deac573d16208916
c7a8125f64e0c8d4133263f901855d1ef0ecea2e083c10782e4cfbbe8b334e79
dca1535c72840c4a47886ee0e23437fc560a4fea29c9c62f63a58726d21a565b
e010d87d8cb503b316a2dc3e064b99178b7040a213251ce49e58fd0d23c6cef5
eb6259dd5f1ed9540edc3e0e9944e08145b9514320cd65c26612b32b92fa6885
f347dc8de7cefff44e6127fcfd035c08d31439a6f4951dd92549bdd6400b60aa
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Win.Dropper.Upatre-7491797-0 Indicators of Compromise IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 93[.]185[.]4[.]90
25
104[.]20[.]17[.]242
10
98[.]214[.]11[.]253
6
66[.]196[.]61[.]218
6
98[.]246[.]210[.]27
6
81[.]90[.]175[.]7
5
216[.]16[.]93[.]250
5
76[.]84[.]81[.]120
4
217[.]168[.]210[.]122
4
84[.]246[.]161[.]47
4
85[.]135[.]104[.]170
3
24[.]148[.]217[.]188
3
81[.]93[.]205[.]251
3
81[.]93[.]205[.]218
3
62[.]204[.]250[.]26
3
173[.]248[.]31[.]1
3
87[.]249[.]142[.]189
2
98[.]209[.]75[.]164
2
194[.]228[.]203[.]19
2
24[.]220[.]92[.]193
2
176[.]36[.]251[.]208
2
109[.]86[.]226[.]85
2
95[.]143[.]141[.]50
2
68[.]55[.]59[.]145
2
188[.]255[.]239[.]34
2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences icanhazip[.]com
25
Files and or directories created Occurrences %TEMP%\tywy22.txt
24
%TEMP%\tywyaven.exe
24
%TEMP%\t4930.tmp
1
%TEMP%\vimazet.exe
1
File Hashes 01152de6c7c348fa9716c3d760744689eb85386303593e6100f6532bd3fc2cb3
01cb3cbad05c3b0b186b604f32cb00a3ceced74ead26affe5b4fb1867d48be01
02f4933753d850d1774b56cbd35c994b6b7dd9b971fd45c34f5677f90b281b6a
062720c82d1bef7558b0a4675b9539a23afddf252ede24b5d54edfba2a758ca5
06f92e4b684161224f68388d8d4ca35d113682fadeb2e100072dfa8d43413101
09589d82d2f9460fe3d33b726794d41a93b672dbaed8e5f397350b7714649cd7
09f38837949bbee74dd5da5fce7a92d7f21168f7e43345bbd19f5cbfde8f6f69
0c45c58eab16df4d5bff14dad957f91d5785a09836560bc3bd681c27e012b1b8
0d774c5ac17521abec32a11e81317fed5f7c163d82ec7f9e1065c86834458cfe
0d90667089d17e2924b00e5207a357156e9076dfa3dab3f2e7dc5737135053a9
0e36b813e84b27ff1c1b770fffbf4175c7c39bbe499804c9c27565ed4a9518fa
0fa25c7c007f337ab5ba699a2611c47ff41a8ba74cb83fa1ffde097e7408f8ed
10c863059e4910501e1deea44279a5402e93796098230511c65be09f8f47eb82
1356d0345699b8766d5c8de5d61cb47fd63dc3f42fe2280a2c413a8d7f97c1c8
13f7895a32eb09a5016a408819dce9c95a4149888ad708c0232e0659e2ca06e3
14178c54d283e6579242e90df7c4dae8af71ff4594c834e3cc7a275588f561b7
14e727de9a56e79b9dcaf48cc9751d4cb447f16d839d705c628640857d0e6e13
1535d470effa0af601719b9ef64e615f321e4db52ee4b7bb05def6d501884fbc
16b232d226ca18447e1f1671538607fe5be412e935b930bcde73ff46e0b2890f
186a59f2954d3d213a26308386be80f2b503e08882324ab559490330700fc24a
1d2374db5ee92385e49fbaef9ef694361877cdffa4b51d8fd8d37e6272dfad57
1e1bdd6ddb3c256c79024eccdb2de6b0861a2a86e13f3f03cf1f378e2cdc9d36
1fcbef293371203729eca2c9491641a03b2330c9be11b438f84db0e996e5b78c
2119922518bc437c7d5fd7d7205929089a9ed9333cdff97bb214808f37e86dd7
211bdc6613fc3e691ac70d215a8a9edd5f0ebb85bb4f24d6e293fb21894a0b1b
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
Screenshots of Detection AMP ThreatGrid Win.Dropper.TrickBot-7490964-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RefCount
1
Mutexes Occurrences Global\316D1C7871E10
22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 181[.]113[.]28[.]146
5
188[.]120[.]254[.]68
5
195[.]123[.]220[.]178
5
198[.]23[.]209[.]201
4
104[.]20[.]17[.]242
3
119[.]252[.]165[.]75
3
78[.]24[.]223[.]88
3
188[.]165[.]62[.]34
3
164[.]68[.]120[.]60
3
69[.]195[.]159[.]158
2
190[.]214[.]13[.]2
2
5[.]2[.]70[.]145
2
185[.]213[.]20[.]246
2
185[.]141[.]27[.]190
2
185[.]177[.]59[.]163
2
216[.]239[.]38[.]21
1
200[.]21[.]51[.]38
1
200[.]127[.]121[.]99
1
181[.]129[.]104[.]139
1
18[.]213[.]79[.]189
1
45[.]125[.]1[.]34
1
23[.]20[.]220[.]174
1
45[.]137[.]151[.]198
1
5[.]182[.]210[.]109
1
51[.]89[.]115[.]124
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences icanhazip[.]com
3
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
2
checkip[.]amazonaws[.]com
2
wtfismyip[.]com
2
api[.]ip[.]sb
1
ipinfo[.]io
1
Files and or directories created Occurrences %System32%\Tasks\System Network Extensions
22
%APPDATA%\adirecttools
22
%APPDATA%\adirecttools\data
22
%APPDATA%\adirecttools\settings.ini
22
%APPDATA%\ADIRECTTOOLS\<original file name>.exe
22
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt
21
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp
21
%APPDATA%\adirecttools\Data\pwgrab64
1
%APPDATA%\adirecttools\data\pwgrab64_configs\dpost
1
%APPDATA%\adirecttools\69ab1bb7084669cf84cc43537b700264.exe
1
%SystemRoot%\TEMP\~DF8EC46E2629511EB8.TMP
1
%APPDATA%\adirecttools\runme.exe
1
%SystemRoot%\TEMP\~DF5EC233074AA93A3C.TMP
1
%SystemRoot%\TEMP\~DF4BEDA5BB57A455AF.TMP
1
%SystemRoot%\TEMP\~DFCE2B4CA7595FDB1F.TMP
1
%SystemRoot%\TEMP\~DF771B5AE6CE965D7A.TMP
1
%SystemRoot%\TEMP\~DF21C4C13A90F8FECB.TMP
1
%SystemRoot%\TEMP\~DF2EDE8F31D379304B.TMP
1
%SystemRoot%\TEMP\~DF887620F0BF482816.TMP
1
%SystemRoot%\TEMP\~DF6B5F6A59497674CC.TMP
1
%SystemRoot%\TEMP\~DFA8D4CB1355CC2A5F.TMP
1
%SystemRoot%\TEMP\~DF326643DA3623EF2B.TMP
1
%SystemRoot%\TEMP\~DF2334856A166D2B71.TMP
1
%SystemRoot%\TEMP\~DF862A67F04082D9B3.TMP
1
%SystemRoot%\TEMP\~DFC53480C7F7651844.TMP
1
*See JSON for more IOCs
File Hashes 0245c1658f2c7d9989431954aeeae75907cd70d94d45137c6d03d1c77463779f
11a8ffc0df227cb681971a11904bf83d3a72a52aefd1335df4202115ccabe4a1
17db3888319bac8bdc2fa0c33c3125dca7f8b2f9ff39dfe8b16882c3babd5273
26e223b88abca88510d861698e8468675e7fc8fac1199a554d4fdd2cff91197d
4517232ad858b209e6a6fb873e2a8665a85c91506b1ded4c518e751fc7adacb2
65371d42ff1b2db3b211c5f180f411a2621679225dab602ed0d47a496287ff4c
691f1b9988bde02160172a8ed8d0e242cc25d8fd205839887140330ebff862f5
6b4f93bb3fc3aeb71591f7fd237367905898b62f3a08580d8ed691fa06f6734d
6e2ab21ca9e1bb545bee1a66190cd9786d9d2d376b47864715b121ed8ccb3d33
7055bef3d19a836529109b5037e4ce63e9f3c8d8f9e5b8daba57880b9ca5cb5e
7996ea4f4f2a2d9e2152eaefba2fc9077c33fc5a1848b2ec4e6a69e54ef7fba3
82aef9ea980b0fd2fb268be8fc8ebdf14b9150df5c167aa29ddcd464afc2014c
8d9c8ef971a707651456e085f7420e45463d77dbefeab733d381685500f4a027
9363001b83b189a7ebdefcebe844bbbe29e1db03e49fa642bc9530f345d65283
9971b48ee31acc1d33d3a28b3527f3039c5a633d0f0cb6b3422d3b1d219221f0
9e1d70348303b0480a64a03d82b2d011d1a51a5f106024e670f12acc64478b44
a6068b4a752629e61dff03d86cf8bf9141f52e22a8267c0de469fe5d2e5b65de
ae0e55999d7f5ae1be0a7132b2e972fc04c95c653f214f3f59ce30fc4e2f57af
b4c41107cda5716a098e22be19101e15e3e577e3d6cc8570a4e81e0f6cf24ae1
c693ddb405dcc6831f489f499ece83aae83d27226694bfc390b5059f0849bc2e
e0d95256f1587f75b9e0e632e92b88561d4441cb559d7b3944e3152669a28f92
ea15e0fd9d3c825cd2c2217ab150fb7cee86cf5b0a3e411c6c621084199bbb10
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
Screenshots of Detection AMP ThreatGrid Indicators of Compromise Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\0A0D020000000000C000000000000046
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\13DBB0C8AA05101A9BB000AA002FC45A
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\33FD244257221B4AA4A1D9E6CACF8474
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\3517490D76624C419A828607E2A54604
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\4C8F4917D8AB2943A2B2D4227B0585BF
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\5309EDC19DC6C14CBAD5BA06BDBDABD9
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\82FA2A40D311B5469A626349C16CE09B
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\8503020000000000C000000000000046
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9207F3E0A3B11019908B08002B2A56C2
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\F86ED2903A4A11CFB57E524153480001
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\CALENDAR SUMMARY
27
Mutexes Occurrences 8-3503835SZBFHHZ
29
Startup_shellcode_006
29
KN7MSAA2BUECxyHz
29
S-1-5-21-2580483-10603632762720
21
S-1-5-21-2580483-2008626601611
2
S-1-5-21-2580483-1148626601611
1
S-1-5-21-2580483-1464626601611
1
S-1-5-21-2580483-2116626601611
1
S-1-5-21-2580483-1392626601611
1
S-1-5-21-2580483-1992626601611
1
S-1-5-21-2580483-1380626601611
1
S-1-5-21-2580483-584626601611
1
S-1-5-21-2580483-1120626601611
1
S-1-5-21-2580483-2100626601611
1
S-1-5-21-2580483-1616626601611
1
S-1-5-21-2580483-1012626601611
1
S-1-5-21-2580483-972626601611
1
S-1-5-21-2580483-1440626601611
1
S-1-5-21-2580483-1460626601611
1
S-1-5-21-2580483-956626601611
1
S-1-5-21-2580483-1808626601611
1
S-1-5-21-2580483-888626601611
1
S-1-5-21-2580483-10203632762720
1
S-1-5-21-2580483-2036626601611
1
S-1-5-21-2580483-10843632762720
1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 162[.]213[.]250[.]169
10
173[.]0[.]50[.]210
6
217[.]160[.]0[.]55
4
192[.]155[.]190[.]84
3
172[.]247[.]92[.]19
3
199[.]59[.]136[.]230
3
184[.]168[.]221[.]32
2
198[.]54[.]117[.]216
2
198[.]54[.]117[.]211
2
23[.]20[.]239[.]12
2
184[.]168[.]131[.]241
2
217[.]160[.]0[.]154
2
74[.]208[.]236[.]114
2
199[.]59[.]138[.]230
2
74[.]117[.]219[.]198
2
198[.]54[.]117[.]218
1
198[.]54[.]117[.]212
1
198[.]54[.]117[.]215
1
184[.]168[.]221[.]36
1
185[.]230[.]60[.]195
1
85[.]159[.]66[.]62
1
97[.]74[.]42[.]79
1
172[.]217[.]5[.]243
1
208[.]100[.]26[.]245
1
3[.]234[.]181[.]234
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]allixanes[.]com
10
www[.]travelcards[.]site
6
www[.]orlandohouston[.]com
5
www[.]xn--4qw729d[.]com
5
www[.]davekachman[.]com
5
www[.]iqama[.]info
5
www[.]reserveforcespolicy[.]com
5
www[.]enjoquotes[.]com
4
www[.]online-rfs-billing[.]info
4
www[.]imtrainee[.]net
4
www[.]ildolce[.]store
4
www[.]elgranretodeseve[.]com
4
www[.]arnaud4k[.]com
4
www[.]digital-spot[.]net
4
www[.]casalukre-co[.]com
3
www[.]jingrunxuan[.]com
3
www[.]hzwhedu[.]com
3
www[.]zxhckj[.]com
3
www[.]thehouseofthedrone[.]com
3
www[.]24hourautolocksmith[.]company
3
www[.]kingofthenorth[.]tech
3
www[.]aurora-health-ua[.]com
3
www[.]prokat[.]site
3
www[.]riicko[.]com
3
www[.]hugedomains[.]com
2
*See JSON for more IOCs
Files and or directories created Occurrences %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
29
%APPDATA%\KN7MSAA2
27
%APPDATA%\KN7MSAA2\KN7log.ini
27
%APPDATA%\KN7MSAA2\KN7logrc.ini
27
%APPDATA%\KN7MSAA2\KN7logri.ini
27
%APPDATA%\KN7MSAA2\KN7logim.jpeg
26
%APPDATA%\KN7MSAA2\KN7logrv.ini
26
%ProgramFiles(x86)%\Ygl8drb
1
%ProgramFiles(x86)%\Ygl8drb\config9rs4ano.exe
1
%TEMP%\Ygl8drb
1
%TEMP%\Ygl8drb\config9rs4ano.exe
1
%ProgramFiles(x86)%\Ymnlhitch
1
%ProgramFiles(x86)%\Ymnlhitch\helpcfsd4ho.exe
1
%TEMP%\Ymnlhitch
1
%TEMP%\Ymnlhitch\helpcfsd4ho.exe
1
%ProgramFiles(x86)%\Kpfyl
1
%ProgramFiles(x86)%\Kpfyl\helpex9l_rep.exe
1
%TEMP%\Kpfyl
1
%TEMP%\Kpfyl\helpex9l_rep.exe
1
%ProgramFiles(x86)%\Gbbcdufw
1
%ProgramFiles(x86)%\Gbbcdufw\vgaxjwtjt.exe
1
%TEMP%\Gbbcdufw
1
%TEMP%\Gbbcdufw\vgaxjwtjt.exe
1
%ProgramFiles(x86)%\L1b6h
1
%ProgramFiles(x86)%\L1b6h\systrayybihc.exe
1
*See JSON for more IOCs
File Hashes 0146d4a89836ecc12759c33a85d60c3867a35b7ee468041fb26b0610ef76e54f
046bebb1052d11ee3db2b5c8cbf3e2f1dd509a2aa73e53f4ffb18d39985165cf
049fa135806899faa44ce50ba918331d0ea0aeb8aa6db5012117bfc794f57759
058392f97319e50bbd2172ab46255c892e12ee0b7948e6ce0420012eb85e7e35
07387a7c05fcaf63b03673bd92d634fcd13e1784fb6adcc6c2b8cf7154c07e55
07c11047e72c8f52c1f5c422fc5b7ed49225259012c813c2bc5a8827bcf5f752
0d49120f2ce8cc77ea769c79a1ab5c7669cb58c07de1a95f08549d2665529df1
0d8e415c487a6ced2680bcb31834fe282b914f09ac167dfb4f1685af0b529c35
0da9443c8aacb9e4757b81deeaeedc7b96766020522ed9992d7b9ce3e0eb5130
0de2930e0fd1d971aa98b219ce6dc3f36b07d8441b7abd0d663a63dd77cfbf37
163d07cf0a756800c6ce5be998331fdffa75081f5f669bbb6149eb0e89744043
1c64787e6ef766f7d9b8cc99deb128d45b89d02accacb3dac1e2ad076f5139eb
208a5ebc7af4b8d15e157e9115f4617a2b3e021a868367b3e7bb0bde69170911
2655a1ee89ed4101f552ce1b75b9d711ee5c6217e63cf6ce8e23086844c839e9
2a13033c3b6b7299bd795ce5c34bbba17a8de80d4d957e4d547ef1ae2ba728b4
2e98ffc7f5bab8e3f2085beba2ecc912f038c9a66a5f6b9ec7d8e0f2eca2fcbc
2fb1d73ee16fea837612ff0d9c89a934e5520310f9a06397f7e2c1a0c1604694
30545b09c38a284d95310d71822427e0bc0b69dcaeb3d316f2fe39decfb8c006
3064e41052d6dfa7c354a6e8c405ae2c1d09e48fa9e82dc4e8faee1f4bebdd4d
352c218b502f9db9eb8a56d8d6515c3fbe51298e29fe3878731a037885dc7f7b
356aa1a0e39cd24ed61ca8c1d6658a91c9dd8dbd2663ce90b5db2b793fe12e01
36fd577a0a6354cae84ff7a6bc3b21159f24cd0b8eff3482ba7c8278b4a89b27
3a14a285394c39842beaf312d02de42ab02c679e47cb6a40c3b900f196ba4e2d
3aa7710feab8dd35997e03ad650a5bae2f19de1d82e2a7fef032815d946e21ee
3d2f8ca93b256a27067969eda8d4fca7559e38b8af59a79c40c40c55f06b53d2
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. CVE-2019-0708 detected - (17518)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (353)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (269)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (158)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (90)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (88)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected - (87)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Corebot malware detected - (23)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Reverse http payload detected - (19)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.
Fusion adware detected - (11)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.