Threat Roundup for February 14 to February 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 14 and Feb. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Dropper.Gandcrab-7586670-0	Dropper	Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Packed.Mikey-7586709-0	Packed	Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. This threat can also receive additional commands and perform other malicious actions on the system, such as installing additional malware upon request.
Win.Malware.Qakbot-7586710-1	Malware	Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Razy-7588195-0	Malware	Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, then sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.Generickdz-7586813-0	Packed	This is a BobSoft Delphi application that wraps malware. In the current campaign, the HawkEye spyware is installed. The malware uses process hollowing to hide from detection and achieves persistence across reboots by leveraging an Autostart key in the Windows registry.
Win.Packed.Tofsee-7586819-1	Packed	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Nymaim-7586870-1	Malware	Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Ransomware.Remcos-7586925-1	Ransomware	Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Autoit-7586956-0	Malware	This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows adversaries to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.

Threat Breakdown

Win.Dropper.Gandcrab-7586670-0

Indicators of Compromise

IOCs collected from dynamic analysis of 48 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: eegsjfdkqvr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: ythjobixtnr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: yeelxnznvki`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: umwdlwwsaaz`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: piveskqvesb`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: ispyjcnalox`	1
`<HKCU>\SOFTWARE\MICROSOFT\OFAGAS`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Diokydyb`	1
`<HKCU>\SOFTWARE\MICROSOFT\SYSTEM Value Name: Panda`	1
`<HKCU>\SOFTWARE\MICROSOFT\OFAGAS Value Name: Ydcyuxos`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: pkmkandzsro`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: ejmsgaummxr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: hujteforzto`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: jcrillrkibx`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: hrsalhxnejd`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: dctzafzqnkl`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: cuzlcuudbwx`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: sxzpjghkvsd`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: wriuvpwacau`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: duivayvsjqx`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: xbxpanidwht`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: uethoblisdu`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: sarblkidckc`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: sujhhdohjjr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: yfvdvhnadpu`	1

Mutexes	Occurrences
`Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c`	46
`GLOBAL\{<random GUID>}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`66[.]171[.]248[.]178`	46

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ipv4bot[.]whatismyipaddress[.]com`	46
`1[.]1[.]168[.]192[.]in-addr[.]arpa`	46
`dns1[.]soprodns[.]ru`	46
`nomoreransom[.]bit`	46
`gandcrab[.]bit`	46
`nomoreransom[.]coin`	46
`bon[.]aungercote[.]org`	1
`ver[.]sceinsheru[.]org`	1

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	46
`%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe`	46
`%APPDATA%\Enylf\vyku.exe`	1
`%APPDATA%\Guibc`	1
`%APPDATA%\Guibc\hyka.irp`	1
`%APPDATA%\Gyun`	1
`%APPDATA%\Gyun\vaxac.qae`	1
`%APPDATA%\Nozuo`	1
`%APPDATA%\Nozuo\quzui.exe`	1

File Hashes

099c47434a97a9bcd0c6bb5f0291bb69d70dd05ab002fa83487d63b997b90f96
09eeafacfe79c4fc87c45dab72ce88aa1e234e668e2535e209beaa4a8181610f
0d293a8759d4bae6aa5d8587108a508f6d40efb449dbc239800efebb7a2bf2d7
10ae8e44b98f0255ba8e6d819d804e8379336500f3e27a14bb5b8ea72a07eb80
134e8947ef2f684d816c6c1da588fba3f9f0c08c24533adc02cbcb93d9e1494a
145bcff3aca6ba04f241e0d5ced04e2781c8a0f225ebf51dcddfb238fdbc63ea
18213dfc3c25be525312f6ff70e4ea8861233bc562d1442a501a0ae7c7bd93f4
187591cccfe3eb0c7bea183e03a735be581f704866b2bf2f82c2f57c759f5fde
1a2e00ce828da6130592178bd3b0bf47f2b3edefafffe7e6371622aae1ceb9af
1a99329960098a5414c2fac1bad96ef143878fb5435bcdc6cef9d288081e8b4b
1d2d031f33ce5adea4a45c700e29e99903d55850481fb17deb479fe47d367a18
1e4294a2b465e27903582116b12d5db2a6999116e27c698b5b98ae52035649b7
1ee6e03bfe259cf4a95c093e85056ae9807fa53f83f465b8878d74a114f148fd
2164d2a4c1a861298c8003118855be9ae68614c5e557638830038658b2e6e47c
22d18aa907e4750c7fce359140c44db444c644e8576c8609ca54c2e85afa0ac7
234bcafc5700b9f59d30bbcd0b7ba4694e49ffe6621ed63a5a6f0464a6aba447
25a297586142486627a765200bfc30658cdb4500949c581a83d1be262c60c4c6
25ae0f8e3b3938131d098ff7832167a5b6629e6cb8972827b7f1175b69e063c9
2651e9bbd4004b56eefa43f4f7ffd982d16d07df2980423cb54b1ee585172ae5
274d2074201aabff30008390fbc34087fc9aead9ec924d18708a0d6670bb6995
276f56271a9b3e3fcce07ccd2e4dab2a4316b90e8e715e2657b572da0109c801
2a7ad044e7f131e71e794cc8dd31ce746f455d9c53e45b88c3696891f4f11b35
2bb8a6eae8695c55070f5f78371609052f73826a2df29a9e2ab82c7c89603369
2cecccc835e1485e21cc45c86571f82f06223e422f59410228c140e77862ef3a
2d239ffa8b5e13e8c19de06e5d5825e24df4c52f31741ab7373b2b74b612ab2f

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Mikey-7586709-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DEFAULTICON`	4
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob`	4
`<HKCU>\SOFTWARE\NEMTY`	4
`<HKCU>\SOFTWARE\NEMTY Value Name: fid`	4
`<HKCU>\SOFTWARE\NEMTY Value Name: pbkey`	4
`<HKCU>\SOFTWARE\NEMTY Value Name: cfg`	4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\unbhgouj`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: Type`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: Start`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: ErrorControl`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: DisplayName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: WOW64`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: ObjectName`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: Description`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2`	1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ Value Name: ImagePath`	1

Mutexes	Occurrences
`Global\<random guid>`	7
`Vremya tik-tak... Odinochestvo moi simvol...`	4
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A`	3
`A238FB802-231ABE6B-F2351354-CF072D6D-090D08F1`	1
`chv8VoF8462A240TQszdiFeaRyFs610A`	1
`A238FB802-231ABE6B-F2351354-7FCA0C5B-B9CFE7DF`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`172[.]217[.]164[.]179`	3
`172[.]217[.]7[.]243`	2
`104[.]26[.]4[.]15`	2
`46[.]29[.]160[.]26`	2
`104[.]26[.]5[.]15`	2
`194[.]116[.]162[.]29`	2
`91[.]215[.]170[.]234`	2
`46[.]4[.]52[.]109`	1
`104[.]47[.]36[.]33`	1
`43[.]231[.]4[.]7`	1
`93[.]171[.]200[.]64`	1
`67[.]195[.]228[.]110/31`	1
`168[.]95[.]5[.]112/31`	1
`168[.]95[.]5[.]216/30`	1
`168[.]95[.]5[.]118/31`	1
`172[.]217[.]197[.]26/31`	1
`98[.]136[.]96[.]76/31`	1
`203[.]15[.]169[.]11`	1
`67[.]195[.]204[.]73`	1
`85[.]114[.]134[.]88`	1
`67[.]195[.]204[.]75`	1
`67[.]195[.]204[.]80`	1
`98[.]136[.]96[.]92/31`	1
`134[.]0[.]12[.]89`	1
`198[.]35[.]20[.]31`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`www[.]myexternalip[.]com`	4
`nemty10[.]hk`	4
`api[.]db-ip[.]com`	4
`0300ssm0300[.]xyz`	3
`ghs[.]googlehosted[.]com`	2
`smtp[.]secureserver[.]net`	1
`ipinfo[.]io`	1
`api[.]pr-cy[.]ru`	1
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net`	1
`hotmail-com[.]olc[.]protection[.]outlook[.]com`	1
`centrum[.]sk`	1
`post[.]sk`	1
`msx-smtp-mx1[.]hinet[.]net`	1
`www[.]google[.]no`	1
`damstein[.]no`	1
`clayvard[.]com`	1
`oppdal-booking[.]no`	1
`luthgruppen[.]no`	1
`gjestal[.]no`	1
`claytonwright[.]co[.]uk`	1
`hxqk[.]sk`	1
`lovetts[.]com`	1
`upkm[.]sanet[.]sk`	1
`loveumail[.]com`	1
`vae[.]sk`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%TEMP%\CC4F.tmp`	7
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt`	6
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp`	6
`%HOMEPATH%`	5
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\01\0119C23D88292A0E4FEC04D5CF8629005A44E37C`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\17\17542707A3D9FA13C569450FD978272EF7070A77`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\1A\1A141DBFA4083406630DD9A81AD35C416F604800`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\47\47267F943F060E36604D56C8895A6EECE063D9A1`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\95\954D59EAEADC36CB19A224A5DDDFA1EDCFDC49CE`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\A2\A2C4E53F8E58DC61E337D4CFBBDFBF5BA2825852`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\A5\A5B16A7D28D2BA79A9CCFC16ED480AD75A757166`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\AF\AF210C8748D77C2FF93966299D4CD49A8C722EF6`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\B0\B066A9B35AE0BB605431AC8740DEA2A659EED4C4`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\D3\D34ED774F9FDCBA938A7807BD8FB1B398C51BC81`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\History\Results\Quick\{69EB062C-C99C-4979-B7E6-36430B258597}`	4
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\518e2bc94bc324e5e6f82437175ae1af_d19ab989-a35f-4710-83df-7b2db7efe7c5`	4
`%ProgramData%\Microsoft\User Account Pictures\Administrator.dat`	4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\LastBld.dat`	4
`%APPDATA%\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\Desktop\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\Documents\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\Downloads\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\Favorites\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\Links\NEMTY_GBF756G-DECRYPT.txt`	1
`%HOMEPATH%\NEMTY_GBF756G-DECRYPT.txt`	1

*See JSON for more IOCs

File Hashes

0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7
2d2c2363a77afa2a914cf77e684cd279150bef2e5f5c27ba45e2be26b094d6e9
31145485a77c5167d0b01834793203c7f03e4298e532712773700f853bf494d5
4ed113b1e3967eea8beec9ac8b23017a25938dda53822c51c21d30c71a946660
53279dd8f9c45b2e213d4925c5a59cc0297a3446d566cb4eb2825b5042d912a9
7475233e2a3836d3a8b69fc76450cda8770beb5e61da095fb108898ef9bca0fb
7f944fc983d8100caf59f4918239e6d83f0cb2a498ea3f48e8623b3cebcc3250
944006ef7abb2e02f87ddafd0e50f8e3c600d3914462d6216027f5c5dd8db475
9f2a258a72368901ac1f99e7d0eadf62a85a2d33c56d3dca3d1406244dd0713a
a30e02134af6767d48793d1ac857d428b11380fa6c2f4898918b1b3ed2012700
a969b88015cf14ae1b50cc903e82b75d754deddbca2a2bb1a39db4c6cf447c12
a9f6d5ad40d5b073be92fc46666ce1f96e30c50494a018d472cfee56ff2b8c65
cbe96c19bc6246b4c85242e87b74481be23ac7bebe61aea6b34ff7deb8f17275
d74cc221d6ab6e29b7049ab7f49a6ac80c9cde20ca7f4db31e128037f1bf9d4d
dba02f5167986887ab29070b468c15bbc15d79942d62c8f9bcf95546c461d128
f15065bb9747e1c9a7f2bb41e80efdc2ef0435ac1f5b649d11c7537fa9095eba

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Qakbot-7586710-1

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

Mutexes	Occurrences
`ocmwn`	17

Files and or directories created	Occurrences
`\TEMP\7dcd176143285b60a9dda1499593d0e2.exe`	1
`\TEMP\7119a1ba9e8866f9aca5360c337aa099.exe`	1
`\TEMP\8d6ac636eb8758ef5c1820e457f6f4c3.exe`	1

File Hashes

16e98279914ef3280950a2cba389e0aced7bc38d45db4f4e3b516bab17de41b2
2194ff71108712b66905dc46155aada3b0c5e56986e7db97f50b1dc5055aa41f
279be64e1b80827ebc2187f76914b57d8ce6fc14aa70ee908c8e29c1a6177f8a
2b8c204a35189a6937aa9740820a4ac6caf7ca372656d20d8bfc9f8583f02081
3cb499f2bb1838ad8066bae7254fa012a2b7ba4270ae284774537093898beda2
44b234565a5590957845f1c4e14e7c81ab5be8a9ae0d19a1f4e04ebcf67be907
46ab34a52c0e0f8a6cfb302d38085924f55e7a0d37c5bf8cd6b503ea83a2055e
58225241e8f436355e2cc739127490ad8a88d6d47620c727a26e56c5c1e786e0
5afa22c50fd430fed4f06437dcdb74248bc40917dd6a4f4844137528ae186aaa
8c17ae11559298aa36b6837b9e6a2f4fcee5a083004ea6463aa9384c04d016f3
abe179259e363dad7ab393685c3dd711550a9f8aa7fe5344de8141723352b0de
b053b3570129f906cf09d2a63d034f724fd3d561d991fec761133c1cfe568ef6
b8a80038ab33b7a556f3b1e47cadfddc417d7301ee62c0a87610ab635e60360a
bf052b65100259f2a13c98a20aad8f8bd8688a07639530aa12159200fb39c504
d6b4f5ce244ce922fbed636528ad6deb7ca306f543400657b5e07dc0ffd6521f
db037e58c1bc214b4853bff0aedd8ba22a5ab60e37b127178fb36547b2124051
dc01374a8e4b46e82f3efc130065b8e7a93bdb537ece13e02ac303a881b138ac

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Razy-7588195-0

Indicators of Compromise

IOCs collected from dynamic analysis of 54 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR Value Name: Locked`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE Value Name: OnlyMember`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER Value Name: CleanShutdown`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: Generation`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} Value Name: Data`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} Value Name: Generation`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} Value Name: Data`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} Value Name: Generation`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: Data`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: Generation`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY Value Name: Services`	1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: Drive Type`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: IsImapiDataBurnSupported`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: DriveNumber`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: StagingPath`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} Value Name: Active`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING Value Name: CD Recorder Drive`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: FreeBytes`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: Blank Disc`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: Can Close`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: Live FS`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: Disc Label`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA Value Name: Set`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE Value Name: UIStatus`	1

Mutexes	Occurrences
`B4BBD0F7883AF46401A8F944D11D8E1698B68E3C`	40
`Global\<random guid>`	7
`opera_shared_counter64`	2
`opera_shared_counter`	2
`<32 random hex characters>`	2
`{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}`	1
	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`104[.]129[.]67[.]170`	22
`104[.]129[.]67[.]168`	18
`72[.]22[.]185[.]198/31`	2
`185[.]53[.]179[.]7`	1
`185[.]222[.]202[.]91`	1
`62[.]149[.]210[.]9`	1
`185[.]35[.]137[.]147`	1
`185[.]61[.]148[.]224`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`www[.]msftncsi[.]com`	40
`ligue1[.]shop`	2
`klub11n[.]us`	2
`jong37[.]pw`	2
`klub046[.]co`	2
`ijust1fy[.]pw`	2
`ktfr34ks[.]pw`	2
`son0fman[.]pw`	2
`jsbook[.]info`	2
`js0c892[.]se`	2
`iyfsearch[.]com`	1
`ligue1[.]fun`	1
`www[.]mac-pro[.]it`	1
`j5cool[.]xyz`	1
`sm0osh[.]xyz`	1
`jo1b9[.]co`	1
`lip616[.]co`	1
`lip4u5[.]se`	1
`jsoc8492[.]us`	1
`jo15y[.]xyz`	1
`l0vew1n5[.]xyz`	1
`snd616[.]co`	1
`dill10n1[.]pw`	1
`j0011y[.]pw`	1
`j0nhy[.]pw`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sessuawh.lnk`	40
`%APPDATA%\Microsoft\Windows\sessuawh`	40
`%APPDATA%\Microsoft\Windows\sessuawh\jisgivdt.exe`	40
`%System32%\Tasks\Opera scheduled Autoupdate 3131961357`	4
`%System32%\Tasks\Opera scheduled Autoupdate 3115184141`	4
`%System32%\Tasks\Opera scheduled Autoupdate 2980966669`	4
`%System32%\Tasks\Opera scheduled Autoupdate 3130913037`	3
`%System32%\Tasks\Opera scheduled Autoupdate 3130912781`	3
`%System32%\Tasks\Opera scheduled Autoupdate 3131961405`	2
`%APPDATA%\Microsoft\Windows\sessuawh\sessuawh`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3004035085`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3131109389`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3131962125`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3131961349`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3127767149`	2
`%System32%\Tasks\Opera scheduled Autoupdate 3007180813`	2
`%TEMP%\7CE0.dmp`	1
`%TEMP%\WPDNSE`	1
`%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock`	1
`%System32%\Tasks\Opera scheduled Autoupdate 2989355021`	1
`%System32%\Tasks\Opera scheduled Autoupdate 1044487932`	1
`%System32%\Tasks\Opera scheduled Autoupdate 3131961552`	1
`%System32%\Tasks\Opera scheduled Autoupdate 3131963261`	1
`%System32%\Tasks\Opera scheduled Autoupdate 2980966925`	1
`%System32%\Tasks\Opera scheduled Autoupdate 2989726024`	1

*See JSON for more IOCs

File Hashes

002f27cf7d9185bd0c0ee1c363a221be80e797db81f25e1abb9898de6906c6b6
00de50e39e76fe23df42f435dfe0c0571b41c06a4337f15dc0c70ef28182c332
03759da14ffcd558e1b492286a1f04cce519995b591a848ee4e76b1a00f9bfbd
038a84e68adbb095a8ad39ced3de6407f977113fee99c46c6e87dc7c2c66d739
070ef4de5fe79fe29dfb5d3db253ec2c4b6e20797116b608cbbadb110afc54d1
07ed129012419a5c63e2987883653f7781ccc214f2abe3580b3baac5df397b88
08f442c4d7bcbbfbed9cf39ed382529fdb1368f2cd8e8d88d39a987b566b705a
096add794410c4bc72ef29cebfba05db27ca895f9136eba710cf45ad3492e37d
0c260a56652727b6dd9e280cb741870e61b9c1a8fe54dad0e12b42b2163eb391
0ec389eaa5253a5477aff5a36b5af41a76430cc41a4231dba9dab9587650e36b
11c15bc5878e34eb98b320aa9d7dbe6fb71987603cec86d39c1d7a902e3b5eef
198501a9810da38bb19dc1e0f4dd3a669a86fa57165075485cebf6e7662600e7
1ac2a34d85e02dc74dc1f612d06634d160fd29e359d45b8a50ccc3bbd78c3975
20dd29c3c7271b2d44600e7896dc3e351e8d53b583f9535104fe9cca3077d219
21633fd3deaa6b4a8bb9095f3d396c894a0a8648edbd85919d4589068327c3b0
2c6a0eb320df561009681342b3ccb1dd8a585968ec0932716553389f19d0b620
2fa0184c94b5220ec52d03e99eaa43b00ee78ef956f4c3a5b09bb7dca8270f47
3563013bf168f3021b42950648dd8175e51baeea1f9b6f1a9c8dfe2fb28b0187
383dede6a6d363e97a2d34a002aca69378da4b6769b13976b0344a20272a7d9d
3d51cff2d7fe5c108b765525081c3c0ec62811d6fd8f6d1e8f7ccb23ce1b5160
40c184b47b2d4d52ab39aab7c81b9e80b85948e6321989eed2e071a2346c836e
41e87e94d52d08cd7d82e052a72b598421dbd469d676cfb58640521a15ec0eed
533418f5d648f0a9855adbea0b6001531d8ea6687db27e1ddc0a157174cbc605
560df0484842e569cf4ec7a3c9b6942fbab8a5e5ef1bf8516baa6317841aa4bf
586303e0a91cd70a44b2311a081462b396f0e57cd948edf0fa97a4896eb830a4

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Generickdz-7586813-0

Indicators of Compromise

IOCs collected from dynamic analysis of 37 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\REMCOS-ZUXZLQ`	4
`<HKCU>\SOFTWARE\REMCOS-ZUXZLQ Value Name: licence`	4
`<HKCU>\SOFTWARE\REMCOS-ZUXZLQ Value Name: exepath`	4
`<HKCU>\SOFTWARE\REMCOS-V1R5VH`	2
`<HKCU>\SOFTWARE\REMCOS-V1R5VH Value Name: exepath`	2
`<HKCU>\SOFTWARE\REMCOS-V1R5VH Value Name: licence`	2
`<HKCU>\SOFTWARE\REMCOS-6PU1BX`	1
`<HKCU>\SOFTWARE\REMCOS-6PU1BX Value Name: exepath`	1
`<HKCU>\SOFTWARE\REMCOS-6PU1BX Value Name: licence`	1

Mutexes	Occurrences
`QSR_MUTEX_ayVRCIIhAhYn6ZIdtI`	17
`Remcos_Mutex_Inj`	7
`Remcos-ZUXZLQ`	4
`3749282D282E1E80C56CAE5A`	2
`Global\{b1324b26-be01-4620-bf4b-b68b0ae0f95b}`	2
`Remcos-V1R5VH`	2
`57926c4f-8f06-4a2d-a8d5-a3428f4894fd`	1
`Global\8e50a541-4f19-11ea-a007-00501e3ae7b5`	1
`Remcos-6PU1BX`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`208[.]95[.]112[.]1`	17
`46[.]105[.]98[.]53`	17
`79[.]134[.]225[.]123`	2
`209[.]127[.]19[.]34`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ip-api[.]com`	17
`variakeburne[.]ddns[.]net`	4
`randydidier2468[.]ddns[.]net`	2
`renaj2[.]ddns[.]net`	2
`worldatdoor[.]in`	1
`kitchenraja[.]in`	1
`sixteen147[.]ddns[.]net`	1

Files and or directories created	Occurrences
`%APPDATA%\Logs`	17
`%APPDATA%\Microsoft\System32.exe`	17
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System32.vbs`	17
`%APPDATA%\Logs\02-14-2020`	17
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>`	13
`%APPDATA%\remcos\logs.dat`	7
`%TEMP%\96f91905-b339-4638-bd86-c6a77cf058d3`	4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\appsdatas.exe.vbs`	4
`%APPDATA%\appsdatas`	4
`%APPDATA%\appsdatas\appsdatas.exe.exe`	4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\yfgr.exe.vbs`	4
`%APPDATA%\jnxc\yfgr.exe.exe`	4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\lmwq.exe.vbs`	3
`%APPDATA%\hcek\lmwq.exe.exe`	3
`%APPDATA%\D282E1\1E80C5.lck`	2
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\daxp.exe.vbs`	2
`%APPDATA%\gnwk\daxp.exe.exe`	2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs`	1
`%APPDATA%\appdata\update.exe`	1
`%TEMP%\637172179772244000_d1934800-c529-4e3b-afff-37bcc71b45d4.db`	1

*See JSON for more IOCs

File Hashes

08ce5d7fc0de04906c1c24dc0d72d279dbd125b61d4ff3361e5f960d3441e421
0a603c32a8e16c81e314e9030a6e6d45055ae5f93ca819121ba6538660fe3072
0c4b27461dbd294c5a6a3851051ab5ff3ecf6b6aa72b7588ba59a7381632f06e
12a2568481ee9eca1ccb7a522f5853a7b0aa30ed56abfa5d3f1a2168865f390a
13ac030d6a53c594e08ffb80140b43fcad93841e170be5d8043e9f4b1512ea7e
1514b3e4e3c01eae8d55693255f12c5efd68549491c007425b6cac2465ec07b2
16a94d5de704b8166684143480c0c93c522751eba3acc8a79d468d0e7b579a9e
17309647cddb67ae9146b2746461e0152240808f88231c790dfcf923a7b717a2
1fbc7923dbc28f31aed3114f6ae66cd7431b78639b0998af963f606dd430dd41
1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf
2766c878553e8b7fae74b133be1880b6a345ade8284d919717d0ca6427e85a38
2ae7fe445fcc08eb3179519a41aea3fb7310e33973af114efd17dfa8653cbc5d
2b70abdaf78867285774c432c365ad6a7ab5777f0eda50d9c202205fcfe576d5
30b44cab6a839ae845647b0d608f645cc44bf01af6d5a9b53aae92e46bc12159
312915777632ef010f7a3bb2c60c274ea7c6d3f195349efac5e1057f6ec8a46a
3328f4ca20a50c85d8ddb77e20b54822bb44c7fc7dfbaab279fcf39389a50355
35ed04364daa9a21e306204ea27f1d7186248a8ab6bbc03ab202fb8d6f998a05
38f23b5da8cba1044efabbf1bbdb29d0fc748206ff5709a9c8c0fc553c21418c
3e50718cfffca7db327d35011301206ce21a7103f6a68bd78859a666e5781f42
4124aa54761859ab9d92cb3d50a64e461c5fe76b70b0839e933117fdb91391f0
48a1f2cf546a630bc763375052b734d4d1bd8d121e440a1718ec2c09d1605f57
4b388553f1b23e229fed441a7ada1afd2a87dfb1e77dc43d86f86b4028c2d46a
553e69e62475f74dcf2762e5499167539ae77df7692f0967cc1f9408d0bd8ae4
557e52d63114622d6adec38238bdf81d944d66389b07ddbe542fb8799b8d0b3e
5d3a4d8448e8af881bb3f82ed0d34735491c076c7c7f1f642431ec2777f4dec9

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Tofsee-7586819-1

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

Registry Keys	Occurrences
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description`	18
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0`	18
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1`	18
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3`	17
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2`	17
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath`	13
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\haoutbhw`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fymsrzfu`	3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\nguazhnc`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\unbhgouj`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\ibpvucix`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\exlrqyet`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wpdjiqwl`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tmagfnti`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\zsgmltzo`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\slzfemsh`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\mftzygmb`	1

Mutexes	Occurrences
`sejavpsfushosuk`	7
`None`	4

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`69[.]55[.]5[.]252`	18
`85[.]114[.]134[.]88`	18
`239[.]255[.]255[.]250`	17
`192[.]0[.]47[.]59`	17
`46[.]28[.]66[.]2`	17
`78[.]31[.]67[.]23`	17
`188[.]165[.]238[.]150`	17
`93[.]179[.]69[.]109`	17
`176[.]9[.]114[.]177`	17
`172[.]217[.]197[.]26/31`	16
`172[.]217[.]7[.]132`	16
`168[.]95[.]5[.]112/31`	15
`46[.]4[.]52[.]109`	14
`43[.]231[.]4[.]7`	14
`209[.]85[.]202[.]26/31`	13
`98[.]136[.]96[.]92/31`	13
`67[.]195[.]204[.]72/30`	13
`216[.]146[.]35[.]35`	12
`211[.]231[.]108[.]46/31`	12
`12[.]167[.]151[.]116/30`	12
`67[.]195[.]228[.]86/31`	12
`168[.]95[.]6[.]56/29`	12
`64[.]233[.]186[.]26/31`	11
`192[.]0[.]56[.]69`	11
`96[.]114[.]157[.]80`	10

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`microsoft-com[.]mail[.]protection[.]outlook[.]com`	18
`252[.]5[.]55[.]69[.]in-addr[.]arpa`	18
`schema[.]org`	17
`whois[.]iana[.]org`	17
`whois[.]arin[.]net`	17
`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org`	17
`252[.]5[.]55[.]69[.]bl[.]spamcop[.]net`	17
`252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org`	17
`252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org`	17
`252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net`	17
`bestladies[.]cn`	16
`bestdates[.]cn`	16
`bestgirlsdates[.]cn`	16
`sex-finder4you1[.]com`	16
`eur[.]olc[.]protection[.]outlook[.]com`	14
`aol[.]com`	13
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net`	13
`hotmail-com[.]olc[.]protection[.]outlook[.]com`	13
`smtp[.]secureserver[.]net`	12
`mx-eu[.]mail[.]am0[.]yahoodns[.]net`	11
`msa[.]hinet[.]net`	11
`myibc[.]com`	11
`ipinfo[.]io`	10
`hotmail[.]fr`	10
`mx1[.]comcast[.]net`	10

*See JSON for more IOCs

Files and or directories created	Occurrences
`%SystemRoot%\SysWOW64\config\systemprofile`	18
`%SystemRoot%\SysWOW64\config\systemprofile:.repos`	18
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>`	18
`%TEMP%\<random, matching '[a-z]{8}'>.exe`	18
`%HOMEPATH%`	14
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)`	14
`%TEMP%\kjzvcyd.exe`	1

File Hashes

005ac256dddc3a368386cf19e2c8ff4ff897453e13d31c2a002389b1b8f6f0e6
0225cfc00d03fb8135dab6acdbb2165f678c8693927dd4e8180b7ddfa8bdcbae
2ecaa4a4541645f3d329b65981f97403c3a3cc2bf77feeecef4cc5108e5eb649
357ed9b86a1c594596641c650bce143f7d58f42c6c67fd508168389805eb2739
3ce3671481b73bf71782605b8e6429753a3c7a253b6ff8dd0c80af28eb881633
53210cdce3d628a61c5aed9fcad723d30634f6df74a8118183f9bfa8ba0b643e
53b68915686769a14855c37ad232b86f7d982d7c88e74ff641f1046612e04011
57917ee62c89309f3ac65a67ef6b3e983c2b882a9770e43b0095edb348ae9cb4
7e8a5dedb5852ba8f9f3970c0204657611bb7b3e8009c019e7105b7528111403
8f1d942a42022e2ad2c7ea175e742fc83785883df3e32e2f696cccb1785f9b04
9f23b12abc917fd84e47626f4695a2f811352dcf100224623dbb1343c2503bd2
a55ef46691eeebb5afe92223a87d8fa1332dc8406d5933d6dbadfebbea6708cc
b833f9b5e15ceb0e9553dba19386e5f9420795251c499aee1f4dde3c19ae5571
bae92bcf28992f8a71f9216af418f3a38ca58435b0be6e9e998ba30680a9aa49
cf5208d9d87f44c5adc6cb07f050fa11693654384840cbf3f8ef6c7bcb299c39
d8cb668abbc88169df7393ef917f8214b53192c1cac6e372f46f048416fffe89
e29f7b44dbc846b438af94610b75f5d091ea15308536dfa337bf8c27bc80acdd
e60fa6d29dcbac234244922ed994abff1e02a63ca62bdd7efb1393a1c22052c5

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Nymaim-7586870-1

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK`	25
`<HKCU>\SOFTWARE\MICROSOFT\KPQL`	25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER Value Name: GlobalAssocChangedCounter`	25
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg`	25
`<HKCU>\SOFTWARE\MICROSOFT\KPQL Value Name: efp`	25

Mutexes	Occurrences
`Local\{2D6DB911-C222-9814-3135-344B99BBA4BA}`	25
`Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}`	25
`Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}`	25
`Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}`	25
`Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}`	25
`Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}`	25
`Local\{445DE72D-9B60-6571-D392-6925F65F5FE7}`	25
`Local\{E41B13B6-7B07-8560-4026-41A66FCE339D}`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`46[.]4[.]52[.]109`	1
`93[.]179[.]69[.]109`	1
`78[.]31[.]67[.]23`	1
`176[.]9[.]114[.]177`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`neawce[.]in`	24
`cawugh[.]pw`	24
`bfjtkee[.]in`	24
`xnexvlnlm[.]in`	24
`xirvjdkza[.]pw`	24
`njzcxk[.]in`	24
`ozbpuhdibrq[.]in`	24
`kniqbngezi[.]net`	24
`pbgtihnv[.]com`	24
`gxdawu[.]net`	24
`gxvim[.]com`	19
`nkkzhqqslod[.]com`	19
`tiuzomycjp[.]com`	19
`wzfhxytur[.]net`	19
`cdnnoeem[.]net`	19
`qlqywqinnnof[.]net`	19
`upfqangse[.]net`	19
`cxtuswfapphv[.]net`	19
`vgazbwj[.]net`	19
`apdkokb[.]net`	19
`xknfwgwvcut[.]net`	19
`jwieiuggex[.]com`	19
`rpwecn[.]net`	19
`wcafbjwj[.]com`	19
`bjeuewe[.]pw`	19

*See JSON for more IOCs

Files and or directories created	Occurrences
`%ProgramData%\ph`	25
`%ProgramData%\ph\eqdw.dbc`	25
`%ProgramData%\ph\fktiipx.ftf`	25
`%TEMP%\gocf.ksv`	25
`%TEMP%\kpqlnn.iuy`	25
`%TEMP%\fro.dfx`	19
`%TEMP%\npsosm.pan`	19
`\Documents and Settings\All Users\pxs\dvf.evp`	19
`\Documents and Settings\All Users\pxs\pil.ohu`	19

File Hashes

0218e9c2cf3ca8f6201331e44bfa7d8a5448b1b5b08d8b14d85aebb65671e1a2
0454d49281ad2a9f99228f543428338353da11fbf78e36b7f5b31479c121bf6b
056dc90528fe0b52da0e2810dfecc00a33ecb3fb055d4b1887b06ab042dbae1e
09136689c46634da3d89dc3609bc2db9582cf70992b9ef92ef6c7dfb3416bee2
0a58ad96a90964d56735bf61afa86fa7c6a2a3e15092b66154c6418465bb3a00
0cbed52d77571cb00e68ca65ed017272b69c2b90b548f5a3354dec2fd4da677c
1725392d15f6eeee49ba8222c595faeb59a5434b9136b137dc03a9b61e084087
17f077b3721d13d89bfe4d84b297620ff8590b9949e0b3a90e754cd147808695
201591910712d7b75f17831436b9c2c7a5bc95e6009d7a744de0fd2fe34a1dc6
20b70cb79a5bef35145254e2c456da2d2d90f7e2de2f72d413ce0fbf844af66f
2696cc5afb7daf7e9acfa6b48e9c925961c8b3675d4dba20fcd840879695f8dd
287f5e0b40f6341f7f9b09a97d2efbb00b9c389053b76976ccade63027f02425
2b0b69fcba2279c7c731adc17ce5e395739a4d957afe75b4dffe79a911d06834
3343d61a8a5e8f19686995852ac47dec453da1a61f0544a2b6cc75b404ac40c1
37c3c75c995da210c09a6b6e258af839386c4a8661d16395ef179065326ebbd7
39c08d0ebe20734e86539503b615716ef692aa37ba6a490e0265d1560dbae71c
3cfc8edcb512891aeb4241df6a800981d83c329883eaeeb265f5b555be7c85a4
43983a108eee5452032f21f6895cb9d930af372f4fbbf51e217a58f68412c9c4
44033bd26650bac58f19414b2f937a3d0aebd819a145738d4d9e77a087d1b2e2
446952c8181f0736647c99e3d4160fafcf272c885a62b19e4028a41183227292
473e6d64b9b5d33250f89781d2d7d0b7a763563e6703907953ae226e078b2a49
589b303963958d48a6d5aa9a506955ed04242994f1f7e36b8819463200970b21
5b186038f17adbde16e02e1e29513354112ecdc9b3a8be5fe2978696ce9541ec
5d95754de0c3bda4841e7122b0b24bd5d949adc647735582d4e6af72274950d7
6123859235132aed86f0520e20d623e8d5d0438e082db32caf310d1b77aa9ec3

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Ransomware.Remcos-7586925-1

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\OSRS18HD-UKGZDR`	12
`<HKCU>\SOFTWARE\OSRS18HD-UKGZDR Value Name: EXEpath`	12
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Path`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Hash`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Triggers`	1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: DynamicInfo`	1

Mutexes	Occurrences
`Remcos_Mutex_Inj`	12
`OSRS18hd-UKGZDR`	12

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`secure[.]jagexlaucher[.]top`	12

Files and or directories created	Occurrences
`%SystemRoot%\win.ini`	12
`%APPDATA%\ErrorLogs`	12
`%APPDATA%\ErrorLogs\logs.dat`	12
`%System32%\Tasks\SearchUI`	12
`%APPDATA%\SearchUI.exe`	12
`%SystemRoot%\Tasks\SearchUI.job`	9

File Hashes

08606543b261293be2c91acebdd4100b77471a2cb2f29b8f558f2d12dd01c954
2d5275f0deb740be06001aa53d8719db88d08426f2e5f1b44bc4626fcc9b0258
46835bd196f40e56dfeb8fbdbf1e328358e545649ce10aa580575874ffeba5b1
778608ebdb66b22322989f6889668d11a5c243f540d094f834743651f847f6d3
b1edb734e012c5b941e7e7190b23c472937b5332b9af826e5eb07a807c7f0e80
c0a687a74845e57c671768eac45588576a194f36165279f19edb22d45a595904
cd9d9e7f425fbc41e1c6e12e7e9ffd0d9800aa703e690802a260f5f29837967a
dc789666026dacfc446d3559c0aebeab538608668fac6645ba73591d9a4ced58
dda31fb5d2659b268d9f12541f26042e626d6162c442362b362f0eb80011c741
e6d0a9641a275e95ed0835cc1c65f861f03e6643b99ef24bb1b1e6711fe6b31e
ec8cc8dd06095a94275b3e3f7564dfddbcb20ce78b84da301768b0e8484482a5
f21bb31466c5f318f41c021fc459caf0e413f580ade991087bc499bb5fa2ffa7

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Autoit-7586956-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyEnable`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyServer`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: ProxyOverride`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoConfigURL`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS Value Name: AutoDetect`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS Value Name: SavedLegacySettings`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDecisionReason`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDecision`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadNetworkName`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} Value Name: WpadDetectedUrl`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT Value Name: CachePrefix`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES Value Name: CachePrefix`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY Value Name: CachePrefix`	25
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE Value Name: NextAtJobId`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: ProxyBypass`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: IntranetName`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: UNCAsIntranet`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP Value Name: AutoDetect`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD`	25
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD`	1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\C8-B0-99-0A-48-DD`	1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD Value Name: WpadDecisionReason`	1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD Value Name: WpadDecisionTime`	1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\C8-B0-99-0A-48-DD Value Name: WpadDecision`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`199[.]59[.]242[.]153`	25

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`infikuje[.]freevnn[.]com`	25
`11776[.]bodis[.]com`	20

Files and or directories created	Occurrences
`\atsvc`	25
`%System32%\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx`	25
`%System32%\Tasks\At1`	25
`%SystemRoot%\Tasks\At1.job`	25
`%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat`	25
`%SystemRoot%.exe`	25
`\Documents and Settings.exe`	25
`\MSOCache.exe`	25
`\PerfLogs.exe`	25
`%ProgramFiles(x86)%.exe`	25
`%ProgramFiles%.exe`	25
`%ProgramData%.exe`	25
`\Recovery.exe`	25
`\TEMP.exe`	25
`\Users.exe`	25
`%SystemRoot%\svhost.exe`	25
`\$Recycle.Bin.exe`	25
`%SystemRoot%\Driver.db`	25
`e:\System Volume Information.exe`	25
`e:\$RECYCLE.BIN.exe`	25
`\starup.exe`	25
`\System Volume Information.exe`	25
`%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\list[1].htm`	25
`%SystemRoot%\list.txt`	25
`%HOMEPATH%\Local Settings\History\History.IE5\desktop.ini`	20

*See JSON for more IOCs

File Hashes

0cfd5fcfbe7dcb0ca5d046e97815d68b7afec7562255c591efaf6e6ddff04dc3
176e3815db0582a528559fcd4ac5d556d8b44354470ef7000246a7dd70e02042
188fb9f78f7b0ec6ef4ddac9d5c3e246563a9d5e4689b49c5b4be343be805be6
1e401c8be910e4f07af2e40c1c20b25be23e896e3aef6c887bc505b4ffee805a
25290bd54de5289d9ea3cbcbf59fefa0a7efa1743196043989029d3b1a3aa23f
2c52210a40af62a33415f9d5fc31cf4ed0c9d60d87dc97fa53db86c028b4a486
2db7594e73018d54e9dca34869eed6fa7e523fd519e2cdc74a32a91d31c6a945
30226cf05067f4906bec842742691778bfe2f277a3ee3ebf82ebc5a2d313806c
32f9cec632967d84f191d9bb514409dcff9f4d8e59097e98fa72e74cbfd32ce9
3909a29ead2eb2248f107c1352e5259d244b3eda0c971b136fab7e671f63a7e2
3b2f4a185951364a131c6ece1b282f7442045063f0d00562bd1c462ddc45e8e5
433b74fd6206dcc64cdc96141263cf1fc5720f087e15ddb581b2084ba0604c1c
4544acce7aad2dc7f8ffc93815eaea59f714552a21863a70132a742e4938a852
478d53130c7b549c54401d4d1c8501a310e99a350846e0515ef8d416822d4ada
4872d9c8e75aa6ad18a1272b17c617811eff6c411f181cc450a52be747fc4d20
48d8d3219b405e7a7ac7e53dac401be58e50cc582d4d5a2c96eb3edab10a8920
4e0b6052c58992f28138a28c281c4bca93f3f90c6c14ef3b88ff697c821e3f34
520f5cfd75870100df9da88875a9d6aef2dae064901acf35695c7ea0d8f36410
56641ea2594a21e5aa25475b295b5130e49c94c78ec42d45b1aed9cf929ea300
65e7b497cebcd23ceb769656cc011a3cadfdd618657a0d66e14a63f94a113fcd
6b1821395bbba2f70b42f963dd63772d4dc97b9dcfeb13ea592ead01587c36d2
6f416a86789e81f95138751a71006189bf6e1215d8ea2063c370862738a996a3
75c38fa29ebe45c102663815d76491a566e34e404dd99088fb4257744539ed6e
78f0240b6e9c1a74546845b3d0ddfc84aecc388f8ff7d794cf80e33ae0de4c31
7f2e6da85f7ebb3dd066315504735c8dbcc4cdbc9c24d7d944cdeeb09df1c869

*See JSON for more IOCs

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (3408)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Excessively long PowerShell command detected - (414)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Process hollowing detected - (210)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Kovter injection detected - (143)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Gamarue malware detected - (114)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (97)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Dealply adware detected - (90)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Atom Bombing code injection technique detected - (21)

A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

Corebot malware detected - (12)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

IcedID malware detected - (9)

IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.

Cisco Talos Blog

Threat Roundup for February 14 to February 21

Threat Breakdown

Win.Dropper.Gandcrab-7586670-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Mikey-7586709-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Qakbot-7586710-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Razy-7588195-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Generickdz-7586813-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Tofsee-7586819-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Malware.Nymaim-7586870-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Ransomware.Remcos-7586925-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Autoit-7586956-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20