Threat Roundup for January 31 to February 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Doc.Downloader.Emotet-7572697-1	Downloader	Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Nymaim-7569940-0	Malware	Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.Genkryptik-7572204-0	Dropper	Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, including collecting system information, downloading/uploading files and dropping additional samples.
Win.Worm.Gh0stRAT-7571319-1	Worm	Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.Cerber-7571364-0	Ransomware	Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although, in more recent campaigns, other file extensions are used.
Win.Malware.Kovter-7571676-0	Malware	Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.TrickBot-7577793-0	Dropper	Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Zusy-7572206-0	Packed	Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Doc.Downloader.Emotet-7572697-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: Type`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: Start`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ErrorControl`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ImagePath`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: DisplayName`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: WOW64`	24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ObjectName`	24

Mutexes	Occurrences
`Global\I98B68E3C`	24
`Global\M98B68E3C`	24
`Global\IC019706B`	1
`Global\MC019706B`	1
`Global\8032E0D6835932960`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`169[.]254[.]255[.]255`	1
`198[.]58[.]114[.]91`	1
`93[.]189[.]42[.]146`	1
`5[.]2[.]75[.]167`	1
`104[.]236[.]28[.]47`	25
`133[.]130[.]97[.]61`	25

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`252[.]5[.]55[.]69[.]spam[.]abuse[.]ch`	1
`252[.]5[.]55[.]69[.]spam[.]dnsbl[.]sorbs[.]net`	1
`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`	1
`252[.]5[.]55[.]69[.]b[.]barracudacentral[.]org`	1
`chonhangchuan[.]net`	25

Files and or directories created	Occurrences
`%SystemRoot%\SysWOW64\msgchannelb.exe`	1
`%SystemRoot%\SysWOW64\msgchannela.exe`	1
`%APPDATA%\windirect\settings.ini`	1
`%HOMEPATH%\532.exe`	25
`%ProgramData%\4Cs14qtyjWERecs90J.exe`	1
`%ProgramData%\8MoBR9ygNour.exe`	1

File Hashes

007fc647ae0f8639902f3c6ebae36e993f8b3fc08297118da2feb154df40740f
018ed3d6c7e96cb9010633c08acf5ddce16fccdaae299dfcf7d87e79eda6bd39
07e176a1c503e7a072f8a5f31b0871e961aae07fad606a3c3838b856442487eb
0860e692cd7444b9a85df9d15c46bfd707454cc8c1267d4de56260bf3d6cffa2
0de64e1664365414c3c529bb8dab306b995b61e34cb4d58b0d07ed6d716c715f
0f3358b0b2b1c8e74a38319daad492d7adcf2d130cc8dbd439c684c9c9e5153c
1a8fe6dd6c3cdf567f41bb6977a88c892473797acde8694ced39139640715bcb
1e835f85dc0631028c5bd4aaa75b166b8d9714642876339a4a86ef40973b6ace
220c8e32a0f771b62f01279391d3f93a40d3ce389b45d4ffff0699188792ea23
2cdc0e42a36a681175b5b3eeef29037709e43e7123aabc1f4bcee86fa06a4896
375eea419ae94249961ad625ce1dcd3502860bc1e6e396afb4570c735bf43803
3b89f52ac5385d9f8733f4ec6f3bb7721df689a5dd1c197bfcd3feffb9749dd4
62a2e813d32c179dfe3a565558a48fb0c5b9820b337458028a5232c5de9eaf42
8075bc50d7e867f0a255b9826f5c6bc35a0c82f1408ad3502b499055549c8e1f
85fbf7b289eaa61b99bcbe56e804abf3083cb14448b1ca8a9b20896989f27e9c
8f2d6be36b63d09c277df0cdf4788ed3c057cfaaa7d84e06e2e79ea9998d3dd6
93f972acfdb179a6ecdb35d1ff2602a197aaacb5039572bf5600ebc8186618c2
a892730b092202036e00e25cbdbd3464711db05ffa30c92d99eabeb8be5b6e1e
b1ec2a137410f27af98fba5d9da34af0583feead57d2328aa98ecc0cca490081
b4b51782bfcebdf89072029a92244cd4bf53dfebbeb9f125c3bd721b9bc7855a
b6160c8601befc7f62c4e3b274430b710c05e596d69d2c34e9710597336b35cb
c00797ecdd835144cf9183edd42e45c2e4b117a4d1fafd670f9c2a4f464eba9a
c50e5289d3bebdab1ba9b8d101d47596c8cc72e2616df6690189b1e99ce5268f
d00f4a6e014ec6f602d2dd0a99fc10084f111ccae25bde16dd4ee05c204ba7c1
d558d946a685c29cfab63009dba1b91c2a870a2e623d028d0a70b96a9cf12d6f

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Nymaim-7569940-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK`	18
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg`	18

Mutexes	Occurrences
`Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}`	18
`Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}`	18
`Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}`	18
`Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}`	18
`Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}`	18
`Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}`	18
`Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}`	18
`Local\{B888AC68-15DA-9362-2153-60CCDE3753D5}`	18
`Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}`	18

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`wfbimtogx[.]pw`	1
`icbwujv[.]pw`	1
`lcque[.]com`	1
`odouzwyaw[.]in`	1
`jknqnrpjgdgo[.]in`	1
`hgbcdxmjm[.]net`	1
`mnhtemsicp[.]in`	1
`hcozsjtscf[.]pw`	1
`vkerdawjo[.]in`	1
`upkbwykuchtb[.]net`	1
`adulvwixq[.]in`	1
`rnhrlupcs[.]com`	1
`ohxozfvoxg[.]com`	1
`gphvrtnt[.]in`	1
`zvsrc[.]pw`	1
`vlddqnhkoxei[.]com`	18
`elnqzs[.]net`	18
`sxrzdfil[.]net`	18
`papuzvj[.]net`	18
`ffincb[.]com`	18
`gnmhtaguavi[.]com`	18
`pvwdgii[.]pw`	18
`llrgmivfnqee[.]pw`	18
`nknbtl[.]pw`	18
`eeiheou[.]in`	18

*See JSON for more IOCs

Files and or directories created	Occurrences
`%TEMP%\fro.dfx`	18
`\Documents and Settings\All Users\pxs\pil.ohu`	18
`%ProgramData%\ph`	18
`%ProgramData%\ph\fktiipx.ftf`	18
`%TEMP%\gocf.ksv`	18
`%ProgramData%\<random, matching '[a-z0-9]{3,7}'>`	18
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>`	18
`%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>`	18

File Hashes

0b4181b933a8d0d350a9df085ac98a27350d49cd8bdded69b0153d5ec6adda21
1224eeb04e14029eec5a711ea7b973954f272851d6f4b4d02fecd4b40ebbd3e5
134d474322c25989e1aa2b6c807473d8a099b06716afcc1904dcadadd74e14d9
20c0747e95843e9c09806f7ef954cfd35c94e2b67907617a3bc0299e00026198
3e5ad8831233e388f485cd6b99c4d6687f1d6e38623bf48d2270919aa4d9e000
59445c64816f7513250a3b49cf5a513c842098be8f3730b33056705ef5c1d624
80cb190082bd6b3e0ec0657a1fd76ae5a53e434e19363e93f6ae999135f99594
89adc81706b7dd975f63be1f1269f63add24f292f5c0d93c92b4b411eb6a9fbc
93fbb35c72feccabccdf4d903d10be4bf0090141cef91dfb0e34ab021138c4ba
9dae9cc1db48a1f31f54b1430f72b5a275c5b36afe274510ff25464d6f7f85a2
b43e324ed527c2d52660e31595b5f61c2151808d351ed80fc853e1345bbf6b5c
b828ad714533bdca9fbfd96e14bc8fdcb30f1687bade3025b6b1ddfcf46fb793
c90c69db988bc69ec5a6e82e0b71f006d3ad1309bb8f722a8361fdf2cd573f66
db35f03ab4fb2eff6dfa485e85433f4a61016fc2e18b17793e8e0b6c8afe5585
e3795c261bb84415e76175eee1b7d07aa335b690952116b84cc297a1bbd83001
e71d8f0a51ecf0d078930da518e6b7e8c4c001d42200e0e6965691e8fe1549ea
ec3b170ebe1a9a524091d5c46da9080f07a409fb11c51a841b695951f14062ba
f84a9b3bcfadbeca17b80922487f7632df91f8a1a4adfde04924c7b9f9b54cd0

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Genkryptik-7572204-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob`	10
`<HKCU>\SOFTWARE\WINRAR`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: Startup key`	2
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F`	2
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F`	2
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F`	2
`<HKCU>\SOFTWARE\WINRAR Value Name: HWID`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: IpgKLBFV`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: enchantsf`	1

Mutexes	Occurrences
`3749282D282E1E80C56CAE5A`	1
`Global\{fb001475-4304-414b-b3c4-440bd0301e5f}`	1
`Global\{26af037d-c127-451a-807e-f8d8fcf61bd9}`	1
`Global\{a7ae8b72-b465-4a93-b481-e821d4114233}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`172[.]217[.]11[.]46`	1
`172[.]217[.]10[.]238`	7
`172[.]217[.]7[.]14`	2
`172[.]217[.]164[.]174`	1
`172[.]217[.]7[.]1`	2
`172[.]217[.]10[.]225`	7
`198[.]251[.]81[.]30`	1
`88[.]233[.]219[.]188`	1
`185[.]61[.]154[.]20`	1
`193[.]142[.]59[.]98`	1
`79[.]134[.]225[.]125`	1
`79[.]134[.]225[.]5`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`parking[.]namesilo[.]com`	1
`labosan[.]hr`	1
`doc-14-b8-docs[.]googleusercontent[.]com`	1
`doc-0s-14-docs[.]googleusercontent[.]com`	1
`doc-0s-5o-docs[.]googleusercontent[.]com`	1
`doc-0c-80-docs[.]googleusercontent[.]com`	1
`steel500[.]duckdns[.]org`	1
`doc-08-bs-docs[.]googleusercontent[.]com`	1
`doc-04-2c-docs[.]googleusercontent[.]com`	1
`olodofries88[.]ddns[.]net`	1
`doc-0c-bo-docs[.]googleusercontent[.]com`	1
`doc-08-68-docs[.]googleusercontent[.]com`	1
`doc-0o-bo-docs[.]googleusercontent[.]com`	1
`www[.]habitactica[.]com`	1
`www[.]71kamahistreet[.]com`	1

Files and or directories created	Occurrences
`%APPDATA%\D282E1`	1
`%APPDATA%\D282E1\1E80C5.lck`	1
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	1
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5`	3
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs`	3
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator`	3
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat`	3
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat`	2
`%System32%\Tasks\AGP Manager`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat`	1
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin`	1
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat`	1
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bak`	1
`%TEMP%\53d8a91c-2dcd-4297-b0e0-e83b641b15e1`	1
`%TEMP%\96d19517-693a-4d9b-b0bb-58fe0e73df6a`	2
`%HOMEPATH%\subfolder1`	2
`%APPDATA%\poblyXd`	1
`%APPDATA%\poblyXd\OeqyZ.exe`	1
`%TEMP%\tmp6C23.tmp`	1
`%TEMP%\tmpB4EC.tmp`	1
`%HOMEPATH%\subfolder1\filename1.exe`	1
`%HOMEPATH%\BENZOXYPHE`	1
`%HOMEPATH%\BENZOXYPHE\ARCSINEB.exe`	1
`%HOMEPATH%\subfolder1\filename1.bat`	1
`%TEMP%\2022119685.bat`	1

*See JSON for more IOCs

File Hashes

0b023aa63679132222f38f83cc5d068b64294f27378657a83d5a1e382a0f5f6a
1e25b0da80f232dd7736f1df2d02c06c5352468c2b28edd38a5325ad726f4318
311e0a1c78adebcb8f4557b7982add59176bf534575f372b15de89b350f043be
56acc6bbd93fa3697f5c18ce956bc9fed48780a62f2de0af0422edc832a59cd7
5a4ae15c7cfc24d8d051199a42438fb860630f20eaf1d860a57b4483a9b2a1e5
62183848f4eb2622fa3c83e80d47993b177654cfd514479af13b35ccda07a9e1
6d878ebe8f57192c2a5a30313d09dcfc0a5535369dbaf3df1853148e260c15b2
a06f1515117373a10440cfc5fabd3a4edaa6bad649aa51512da3c84b732737f2
a49994d715e1420a4aeda5a840281d6a502b9785f4e9c900f1528a862f4f459d
ba8781428af0e8996029c8c2a9ed858e67a1433123bf866459f112c6b1a4adb9
ec2b8daf0e06c86331993b6b47402bcfe64d7192860ff1fd9b12bf74c5412df5

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Worm.Gh0stRAT-7571319-1

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: TFM0N`	17

Mutexes	Occurrences
`pldofjxf`	17
`67.198.149.220:8590`	17

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`67[.]198[.]149[.]220`	17
`67[.]198[.]149[.]218`	17

Files and or directories created	Occurrences
`\M7LTT2PQLUU39779`	1
`\4E332EPXUP2T2UDD`	1
`\4E332EPXUP2T2UDD\setting.xml`	1
`\X1MEDE9U9MQ4Q1UV\setting.xml`	1
`\M7LTT2PQLUU39779\setting.xml`	1
`\PLT3XTU7P91P4DXM`	1
`\EVE2ML37TPT2MTQ3`	1
`\EVE2ML37TPT2MTQ3\setting.xml`	1
`\9T7UQELV1DED3E1U`	1
`\3X2MMX7MP34P213D`	1
`\9T7UQELV1DED3E1U\setting.xml`	1
`\3X2MMX7MP34P213D\setting.xml`	1
`\MM393UEXP3U1V39T`	1
`\MM393UEXP3U1V39T\setting.xml`	1
`\4D7913VVQ473ETLX`	1
`\4D7913VVQ473ETLX\setting.xml`	1
`\3M2QLV9D1LQD4DUM`	1
`\3M2QLV9D1LQD4DUM\setting.xml`	1
`\PLT3XTU7P91P4DXM\setting.xml`	1
`\L4DV7DE92PLT3L7V`	1
`\L4DV7DE92PLT3L7V\setting.xml`	1
`\PM9X2XM11XL7TP9P`	1
`\PM9X2XM11XL7TP9P\setting.xml`	1
`\TX19M1LQ22VD4X9P`	1
`\TX19M1LQ22VD4X9P\setting.xml`	1

*See JSON for more IOCs

File Hashes

10090eb3748f2ef4a3410b978df0dec22a0ca628beeaa090831617fb997526cb
3eb86dad7bb8868860f384dd24d16549667ce5b061b58cac1d347d91bc570c8f
44d6e2ae47ae32f07c538f8ddfccc317f75473292ab3b6c83a5ae89d57331917
4c4f1c451117fcf06c6c58ff1db2146cddac669c7c986056d3a544bc639bc81b
551f4de8915c4f2cacf24a47a6f2a8abf04d3013f6d1dcac046b4cd08a316511
5a088eff9314d8fa8c0c3bcde24054159770727d2df8bfd60fc514e14845e60d
8100dadd48d770942ab9ff1fe2e6c07693173d96300d2562703739948239294e
85ca5679a5ca406211e22f5f51498814b632b21bd72de5259eced8b95d981c86
8c8f0914a29cfe562457968af091c6b8696782b86fda717165e8ddca2ac35b83
a12c5d5090f35f8a9aedf9f159469e45a34d76fda6369a7116ca0d6fbc1abfe9
b78ebf81a32e57b134f39555a748823641723d6f42c7878a8115bc6f1363aa31
be31cb2aaaa019e1d3726f8c23705ccef08c64e674a4ff768f5fdc7fbc2f26bb
c0d07e09a2d35bcc63135595f0b5065e78adf3c292257e71a034348dd0d21123
cc440bfe8b21e8e03566e43eda8fbf78d5c1194dc9ae8d7228624bc1c17949af
dd7089ce8745289e0962fea5c8001c7e0bcb73921c25710a3730ed4fc0d8d8c7
f977796809ac7f7babc3b7e44b84b348bb4965f9d3a4b43a6ea81c3b38ab9101
fcd3bc1ab5b4c663c0365471e09685e01160e1f614423a2c6bafbc89e3dac392

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-7571364-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER Value Name: EnabledV8`	36
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER Value Name: EnabledV9`	36
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ozilixas`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: uzurnpuj`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: esalaluj`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: agovoryb`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ozekyzhf`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004109A10090400000000000F01FEC Value Name: OutlookMAPI2Intl_1033`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ixilxvuv`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: yxazigov`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ewetesyl`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: abizynyw`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: amjsegsd`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: iqapasjj`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: jliwywoc`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: enowivic`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: isydipfb`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: elulyzod`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: yhyhohux`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ewpbizyd`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: orebujyj`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ojofukax`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: yrunyfeb`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: esfdozih`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: uqihevur`	1

Mutexes	Occurrences
`Global\epugepiqupupamyhatuxadu`	19
`Global\yladonexilyjabufyfetetawinipipi`	19
`Global\usysisexaqicuseteqisexe`	1
`Global\ysywiqujeqikevotevasowogajirube`	1
`Global\obegahatyqujehinunyfijewydopuva`	15
`Global\urohamiratototacykojumi`	15

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`216[.]239[.]32[.]21`	5
`216[.]239[.]38[.]21`	9
`128[.]31[.]0[.]39`	25
`216[.]239[.]36[.]21`	7
`216[.]239[.]34[.]21`	8
`86[.]59[.]21[.]38`	21
`193[.]23[.]244[.]244`	10
`208[.]83[.]223[.]34`	22
`194[.]109[.]206[.]212`	27
`154[.]35[.]32[.]5`	25
`171[.]25[.]193[.]9`	17

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ipecho[.]net`	36
`ikit[.]blasters[.]biz`	2
`itud[.]jordaust[.]biz`	1
`icev[.]blasters[.]biz`	1
`eqak[.]blasters[.]biz`	1
`esykowyx[.]blasters[.]biz`	1
`ycyzacuk[.]blasters[.]biz`	1
`imivutymucu[.]blasters[.]biz`	1
`akiso[.]blasters[.]biz`	1
`overypubu[.]blasters[.]biz`	1
`yxaratdti[.]blasters[.]biz`	1
`iraqrlan[.]blasters[.]biz`	1
`ymex[.]blasters[.]biz`	1
`ajevareda[.]blasters[.]biz`	1
`ytosonyg[.]blasters[.]biz`	1
`inuxaqwken[.]blasters[.]biz`	1
`ydufujkse[.]blasters[.]biz`	1
`oxunynaduba[.]blasters[.]biz`	1
`ogylipympvy[.]blasters[.]biz`	1
`ikawysal[.]blasters[.]biz`	1
`asasexstab[.]blasters[.]biz`	1
`yslx[.]blasters[.]biz`	1
`ipel[.]blasters[.]biz`	1
`axsrf[.]blasters[.]biz`	1
`ixetehac[.]blasters[.]biz`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%ProgramData%\igudikadilejogic\00000000`	20
`%ProgramData%\igudikadilejogic\01000000`	20
`%ProgramData%\igudikadilejogic\02000000`	20
`%ProgramData%\igudikadilejogic`	20
`%ProgramData%\owegidamivejedir`	1
`%ProgramData%\owegidamivejedir\otopevic`	1
`%ProgramData%\owegidamivejedir\acopaqic`	1
`%ProgramData%\owegidamivejedir\ykopapic`	1
`%ProgramData%\uciqelufyjyryluj`	15
`%ProgramData%\uciqelufyjyryluj\emugavat`	15
`%ProgramData%\uciqelufyjyryluj\atugolat`	15
`%ProgramData%\uciqelufyjyryluj\ifugupat`	15
`%SystemRoot%\<random, matching [a-z]{8}>.exe`	36

File Hashes

01966d2f6ffc32e55ae9cf61192b45d79c9dea2f83223c1ed91fac631408f82a
0d7ca73038b630871bf332e06fa6efcdd8be9bd78fa9be3d09561eb25ab13970
15cfebd8e3941b8079a277535c7cd7487e10d0e5068a7c14d9e2a3056408f419
1ae503736b88bac3f50e9b537483c77cfe320ff6af1164c330b6c2647a480703
1d140e68d59e321066c64b4b8aa17ba676bfaf0e27a658e33f6d20b1c14d7e15
21fa344b6cbba9265353a5b9d1581a377c93e3896d1bd958ba2afb3c292bd168
24836009269f540fde8aa4d74b967a22c390042a30a76a124614ea8e2689ab8d
2bc36dd8f4c9207dcd4e66f8355adaa9fdf9037a0b6b7905512430d46e721947
2d08575cc2db1913c3ca603d3e528ccca990ebde7282d2e259ab85d7c51346b2
3275ad7d7eca08eb0e7109ba1eae744ad07b934e2c35b222bf4f4cfd1601cc29
35bc364d8460264beaaf89237901a720b546fec6a22cbeb166c4e49db6b6e44a
3d197b4896788463b4ce031cc6bb2c5f5ec3b987ee4e83f205cafbcaab384149
3ed3efa6bfc3da524a75013b03985098309ff8871d87e50a6c9b5cad50a7a115
45fa0f900980addac5bf4a528c805355ec8f3edebdf4f36d74d6498beb2f9e90
4794db3d19d99b81c31ab65b06568dc782b52ff80e6aa55a351a89613c3db86f
4ae3784d564c4558e3ea99b80cea23a8373d5f3ada449de72c08b2e95835868b
50d2e30bd801d5bd806d9c85abff75614d9d8d592b322d8fe5f9df2455bc5b0b
53d3e642d001fb563a21b0f0a28748d6ae26ad59b100ee1ba8cf10ec9e390f1c
55124c96c858d5c8ce6d233487a8aa26e8138f7871033e679c59c1dc114d1eb9
58866f02555d41c0a8299275ca036fe7c47553a6615e955e935675e53b0f49af
59c1ad24e09414391265b638fa32b743cf3e2097013eead30e47db9e02f3fbc2
5dc00ea3e7d3b2b9a239ba77525cbf6dc5ecebd1f9d97c25f884dabf043c5134
5ff54a15b800aba735883b03ab68cede13dc0bfbfcc56501d9ac26e9f4d1275c
610027ff0e1826f4af1539ae7142cdb355f255a8e27b0705cbb4e96f3e727613
7305660e95ca3fdcce3b8be49e6d8a6c9f61aa1162ce4b77c1cd06e2fbad6b71

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Kovter-7571676-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE Value Name: DisableOSUpgrade`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE Value Name: ReservationsAllowed`	25
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 Value Name: 656f27d6`	25
`<HKCU>\SOFTWARE\3A91C13AB1 Value Name: 656f27d6`	25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE`	25
`<HKCU>\SOFTWARE\3A91C13AB1`	25
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1`	25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE`	25
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 Value Name: 01b2a448`	21
`<HKCU>\SOFTWARE\3A91C13AB1 Value Name: 01b2a448`	21
`<HKLM>\SOFTWARE\WOW6432NODE\K6TWCT Value Name: 6wRxA9ZQL`	1
`<HKLM>\SOFTWARE\WOW6432NODE\K6TWCT Value Name: cBr568g`	1
`<HKCR>\RAVIGL4M`	1
`<HKCR>\RAVIGL4M\SHELL`	1
`<HKCR>\RAVIGL4M\SHELL\OPEN`	1
`<HKCR>\RAVIGL4M\SHELL\OPEN\COMMAND`	1
`<HKCR>\.W5PHE`	1
`<HKLM>\SOFTWARE\WOW6432NODE\7OGGSL Value Name: itYx4Vw`	1
`<HKCR>\LH8Y07\SHELL\OPEN\COMMAND`	1
`<HKLM>\SOFTWARE\WOW6432NODE\7OGGSL Value Name: 4mXmspx53`	1
`<HKCR>\.JG2BV`	1
`<HKLM>\SOFTWARE\WOW6432NODE\6381BA49F616F0D299E6`	1
`<HKLM>\SOFTWARE\WOW6432NODE\GQSXMYCRDP`	1
`<HKLM>\SOFTWARE\WOW6432NODE\6381BA49F616F0D299E6 Value Name: 013E202B8A3B2DA1`	1

Mutexes	Occurrences
`B3E8F6F86CDD9D8B`	25
`A83BAA13F950654C`	25
`EA4EC370D1E573DA`	25
`Global\7A7146875A8CDE1E`	25
`Global\ServicePackOrHotfix`	4
`16194C57FC116A4A`	1
`Global\C50FA8B86824EC18`	1
`9A64C6027FF2B729`	1
`871D8E9395649C20`	1
`Global\FA5C6929342EC8E3`	1
`4BAFA1398EB6B247`	1
`D12FD5C5B231ABC9`	1
`BBBF5BD15C2A2B8B`	1
`Global\704022EE540B2F4C`	1
`67B0ADCC98BB6618`	1
`53DF59FF587E423B`	1
`Global\8F98C5D480837CFA`	1
`Global\DA02B03F2C04CB99`	1
`170B5BC07C6A1E73`	1
`E5F0E11301A9BCDE`	1
`Global\6B1242F27DA8C7C4`	1
`6154888E137CF66E`	1
`1744E94C489AE9C9`	1
`Global\3535E8BAFCF21A1D`	1
`7EB500E221ADC4FC`	1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`23[.]10[.]193[.]233`	6
`23[.]10[.]207[.]183`	7
`173[.]201[.]146[.]128`	7
`104[.]43[.]195[.]251`	3
`104[.]40[.]211[.]35`	2
`54[.]54[.]193[.]128`	1
`115[.]76[.]165[.]127`	1
`204[.]15[.]35[.]182`	1
`189[.]113[.]72[.]33`	1
`70[.]178[.]183[.]128`	1
`113[.]181[.]187[.]227`	1
`106[.]106[.]188[.]160`	1
`36[.]207[.]228[.]85`	1
`117[.]116[.]105[.]163`	1
`4[.]213[.]232[.]24`	1
`23[.]154[.]45[.]79`	1
`89[.]72[.]221[.]41`	1
`175[.]91[.]106[.]140`	1
`195[.]107[.]81[.]250`	1
`182[.]68[.]221[.]59`	1
`51[.]183[.]235[.]214`	1
`205[.]182[.]45[.]214`	1
`20[.]169[.]182[.]215`	1
`8[.]51[.]40[.]103`	1
`196[.]207[.]144[.]60`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`find-dentalimplants[.]com`	25
`e10088[.]dspb[.]akamaiedge[.]net`	7
`e3673[.]dspg[.]akamaiedge[.]net`	7
`www[.]swsoft[.]com`	1
`rolfrosskopf[.]de`	1
`www[.]virtuozzo[.]com`	1
`littleauggie[.]com`	1

Files and or directories created	Occurrences
`%APPDATA%\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\runme.exe`	7
`%System32%\WindowsPowerShell\v1.0\about_special_characters.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_split.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_switch.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_type_operators.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_types.ps1xml.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_variables.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_while.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\about_wildcards.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\default.help.txt (copy)`	4
`%System32%\WindowsPowerShell\v1.0\getevent.types.ps1xml (copy)`	4
`%System32%\WindowsPowerShell\v1.0\powershell.exe (copy)`	4
`%System32%\WindowsPowerShell\v1.0\powershell.exe.mui (copy)`	4
`%System32%\WindowsPowerShell\v1.0\powershell_ise.exe (copy)`	4
`%System32%\WindowsPowerShell\v1.0\powershell_ise.resources.dll (copy)`	4
`%System32%\WindowsPowerShell\v1.0\pspluginwkr.dll (copy)`	4
`%System32%\WindowsPowerShell\v1.0\pwrshmsg.dll (copy)`	4
`%System32%\WindowsPowerShell\v1.0\pwrshsip.dll (copy)`	4
`%System32%\WindowsPowerShell\v1.0\types.ps1xml (copy)`	4
`%System32%\WsmAuto.dll (copy)`	4
`%System32%\WsmPty.xsl (copy)`	4
`%System32%\WsmRes.dll (copy)`	4
`%System32%\WsmSvc.dll (copy)`	4
`%System32%\WsmTxt.xsl (copy)`	4
`%System32%\WsmWmiPl.dll (copy)`	4

*See JSON for more IOCs

File Hashes

072035cc5fd36e5a21299e4c300311dfaed05b680f7b7e8ccb5d4212fd638712
080de2ac18189ab84019a22f5b7d5d49f087db70a4b52514961acf92ce302946
0a69ad9ef0cf4c9c908e70cc905836fb3e268f6971cc7b5f624f6fc3d895b9cf
1500979f9783b9f49dee8769874d5b23538323d2b483d9997304a619a527bae9
1fcfd76d6196ae6503fce812aff4b24fa498ee5d53090c74894881a057f05a2b
2563ce697e2da03842e74a292b82e2159ca18790e3921a9914a3383a35227fc9
2593888c917bccb77ef2b66467dce8ba0c17319a7f0e403fb5b6bff7be9f969f
262ca735f83655220d16258371d7d8ab50a84978185e7885a15d3cbc2b8c9d93
279ec147df4ab831ed8e3c9981647f21fa264544245c188d39bf3942e2907eba
2875a1bab3f9d8134995621a358fb158a1b254044177276fa6fd90e711c974b2
2bd029e950c1a626d5c979a1a1af238711da6af5cc84058ca8363ab4d5b0e9ba
2ca80804b8ec61c82e050c0eaf62166a0c313ee3adc1b28d03586a4a5227797a
2e42247fc678aa01b440958456b7f232e71775259c54bc9202b730d5a4e76bcc
2f08d47ecf5c2656ed75786d82b1d5a5388699f1533a9c8c91274dab6c085523
38c3aa03de00f8fc19121cd5ffb8fda9babecb621541d48cf4a3640e8f657e9f
3b4c1abc83f05a1a2167510a78b6e32027c69e0fca9d3dc31668b81ea9aff937
3b74d8005163c38c1c1187cc914632dda1fc530821d25839c4b41e08ee626641
3bb4032f62824b803bc6c63c0e92f7d1117699585375e879b24ed392754a1c6e
458f6e2b8a63b419b9f47ef20b1dd0e3a6652d06100c30a0f031b7e84e48e4b9
4b1977f5f8bd5108f8b30e827aea6f536417db02ba087698a44142f18c2307b0
50dfd29d9a7ca4f48e04c015b93fa05d28416fe84b9422669238e1b6089b9ca3
51df5522ddedb5bec493acc2c4ffb8642d3a9e8c6a0d7258454bf2ff8398697a
5a0ca2319596e3b4d353cc091d8d959eafae9eb0c4bf2116256e6bab2909d75e
5da7a9fd096ffe66991211b4556352e58d177e72dbe57cd84269c0bded5396ec
5ebd2eaa37527dafa68105ededbc8304472c0a25be6b7e5d606c0deab526b07c

*See JSON for more IOCs

Coverage

Product	Protection
AMP	N/A
Cloudlock	N/A
CWS	N/A
Email Security	N/A
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

ThreatGrid

Umbrella

Win.Dropper.TrickBot-7577793-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob`	3
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob`	2

Mutexes	Occurrences
`Global\316D1C7871E10`	47
`Global\785161C887210`	44

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`216[.]239[.]32[.]21`	4
`216[.]239[.]34[.]21`	4
`176[.]58[.]123[.]25`	3
`216[.]239[.]36[.]21`	4
`216[.]239[.]38[.]21`	3
`104[.]20[.]17[.]242`	2
`116[.]203[.]16[.]95`	2
`104[.]20[.]16[.]242`	2
`190[.]214[.]13[.]2`	28
`181[.]113[.]28[.]146`	7
`181[.]140[.]173[.]186`	24
`45[.]125[.]1[.]34`	5
`52[.]206[.]178[.]1`	1
`54[.]235[.]220[.]229`	2
`54[.]235[.]203[.]7`	1
`198[.]8[.]91[.]10`	7
`82[.]146[.]62[.]52`	8
`5[.]182[.]210[.]246`	6
`5[.]182[.]210[.]226`	4
`34[.]198[.]132[.]204`	1
`51[.]89[.]115[.]116`	5
`85[.]204[.]116[.]237`	10
`93[.]189[.]42[.]146`	3
`194[.]87[.]238[.]87`	3
`146[.]185[.]253[.]18`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`www[.]myexternalip[.]com`	2
`ident[.]me`	3
`myexternalip[.]com`	6
`icanhazip[.]com`	4
`ip[.]anysrc[.]net`	2
`api[.]ip[.]sb`	5
`ipecho[.]net`	4
`checkip[.]amazonaws[.]com`	3
`wtfismyip[.]com`	1
`api[.]ipify[.]org`	4
`ipinfo[.]io`	5
`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`	32

Files and or directories created	Occurrences
`%APPDATA%\windirect`	8
`%APPDATA%\windirect\settings.ini`	8
`%System32%\Tasks\Windows .Net library core`	39
`%APPDATA%\netwinlib`	39
`%APPDATA%\netwinlib\data`	39
`%APPDATA%\netwinlib\settings.ini`	39
`%SystemRoot%\Tasks\Windows .Net library core.job`	25
`%APPDATA%\windirect\data`	8
`%System32%\Tasks\Windows Direct core tools`	8
`%SystemRoot%\Tasks\Windows Direct core tools.job`	8
`%APPDATA%\netwinlib\88f4d8d02c72f50d136c15678cf3be9e.exe`	1
`%APPDATA%\NETWINLIB\<original file name>.exe`	39
`%APPDATA%\WINDIRECT\<original file name>.exe`	8

File Hashes

0a9f9afb0da70420f5b3bb0122f8a3e61cefa5e3b46ba0b22105861ccb4c4731
0bb38dd296227bd17fab03f287075d6d88979d9a7c0f2260900d6c79be113ed6
0c7358921c14cf5e27e1cc7522379f53b114ada048304389e2fcdd821437dcfa
0eefd7ae0d678d8e9426a3f2344baea842b09d9f60f23564e9ca38b36a2c7866
15a808f1d972bd04819ce062bfca15af6a3defc7434a4cd1df0d0f557f0b9244
19038675ae06629f0d1c69226d079a8bab2781c0531175e80edef91a1ce9a80d
1c8919240e4882c3bb261ebe3a58b950e155ff022816dbcb1c1647413f7ac82d
1cc919c69b243005688f45f53418b58ea990a40e8527aa273b797c58a592f6ad
228e28941d69b5f2a1dc9607e91f2313e4843fe4fe77e8d246c9121271012f19
278605aa9843e8eabd5e7cdc83de8a7eeb76c29a19bb41f88bed78f844d94425
2fea0302c8ffa171845092e26e5d22d92eacaa2f32ef8e0149c5480b39eb567b
329f07a624ed34bda1aaabe0e867016862937b6f08bcfa3ae6d2eeee266df41b
3a77c6f027d54b14417be9380c0e190302d98a437f7fde23cc878b2cf62d7832
3e37550017efa6c92c0060a8a5733f8b3d110ecee14d5f5e8be9a66d9dc09af1
43dc628e385c2b79471a052fbe8ad0a011301b5f56231c01f1a8aa0422482721
46d3e013654582412c2b81b841d0b9cb9baa049e3b8e62a447ac656173fc964a
47b5bef23c6129244b84a4774785c48daad1591d253001723279b180ec828962
54b553f3ef10badaccb9ef6dff73c4c6f29a35685694e6afa8d90643acd78791
648dd27a4affa4eb955935a1b66a72000fd2035a1c1aff4e640339534b767e00
682df81e000e3e2bfc4fbdb6b9ff7bdb6020ee6b1388ab3bc95be66bae65ae4a
6d2788dfa3f6e5a054eda08200a97664368b9874350555b65f4319088f1d2e06
7364613d95319976a837e6b5df8bbcb8a9e94125b816253ff6ab523f55c98c77
74e990e02d30c7ddfddb15d7411124e46da01d486abc0f7439559bd19e56ad12
7747552af8960acf1fc3090d1812c19dc38d8cf015846dcefd88c12dec0afc9d
7eb312b1de92aff32d189eef03650ba2b9bd710ca337bf24c2ed46dcdedcedc7

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

Win.Packed.Zusy-7572206-0

Indicators of Compromise

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	7
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: 36412`	6
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`	1
`<HKCU>\SOFTWARE\ATLTLCN`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V0Y3JD1E-U88T-472J-2REI-16PSTS01I841}`	1
`<HKCU>\SOFTWARE\ATLTLCN Value Name: ServerStarted`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WmiPrv`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V0Y3JD1E-U88T-472J-2REI-16PSTS01I841} Value Name: StubPath`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: WmiPrv`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: WmiPrv`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: Load`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: Load`	1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Shell`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Shell`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: WmiPrv`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: WmiPrv`	1
`<HKCU>\SOFTWARE\ATLTLCN Value Name: InstalledServer`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: FIXMAPI 1.0 MAPI Repair Tool`	1

Mutexes	Occurrences
`XTREMEUPDATE`	1
`1009299684`	6
`2562100796`	6
`lol`	6
`mjwzCaJUioOZIIF`	2
`ATLtlcn`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`40[.]90[.]247[.]210`	3
`40[.]91[.]124[.]111`	2
`20[.]45[.]1[.]107`	1
`138[.]197[.]221[.]199`	1
`192[.]40[.]57[.]179`	2

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`www[.]update[.]microsoft[.]com[.]nsatc[.]net`	6
`infernushosting[.]net`	6
`bighecks[.]org`	1
`pen[.]is-certified[.]com`	1

Files and or directories created	Occurrences
`%TEMP%\x.html`	1
`%APPDATA%\Update`	1
`%ProgramData%\Local Settings`	6
`%ProgramData%\Local Settings\Temp`	6
`%ProgramData%\Local Settings\Temp\msuwavie.pif`	1
`%ProgramData%\Local Settings\Temp\msariiz.scr`	1
`%ProgramData%\Local Settings\Temp\msvbazez.scr`	1
`%ProgramData%\Local Settings\Temp\msvcais.com`	1
`%APPDATA%\Update\Javaupdate.exe`	1
`%APPDATA%\Mining`	1
`%ProgramData%\Local Settings\Temp\msabomu.com`	1
`%ProgramData%\Local Settings\Temp\msezizyf.exe`	1
`%APPDATA%\Mining\coin-miner.exe`	1
`%APPDATA%\Microsoft\Windows\ATLtlcn.cfg`	1
`%APPDATA%\WmiPrv`	1
`%APPDATA%\WmiPrv\WmiPrv.exe`	1
`%APPDATA%\Microsoft\Windows\ATLtlcn.dat`	1
`%HOMEPATH%\Music\fixmapi.exe`	1
`%HOMEPATH%\Music\wdmaud.exe`	1
`%TEMP%\msaaqinu.com`	1
`%TEMP%\msitezcn.scr`	1
`%TEMP%\msavoyauu.pif`	1
`%HOMEPATH%\My Documents\My Music\fixmapi.exe`	1
`%HOMEPATH%\My Documents\My Music\wdmaud.exe`	1
`%TEMP%\msqwwu.exe`	1

*See JSON for more IOCs

File Hashes

18226c65547a1de83f00028171b8948b5c9fb33d194afd1f3f92fa5c90fdaf45
298b5a668c186cdf8fde2dc29e38d0921734b3322fe6191dabd79a12ce3440bd
2a57280bffa1d45f7510ed16d397f568395d057f10c8de214e590f458f465682
412316ac563c1028acf3d41652c670f29e60636198a304f5e560ac87ab7b4aaa
4a8dfad4d821e5f74b9f11ff82131fd533b14d4039ab1d52164a73fe08b5f05a
66bec557cf492d9014a3be80c31d53b29bc78e98d9485ef4f78de853e194c57b
a71a598119ebb1598db7857d9619b71e21a447f5aec4de74fc112d4d09b90025
ba02e51162dd1ec07a955f706d09dcfe5a860adaae0e990fe1fc3809d28c0143
bbbfdd70c93b7728b38eb826b85c70e212d9ca355347fa61f10bc6488103f650
d499aaf6b7e484b7a5bf76df7a9fef3fc48e42a107020196b9c96e8637dab8db

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (5540)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (252)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Gamarue malware detected - (177)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Kovter injection detected - (142)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Installcore adware detected - (103)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Excessively long PowerShell command detected - (100)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Dealply adware detected - (58)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Corebot malware detected - (15)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Trickbot malware detected - (9)

Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

Reverse http payload detected - (6)

An exploit payload intended to connect back to an attacker controlled host using http has been detected.

Cisco Talos Blog

Threat Roundup for January 31 to February 7

Threat Breakdown

Doc.Downloader.Emotet-7572697-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Nymaim-7569940-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Dropper.Genkryptik-7572204-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Worm.Gh0stRAT-7571319-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-7571364-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Kovter-7571676-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

ThreatGrid

Umbrella

Win.Dropper.TrickBot-7577793-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Packed.Zusy-7572206-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20