Friday, February 14, 2020

Threat Roundup for February 7 to February 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Doc.Downloader.Emotet-7580217-0 Downloader Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.ZBot-7578445-1 Packed Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Trickbot-7582953-1 Dropper Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.NetWire-7578556-0 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Gamarue-7580018-0 Packed Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Trojan.Kovter-7581113-1 Trojan Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
PUA.Win.Trojan.Bladabindi-7581164-0 Trojan njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone.
Win.Packed.Ponystealer-7581286-0 Packed Ponystealer is known to be able to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT).
Win.Ransomware.Cerber-7582361-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.

Threat Breakdown

Doc.Downloader.Emotet-7580217-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: c019706b
2
Mutexes Occurrences
Global\I98B68E3C 18
Global\M98B68E3C 18
Global\IC019706B 2
Global\MC019706B 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
67[.]195[.]228[.]95 3
157[.]7[.]107[.]4 4
190[.]228[.]29[.]115 3
208[.]84[.]244[.]49 4
105[.]187[.]200[.]240 4
23[.]227[.]38[.]32 3
72[.]18[.]130[.]169 3
69[.]175[.]10[.]34 3
83[.]143[.]28[.]130 4
5[.]2[.]81[.]171 3
41[.]191[.]232[.]22 4
23[.]21[.]177[.]74 3
89[.]97[.]236[.]171 3
190[.]196[.]217[.]50 3
195[.]57[.]58[.]70 4
206[.]183[.]111[.]62 3
192[.]185[.]181[.]168 4
77[.]88[.]21[.]158 4
87[.]250[.]255[.]212 3
46[.]28[.]106[.]9 3
77[.]88[.]21[.]37 3
83[.]143[.]24[.]50 4
86[.]96[.]229[.]28/31 3
74[.]208[.]5[.]14/31 3
173[.]194[.]204[.]108/31 4
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
smtp[.]outlook[.]com 3
mail[.]outlook[.]com 3
smtp[.]secureserver[.]net 4
mailv[.]emirates[.]net[.]ae 3
pop-mail[.]outlook[.]com 3
pop[.]secureserver[.]net 3
mail[.]secureserver[.]net 3
secure[.]emailsrvr[.]com 3
pop[.]yandex[.]com[.]tr 3
smtp-mail[.]outlook[.]com 3
outlook[.]office365[.]com 3
mail[.]telkomsa[.]net 4
smtp[.]yandex[.]com[.]tr 4
mail[.]yandex[.]com 3
mail[.]municipiodeyaguachi[.]gob[.]ec 3
pop[.]vbn[.]co[.]bw 4
mail[.]in[.]cpm-int[.]com 3
mail[.]siajewellery[.]com 3
mail[.]firstgourmet[.]com 3
mail[.]lolipop[.]jp 3
pop3[.]lolipop[.]jp 3
mail[.]doves[.]co[.]za 3
mail[.]vbn[.]co[.]bw 4
smtp[.]vbn[.]co[.]bw 3
mail[.]domverconsultants[.]com 3
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\298.exe 20
%SystemRoot%\SysWOW64\AppIdPolicyEngineApi 1
%SystemRoot%\SysWOW64\msctf 1
%SystemRoot%\SysWOW64\cipher 1
%SystemRoot%\SysWOW64\msftedit 1
%SystemRoot%\SysWOW64\iprtrmgr 1
%SystemRoot%\SysWOW64\xpsservices 1
%SystemRoot%\SysWOW64\uexfat 1
%ProgramData%\UmCbkT.exe 1
%SystemRoot%\SysWOW64\dhcpcmonitor 1
%SystemRoot%\SysWOW64\psbase 1
%SystemRoot%\SysWOW64\f3ahvoas 1
%SystemRoot%\SysWOW64\XpsRasterService 1
%SystemRoot%\SysWOW64\NlsData0414 1
%SystemRoot%\SysWOW64\rnr20 1
%SystemRoot%\SysWOW64\KBDIULAT 1
%SystemRoot%\SysWOW64\KBDHE 1
%TEMP%\1A19.tmp 1
%SystemRoot%\SysWOW64\dhcpcore 1
%TEMP%\2D63.tmp 1
%SystemRoot%\SysWOW64\mydocs 1
%SystemRoot%\SysWOW64\wininet 1
%SystemRoot%\SysWOW64\twinui 1
%SystemRoot%\SysWOW64\ureg 1

File Hashes

0031f41b3edde21592bc42365e01689f23a73a634d7c8ffc0807e60e1a189a38 006766d9879f75d74de2c385ce8418fb838989af2046d8d329ad6ae7dc6d26eb 00efa3f945cfd76037639b91f2fd9208525eb377235440544c29e2c0d93a1c19 012b10d254c825b01bb0ae5f604bc59de7c0cac54bdd17b7f7dcd3e63ce89c66 024b77f2ff26f37e132e450a1d9a04fb94be78ecb0459afc5a09638efbec7cc5 02f55988f95d388efd2da064560eb349eab243dfc8eb806273850d707d74cb07 05c41c7550b30e8074e29985b3d4a75c209156334b93647f1e5d56a77cffc4f2 06a35e532b1e957c8fc2d44c2c370769fcc829479d90cb342b59dd7be17f58a1 0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b 0b878e218014a87bc4674a3f8c7113b207cf3e3203ba565c9e3fcf62cb5f18d6 0d45faaf1c2a3cd60340c2d9436fa60571f024ce17cb29089a538b3294aa8a3f 15d9234eeea6f729bd2a36b17e5cc5de58baa05a3ce2258675dd2620e4c28fb1 18195f809af26a3950879186304039c5592a8514671bb32cd6d45d7bf3014e4a 18c98bca74464c6bbe992bcffa838b6224e42419eac19e69ca0da0514968ccd6 18d15aa6b4831299695ceb06dd8ad7398dc48729314ecc0219a75833cc693dd4 196e94c02598dfcfaaf2b62c410c7d64eea908cc19c3af922277e2f1c5f3320f 19c05a961a7babe4bf5ef5889e358ba0df4b790a0b73544d5961bfef2e7d3451 1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1 21739583fe20050c9ea0aab5c23843a68b3d000a658b72f3148a98e4c0ba330d 2576c16870fedf186a782acae71056a381f01efbdd0c7df30a36daf526072368 26c3ffa34af8692430389b2132228ac0ad44b4a9cb2cf0a3c736468bf1ad1c1e 294233e4170042ad9ca33b8e5a227fc3e4033be090a25953a2d0e013f06e0a52 31522d4b3a684be27b58cddf1bf17be3f5cb34d5fc6fac0baba7b5d1aaf28e73 37cc6b1c356b5e15dd0fffc7ca4b58c760f02795ed47cff09e0b314951337a99 380fed9a967852beba37e632a51fce2a08f1c8b3b48330851a1fd40ac6dd1b84
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Malware




Win.Packed.ZBot-7578445-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: AppInit_DLLs
25
Files and or directories created Occurrences
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll 21
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe 21
%SystemRoot%\Tasks\kylaxsk.job 21
%System32%\Tasks\aybbmte 25
%ProgramData%\Mozilla\thfirxd.exe 25
%ProgramData%\Mozilla\lygbwac.dll 25

File Hashes

083229d33405150930a1d1cb416882532138571c5dc659afc9cd80c8770e62b8 0c3bd17a29727331d9381f47943c6950b9a01828a1f6337ba17ced510616fff6 156d95f97c320ce13dbbd675c1240447f207096eab813f0ca852c5bec63ee3b5 172985bcfe276d18762f3a0ac551d15f49885e956478bfcc08cf5524d326ea25 1965ff8d288665c76396b6029aeb1337972735a4610ba879cf7bd407fb2a8827 27fdacd8808b754d66dfafbff9e4fc2173a799a94c5251117fe17f3af1428c06 3dc7b1cc278e41b56b9cf23e4fc10a74ac2c62867beebdacaecb6ba8103f2679 3eb746e6a92be3a38280129157597eccdffa14b881667c4d42167d0fee7e9c36 41dbab1de30bba1ae12cd63c2fccee455f6ac304e8d8909b1e9a9c4df4894620 4e07f974bcd096ee7e4db358855054bad5de2d9f0ec7ab3e3ed4151a3be2f95c 59e9dfc13476d28583402405e503be73e433d16888c2485956634751b9ce525b 5a93627200929bd11b532a8ff6e1df06467af81e80a4aa967873c80cb7ed7c73 5ce641289dee052cf18a3b76b25d77a6fdfa11b794048d86ef31f32889cc8da5 633d2684a78baf37a289ba913060b65c06d47dbe96c91b79cfbf9042cf8353a5 67d7bd9279e73e5563afe27e0145ca66df510167af85cc56fe4172fb6da6f838 79e2d39c6357dc3a3b057f05d0f53bdbaf1e51db61dfde985bee7bc1e05ed33c 7b344ba74f11fe719b8321da501d86598ab43fdf6a662ee1aafe6cd829add6e1 7ceaa69cbffcffefdea99f110c7b031439b0ea8d9caa7f475f117c975989f65b 834fc5e70088fac0e7df245b20ca3319d692763ff28b6407e835cd38a8a4403b 84d61f9eecf8973c0f9815faaff6b676857d0c0065e584b48ba31f8985923317 87db422f9fdc1a6266e78fcf69d9339f5dd2a55288ccf35ad3239da5a6a22d0e 8c43aafc29a44c7b54f5b228961737018b65c949288e170c598810505658cac5 8c754e7edf8a2aecb6d3fec2cbe7e07135fc74beb7aed0e7f3544cdc67266c44 94211619fcc8304b7dabd5d683ee525774c3d9ac34ec7809da2ae27eeb62c49a a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

ThreatGrid




Win.Dropper.Trickbot-7582953-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
3
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
1
Mutexes Occurrences
Global\316D1C7871E10 29
Global\785161C887210 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]239[.]32[.]21 1
216[.]239[.]34[.]21 3
216[.]239[.]36[.]21 2
216[.]239[.]38[.]21 1
104[.]20[.]17[.]242 1
116[.]203[.]16[.]95 4
50[.]19[.]116[.]122 1
69[.]195[.]159[.]158 1
190[.]214[.]13[.]2 14
181[.]112[.]157[.]42 1
181[.]113[.]28[.]146 1
181[.]140[.]173[.]186 16
119[.]252[.]165[.]75 1
45[.]125[.]1[.]34 2
54[.]235[.]203[.]7 1
23[.]21[.]50[.]37 1
198[.]8[.]91[.]10 3
121[.]100[.]19[.]18 1
171[.]100[.]142[.]238 1
82[.]146[.]62[.]52 2
5[.]182[.]210[.]246 2
5[.]182[.]210[.]226 3
51[.]89[.]115[.]116 5
85[.]204[.]116[.]237 6
93[.]189[.]42[.]146 7
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]myexternalip[.]com 1
myexternalip[.]com 3
icanhazip[.]com 1
ip[.]anysrc[.]net 4
api[.]ip[.]sb 2
ipecho[.]net 2
wtfismyip[.]com 1
api[.]ipify[.]org 3
ipinfo[.]io 2
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 9
Files and or directories created Occurrences
%APPDATA%\windirect 29
%APPDATA%\windirect\settings.ini 29
%APPDATA%\windirect\data 29
%System32%\Tasks\Windows Direct core tools 29
%SystemRoot%\Tasks\Windows Direct core tools.job 25
%APPDATA%\windirect\bc434c1a3bd87c0cb40c31a3caac7831.exe 1
%APPDATA%\windirect\7a2bd7d2423c2c83b3bc987c22da348c.exe 1
%APPDATA%\windirect\a073a92c82bdad2dbdcba4bd1b322bdc.exe 1
%APPDATA%\windirect\7baba02278378b0d739b212389d20c2c.exe 1
%APPDATA%\WINDIRECT\<original file name>.exe 25

File Hashes

007e9d94f91258cdc60ba3fd7df1ed56b00c7c08ecff19c484343ce95978c096 068f1532a0c7e9f564e92f9b093f4cf4a534ef9aa6ee0e6ec6b992beba9404f1 09edeec6283a7986081aeaa4715321a383d675dbfbd2486d01b7e5c9fd81dfc6 0a324fcc5e761067096e9f2161ce3da69c0836972cda72e8740532cc7e84866a 0b19441ced2510b94d977feac51406e3e2a9b9b68f6e8df7a8710c9df29ec8d9 0fe8b3586aa6098767690b4ee1b1fbb39d047fcd7a929d2726f634365eacc6a8 13a865d3702b86db5c13bf6190a03da070ca23c094f8d3c2818ef788655b695b 14fa94928f23ccdb90400c7628327649543d9fd9dae6e963b8c1d96e0ebf7699 184c8d777fe98828143da4f2d762d094475a5eaa9018f77a97e8aad7d5cc696d 1ee8f3dec5556746589f417e1553a7c5f63eca1bab55d5ec95a96feb5ceb7c20 24ce27efe076795d16b9530988cf7b66df89b1f5e1c170a43c509f19b7ca1f94 2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac 29346d7f7895e449a9b09135e2c05deddfddbe9db62db4eb8d33f8f458b13e7a 2b30cd5e49572f0ec94855d7d64ebb4ccfb89c0e2ce0804010a36b892a0e2d3d 2bab0171d0bcbb1be86ef7ea26aa76a10155978a84c08214b156e837a024372a 34e46ae12096f2a6f3aa9ccc9d59cb94ff0ef151da405f056f43b3b2eb9781b5 3c4bad8514148748ac20c348ad75e47633ee2723db56fb993503719390eeca75 3d9acac16267698fb1f3ac47d0d05a2dda4c4758e9b36c9e1644f89e041556ba 42a29cd7a6ce5a5f864a99968f85e7cb4b8d22383b7e194cfd0d558e463c7b70 46cad7db43d81067d78055680a8434ccf1090e3afbc52654ba4dd905038c7a9a 492425d2ab26c3d88845c3d3ee8c13cd7bef8fc893ec71f61881bd1cde33f358 499a4b0530fcff51c3f8703e727ba8fee36c19229be9a650cd5b7dad1d184a79 4cca83ef698b44352c95dc6b05dbaa1eca0521454179932bb4d8094c01133bfb 4d2be228e84f31aade8e7be4c37e05921e3f94297b2a45fe7fa2ca61d5e8dfbd 4d678fc86bacc1f3c53f7b96c814710a5029306be44a90d32c482719ff308b45
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.NetWire-7578556-0

Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
88[.]198[.]117[.]83 25

File Hashes

05848831206819b63dabd2116e673d28de675e62cf7d858fa4764bfc7a1e9b40 1504dfb0c30dd51fed5c8940d5103479ae565fba3d839f7d973925fa868a6097 17e436f6312f5cb021419beabb8985272593995ccc09110f27abfee1d1eed74e 18bb29e7f9fcc8410d0e613a4989d47b5f1b38023c26bb95a4fe5ae53c2f52ff 1a996582f6a9e60acc72d4266067c9e5ff48ac32bdb45fc8787cc366ff4bd790 27540988f360e65aa1ca42007c551fb73ab1b36ed5408ff098389b6ce3ac0f94 27fb4531c6056a49b297b20a24eafaceabb954aeb24dc00813e85884e2d0a5ce 2ace0152ad8eb298bcae92ebcf3c27c09ed25620c59642be684886bffee56ccb 3c1c1ccf871e10907e69945363ada929b5841d4d192a8422745c47731d33bcfd 3efa7242e48e0be611c350de170776f8537fec4e7c0105ec86e44a18e95db367 46988782ad1012c66e2de02140c2f5d4f210916b0ace64d5c29018336ba76668 4b8c0fcde33aedb55f6e087fd9526699f188f3e3030e33bd04cd8785b748ebe1 4e9562ec338b3e4dbaca5f30289881689f5e4ca5ef7fffb4afe73abe040213b2 5609f2f063ee870c77bfb1e2912d7d5080f85755e069a67c94a6258bebe5f367 5f446e1da31fd31ec83cb6fa2b26da3ae2821ca60273152079736006f498841e 610007b784ce5e7ffa2a2e646e60c72277a0222b2f18fb74eed55d25f1af37dc 6253c1a4ebbfba5de561219996ddc45af59f4ca3b35a3f95354f5ae91c78bbe0 68a0b82d1b3a21dcbd78de0bdb31f69e4afdb4c20750929d9959af168aa4457d 74a0bc89f2667f79264105d44c751d625fbc53ce5a12771134b9c32ca9e916c9 74b44c73bf6f45344bb4aef9f469b3ca92b76b6c0e479e126cab0e35f679c9ca 7caee05382db7f0819893217db61a70cb249d1de1530fedf80e56a9fabc445d6 7e00eca478b68881e4722e2aba2094e468b4b457515d4b8e247b624189ecfc65 8851b44b9e92689115050278bef0261926ecda761a19a566a73fa29de08bad69 89c33a22731e48e90417e2877e318c86a7ac57b5d9ba4c9a39bc65bf27191935 8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

ThreatGrid




Win.Packed.Gamarue-7580018-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Sidebars
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: twunk_16.exe
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Taskman
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update Manager
1
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
1
<HKCU>\SOFTWARE\WINRAR 1
<HKCU>\SOFTWARE\MICROSOFT\MODULES 1
<HKCU>\SOFTWARE\MICROSOFT\MODULES
Value Name: Number
1
<HKCU>\SOFTWARE\MICROSOFT\NOTEPAD
Value Name: Body
1
Mutexes Occurrences
alFSVWJB 2
PuredairyBB9 1
PuredairyBB10 1
PuredairyBB2 1
PuredairyBB4 1
PuredairyBB8 1
PuredairyBB7 1
PuredairyBB6 1
PuredairyBB15 1
PuredairyBB14 1
PuredairyBB13 1
PuredairyBB12 1
PSPSndkvsdvd0199201 1
PuredairyBB1 1
PuredairyBB5 1
PuredairyBB3 1
PuredairyBB16 1
PuredairyBB17 1
PuredairyBB18 1
PuredairyBB22 1
PuredairyBB20 1
PuredairyBB21 1
PuredairyBB19 1
PuredairyBB29 1
PuredairyBB31 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
195[.]22[.]26[.]248 2
23[.]253[.]126[.]58 2
184[.]105[.]192[.]2 6
104[.]239[.]157[.]210 2
104[.]42[.]225[.]122 8
40[.]90[.]247[.]210 5
40[.]91[.]124[.]111 4
20[.]45[.]1[.]107 9
109[.]120[.]180[.]29 2
94[.]102[.]52[.]19 1
217[.]23[.]8[.]142 1
109[.]236[.]86[.]119 1
93[.]190[.]140[.]141 1
108[.]59[.]2[.]221 1
109[.]236[.]83[.]12 1
80[.]82[.]65[.]207 1
217[.]23[.]3[.]105 1
217[.]23[.]4[.]220 1
93[.]190[.]140[.]113 1
217[.]23[.]9[.]104 1
93[.]190[.]142[.]191 1
94[.]102[.]51[.]231 1
217[.]23[.]7[.]3 1
80[.]82[.]65[.]199 1
109[.]236[.]86[.]27 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
europe[.]pool[.]ntp[.]org 9
www[.]update[.]microsoft[.]com[.]nsatc[.]net 9
and10[.]uzuzuseubumaandro[.]com 1
powerrembo[.]ru 2
and4[.]junglebeariwtc1[.]com 1
faumoussuperstars[.]ru 2
martivitapoint[.]info 1
and10[.]uzuzuseubumaandro1[.]com 1
spotxte[.]com 1
nutqauytva8azxd[.]com 2
nutqauytva100azxd[.]com 2
nutqauytva2azxd[.]com 2
nutqauytva10azxd[.]com 2
nutqauytva6azxd[.]com 2
nutqauytva11azxd[.]com 2
nutqauytva3azxd[.]com 2
nutqauytva9azxd[.]com 2
nutqauytva7azxd[.]com 2
nutqauytva5azxd[.]com 2
nutqauytva4azxd[.]com 2
109[.]120[.]180[.]29 1
vedivenivici[.]ml 2
delvernet[.]info 2
otter[.]pw 2
oingee[.]pw 2
*See JSON for more IOCs
Files and or directories created Occurrences
\Documents and Settings\All Users\mslkrru.exe 9
%APPDATA%\WindowsUpdate 1
\RECYCLER 7
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771 5
\TEMP\C\UPDATE 1
%APPDATA%\WindowsUpdate\MSupdate.exe 1
%APPDATA%\alFSVWJB 2
%ProgramData%\msodtyzm.exe 11
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771 2
%ProgramData%\~ 11
%APPDATA%\alFSVWJB\twunk_16.exe 1
%APPDATA%\winamfes.exe 2
%APPDATA%\alFSVWJB\splwow64.exe 1
%TEMP%\-1631195624.bat 1
%TEMP%\115828.bat 1
%APPDATA%\alFSVWJB\winhlp32.exe 1

File Hashes

0e6f120bd1607731a34778c8d2f3a038414dd3d263ca25c5e5941558ece492ca 1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4 1d453682f2771631919717c54b95b6e90a1e4231c9c503ef4b5fa302e247d314 1f7c808b0fb82df3a2e27e4819224d176f1be5dca98752ca0545591e740112e6 20ba9da6df29a870a6826425b23b7508606bdaad662f0238da378091ed1067ef 2324b414e6300fab1abdc2d1e5bb128544c94419dcc6656b105bc69865480d88 36b578d5abac82fd7db98a77869112dbf7e0bfa8433febca08b1c16370f68a2f 3887f3a97e906d5bd9d94ba1117953c46ba0dd1cd5fbae4653f4cd1924ae258e 5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41 68b13c4a8a9fe01bf0567627d099b1a6cb98eef7bd4762bbee5420efbcc8a470 693086bd9b704e5927f76f40a8b04136b1f7d94a482a9020126819a407d24aa8 6edddbf48f261ae99c5a7dfd3fc2c443a3674f68ca3076b391c89e7023dc4c54 70c203465f54113975e075563cf824ba3632a3227eddd38c651b8f5a58cf2bae 7b3c8d5208b4c9e1747e670c67d44a581c68e299a486eba6d7f96cbe527e6855 7b3efe2cf5dc30bf2329986bdcd680f4195a8f750f507e96a3395d8a4a9310fb 82687cd40932329348005bb61782e5b5493faae26389d7a3300e5ba40af04dce 87892d4d4693dc87d4195a0aa30bba294841580f2a4c81948c37018b69dc69d8 966eac6b067db2163c8e82669373c17ea335fff18280f848e6b8202e00a905d2 98788fbe094bd1260aaa7120fa02cf183ab09f7a32c0a4cba68074316c276ce6 aa6eea166b8cffd5763b79f47f6f8cbeea328a056e7a0152ceb104cc59c1e320 bec5979b7d191703cbce4a4c88171b89ab97b07fba0e0dd001ffe8dee9689049 d3f847257945d883bc02431f7561d661b56b7177941b5d7451528bdfc28b4ca6 d6f2570910b38e15acb876ced00d7f877fa9ded01a15c3e07710319a50adf8cb d7f4e9cab07e8c2826ee70b6a45d51b18892cfa5d4a92ce318c43eed2399fe54 da93ffcafad1569fd94cb5bae72a876bf6e021b7ad30b4d644a99ceb88651bc6

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Trojan.Kovter-7581113-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 656f27d6
15
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 656f27d6
15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 96f717b3
15
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 96f717b3
15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 15
<HKCU>\SOFTWARE\3A91C13AB1 15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1 15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE 15
<HKCR>\.8CA9D7 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eed5bf47
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: edfc5b63
15
<HKCR>\C3B61 15
<HKCR>\C3B61\SHELL 15
<HKCR>\C3B61\SHELL\OPEN 15
<HKCR>\C3B61\SHELL\OPEN\COMMAND 15
<HKCR>\.8CA9D7 15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: ffcfae7b
15
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: ffcfae7b
15
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 78758f10
15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 78758f10
15
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: c3ab6058
15
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: c3ab6058
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8567f942
15
Mutexes Occurrences
EA4EC370D1E573DA 15
A83BAA13F950654C 15
Global\7A7146875A8CDE1E 15
B3E8F6F86CDD9D8B 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
162[.]59[.]22[.]216 1
203[.]220[.]231[.]209 1
35[.]30[.]2[.]211 1
65[.]168[.]33[.]91 1
65[.]23[.]68[.]193 1
8[.]111[.]224[.]146 1
190[.]95[.]112[.]80 1
17[.]163[.]64[.]9 1
75[.]177[.]69[.]90 1
166[.]105[.]213[.]36 1
214[.]63[.]237[.]80 1
36[.]91[.]76[.]70 1
106[.]70[.]177[.]221 1
16[.]191[.]214[.]15 1
58[.]13[.]27[.]49 1
192[.]86[.]250[.]64 1
126[.]167[.]218[.]58 1
15[.]150[.]185[.]79 1
136[.]59[.]133[.]35 1
14[.]24[.]198[.]67 1
60[.]255[.]136[.]37 1
35[.]118[.]226[.]214 1
39[.]29[.]235[.]49 1
154[.]111[.]27[.]104 1
166[.]82[.]242[.]42 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]litespeedtech[.]com 1
schema[.]org 1
api[.]w[.]org 1
gmpg[.]org 1
pinterest[.]com 1
httpd[.]apache[.]org 1
bugs[.]debian[.]org 1
www[.]anrdoezrs[.]net 1
shareasale[.]com 1
help[.]smartertools[.]com 1
www[.]smartertools[.]com 1
www[.]pntrs[.]com 1
cdn10[.]bigcommerce[.]com 1
cowgirldelight[.]com 1
lppool[.]catalogsites[.]net 1
www[.]rods[.]com 1
checkspressions[.]com 1
www[.]womensbootshop[.]com 1
www[.]cssigniter[.]com 1
passets-cdn[.]pinterest[.]com 1
www[.]pntra[.]com 1
Files and or directories created Occurrences
%LOCALAPPDATA%\4dd3c 15
%LOCALAPPDATA%\4dd3c\519d0.bat 15
%LOCALAPPDATA%\4dd3c\8e986.8ca9d7 15
%LOCALAPPDATA%\4dd3c\d95ad.lnk 15
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e.lnk 15
%APPDATA%\b08d6 15
%APPDATA%\b08d6\0b3c0.8ca9d7 15

File Hashes

0bc765c9bdad7dea5fee981fa1ea3e39d39b43110991be6767062b5b3e04f72c 127fb45d6030c7ccccee832b5ce576786dbaae5df9b56894b69257e5217e294a 2ae6974b7efe312d521686e6852eeb699f2a73775742736b85b597e0ef3aa431 2fc52ad46802099597893005722950b74ac8625908227d1127a00666c4b335b9 30814d58a34c1f93bca33a91dff01df3d51d79652e03ee1d4268d4f3731c32e2 37ead0eac4578acd43bca94f7c952ca0ba292501902f3c24e2867d4c76987394 7271bdf260d1c23f06c6900ae8627662ae10029d1807128307bdfdaf216ec717 797903efd668c3b3f81419f0f14ed2c1877f051b237ca186f17559a536334d5c 7acad96af327bcdb132c8050fc85323173ac58b1efe91cadb529d2f9b4d98b27 82a312a0219ad8597a6d23b707103bbc5e5ba5a8f05754bf2c4904d857cd4c17 ab0bd0ecb30c8097d5270d8f4a093587dc92ac8b129a169c0488d74ad8a67037 b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806 b7e3127dc7f2729513628861b8ee60609a1c20eedcd9b6551314dd0eeedd817e beaa66c363f78e7bae7d9e16fdfaa2bad12a568db71f59a87ecfb675e8fef110 cef415b47d807cb26e0881d6d79ac1ab4cbb77e1671cdcb5804982309481a18d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




PUA.Win.Trojan.Bladabindi-7581164-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
17
<HKCU>\SOFTWARE\7261D3F24AE2C8DCAF22FAF7FCF1CAFD 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd
17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd
17
<HKCU>\SOFTWARE\7261D3F24AE2C8DCAF22FAF7FCF1CAFD
Value Name: [kl]
17
Mutexes Occurrences
qazwsxedc 17
7261d3f24ae2c8dcaf22faf7fcf1cafd 17
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
shareefboy[.]ddns[.]net 17
Files and or directories created Occurrences
%HOMEPATH%\Start Menu\Programs\Startup\x.vbs 16
%TEMP%\server.exe 17
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs 16
\423002248.exex (copy) 1
%TEMP%\server.exex (copy) 17

File Hashes

00cf99575699bc66ebbb6420a94c31ed8acad4107031546e04f9576546c276e5 245938f3b18f371c90e5403b454cadfa791d97767d9aa05439d6b852fbffd714 285cb077ca516c336a1636182069e7cf9a8a057a267efa376ebede4c0a2cd0bf 29dba26459bba5b186f1bf1c0a0fffc0e393a6d4cc427c842a4aee0353518a2c 2de7a2aa518ea9e0fbc421761c85be589c27c88c3038fa4fa93bef51bacd67bd 344204f0902906b808c5f81ae62b455a3d0ded3034fca548230cd51c59f02ec4 388bfe746f61ade70292f8740d1c92c6eceaa21baa5e04de0ebc012dbed312e7 66d6a4049df4e8bc2fd9c615af0bc3d0ae715ea5b17c5222980f67bd6d57d75e 7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28 8e7ea6439f856525f2affc885f93a23e2f7ade71aecc69c8cd78e5460d4aa58b ae078923fc539c22a7eff4491301ae2c8f438e79a02226e6604b7035aff34ec5 aee215905b39a4a4cc85be54bda2ae9ded42e06fe0b3813a1794052a12e09757 c7a9a427985e84f296370c466eb675ff01b06992416ac9250c385cfaa5a9678d d2af08616f7d2dc0f68d75376d3164867732871348c8101aa0319c90062f999b d75a26758530f775943a9d16680ee4c37e913ab20d6953e965ae41f3e5fd3a88 d7ec97fb65437711f6dd0ce71e8cab70946d2c8f51566446a8fe8e8b64cbda62 fd05573a8360e8054c0ebc38c5cdd107e68b9694525829e832a3085c7d9a556b

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Packed.Ponystealer-7581286-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
17
<HKCU>\SOFTWARE\WINRAR 17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
194[.]4[.]56[.]252 17
212[.]129[.]7[.]131 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
myp0nysite[.]ru 17
streetcode3[.]com 1
Files and or directories created Occurrences
%HOMEPATH%\Start Menu\Programs\Startup\filename.vbe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe 17
%APPDATA%\subfolder 17
%APPDATA%\subfolder\filename.bat 17
%TEMP%\811953.bat 1
%TEMP%\-1509909074.bat 1

File Hashes

13400f8d7c8a12d8958a46992e9eed2b2f1151ae33fcd0c248bc35e58cfb7ce5 182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0 2c20c1f5d4995dcccf424f00ceb0ed472cb4565ee7b06c9cb70b08b478eaf2f1 2deca9e99719e851fd53cee5ac5dfbd07b119bc707b7aa81cb55c38c8883a772 3182728acec97bc151ebae0a6adfac92ab26acf0c5aa1ab5194926b5e36f4d43 5a4373916b36d08a40753dbcdac9f5a4463ce04e34c9d91370ed3eb26d9e02ee 73ef9e3fd88857d97750893acb03308bb1deb980ca8ca601087bb9a1f74362a6 8dfce3b2ccb67e4d7fe864898a1464f74a536e14bd4104dff9de8c399d42c2b7 8fe9aeaa722e13e842520e578ed099670bc59c882b59a6fb413dc6fcf590665a 955b6ea1a4087486a22b60ca2453343b04ac01e5c161615b13fd8bd22192c76d 9a10bb237ac45ffee5878cdfe094a0b0f6f81d9eba8ec21033b8020391c1324f bd4aa94a35201221e31df703e1140180c8f310ce7f08b81960185a2b784a98c0 ce3e0e36ac012f0f464181de7a21c87bfa1c5c334a11b7569ddb5dd4222c95e6 d07112d2911677ee1e1722bd168dff54d480c3ce8a9f78a84bf3339a885b0174 e2546be50a578b421d55de25bb7d7aff0ef84b5246d1d7d6f8ca8908da415ef4 e48083bef42265f0c16b3cb6fef65a4206f152b3cfdb28f517e15ca8a660ffed fe83421fb5c10e194127d3b3d02e4bf2d1d951291bd935641d80f19bbf6ba620

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Ransomware.Cerber-7582361-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: TileWallpaper
7
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: WallpaperStyle
7
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES
Value Name: DefaultTokenId
6
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 6
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES 6
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228}
2
Mutexes Occurrences
shell.{<random GUID>} 8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 2
204[.]79[.]197[.]200 3
15[.]49[.]2[.]0/27 8
122[.]1[.]13[.]0/27 8
194[.]165[.]17[.]0/25 8
95[.]213[.]195[.]123 2
91[.]142[.]90[.]61 7
31[.]41[.]47[.]50 5
31[.]41[.]47[.]31 1
195[.]19[.]192[.]99 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
maxcdn[.]bootstrapcdn[.]com 1
get[.]adobe[.]com 4
en[.]wikipedia[.]org 14
www[.]torproject[.]org 7
www[.]collectionscanada[.]ca 7
alpha3[.]suffolk[.]lib[.]ny[.]us 7
www[.]archives[.]gov 7
www[.]vitalrec[.]com 7
www[.]cdc[.]gov 7
hldsfuh[.]info 1
mmteenijjjuyoqju[.]info 1
ydgsjrjqotlffitfg[.]org 1
dxpmkdipp[.]info 1
cojkhmdxrwvxwxa[.]pw 1
qgilcuym[.]org 1
www[.]multicounter[.]de 9
pqhwfeeivtkxi[.]click 5
othcijmuhwb[.]pl 4
iconhrdqmeueg[.]su 2
cdwguymjxnyot[.]pl 3
veiqvqirdhmyis[.]org 4
qoaouhgwfy[.]biz 2
hkwyfnevdievebgjx[.]xyz 2
ligumssfsrtfpy[.]xyz 4
rqtcmltkurtev[.]pw 2
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\Contacts\Administrator.contact 15
%TEMP%\d19ab989\4710.tmp 8
%TEMP%\d19ab989\a35f.tmp 8
\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\_14-INSTRUCTION.html 7
\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\_15-INSTRUCTION.html 7
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\_16-INSTRUCTION.html 7
\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\_17-INSTRUCTION.html 7
\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\_18-INSTRUCTION.html 7
\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\_19-INSTRUCTION.html 7
\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\_20-INSTRUCTION.html 7
%ProgramData%\Adobe\Updater6\_21-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\_22-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\_24-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\_26-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\_25-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\_28-INSTRUCTION.html 7
%ProgramData%\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\_27-INSTRUCTION.html 7
%ProgramData%\Microsoft\IlsCache\_29-INSTRUCTION.html 7
%ProgramData%\Microsoft\Network\Downloader\_46-INSTRUCTION.html 7
%ProgramData%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\_45-INSTRUCTION.html 7
%ProgramData%\Microsoft\OfficeSoftwareProtectionPlatform\_48-INSTRUCTION.html 7
%ProgramData%\Microsoft\RAC\PublishedData\_44-INSTRUCTION.html 7
%ProgramData%\Microsoft\RAC\StateData\_41-INSTRUCTION.html 7
%ProgramData%\Microsoft\User Account Pictures\Default Pictures\_33-INSTRUCTION.html 7
%ProgramData%\Microsoft\User Account Pictures\_34-INSTRUCTION.html 7
*See JSON for more IOCs

File Hashes

0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906 085198d732095e24f5165d61636930cb1012b833278d86565a66d23dd0ffce96 14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf 2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23 5815f647ad348de649c3ebfb5f1987e305410855cc944d14b1284abaaa40d9e3 593ead1c717d2ca3ed32fa98da70f4df7e0a99431d0327fc08c363621afc1fbe a515545e6056e1a9f75a4f7d0afefb54bf7e1ffb1e5f7f6641cece38db7e6cf0 bebd3b1683b69a383af7689f70ad3e3992630e0fc07d98e2e014f4978136722a c11b9d1ba0badcc063eb6e60894b7f4f0932e4f73d037f05e06c80d72833b328 c4cfc1a33b5e956376c773674c1a8baa318832f2d75fac9efe53fbc895ace7da cb73396e304937a404c63ad696c6e2d269f38d8082d636e2c16e550f1f7cb118 cd8b407e19e2d93dfc939cd04e3a43100d2442128f42c226ac1dedeba0da4824 d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39 d6e35e20d5b7fa3d0b5352b4953701cabb4ed2a83d94dc666ef9900b7c53394a d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2 d9ddfa571587bd55c75526b8f17e6dbbb8a4b6179bfc002575cdcbf446154e7a fd1e8a916fa218df73894c59784dc94cbd26c7c7a5e1c1ee37ce45b349e4cc2c

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


Malware




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (4662)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (749)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Kovter injection detected - (319)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (206)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (188)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Atom Bombing code injection technique detected - (133)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Installcore adware detected - (105)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (75)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse http payload detected - (30)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.
Corebot malware detected - (20)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

No comments:

Post a Comment