Friday, March 13, 2020

Threat Roundup for March 6 to March 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 6 and March 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Malware.Nymaim-7615052-1 Malware Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Malware.Ursu-7610305-0 Malware Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence and collect confidential data. It is spread via email.
Win.Ransomware.Cerber-7613460-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Ransomware.Gandcrab-7615049-0 Ransomware Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.

Threat Breakdown

Win.Malware.Nymaim-7615052-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
25
Mutexes Occurrences
Local\{2D6DB911-C222-9814-3135-344B99BBA4BA} 25
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} 25
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 25
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} 25
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} 25
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} 25
Local\{445DE72D-9B60-6571-D392-6925F65F5FE7} 25
Local\{E41B13B6-7B07-8560-4026-41A66FCE339D} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
qssnxj[.]net 24
zotsvo[.]pw 24
ifgkwqmqhph[.]net 24
dhlvdxugyo[.]com 24
hkeucj[.]pw 24
dyhrvl[.]net 24
uwmbqu[.]com 24
pzerd[.]in 24
sdyhxawrvxae[.]in 24
satdu[.]in 24
gqmaztf[.]in 24
iirandx[.]net 24
nkjed[.]in 24
qouatnrg[.]net 24
qshwuerhzuaz[.]in 24
nfaqzajrpxj[.]com 24
iobmasbcd[.]pw 24
qmotexhwaj[.]net 24
knhausn[.]net 24
towufmzxq[.]in 24
kzdvq[.]in 24
orukxxgc[.]in 24
lnibjvv[.]net 24
bvlgsvhj[.]net 24
dnhlpemupjc[.]net 24
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25

File Hashes

029369003b1fb6b4b0191a54b330673685e059d390b3393d4f58ebccb3fa0a04 043ae03261bd31cf86ca5c6c1910e4436d4b9f82e1bcecb8039d326ca271393b 0a99f500898952fcc6ac124ec1bdbe697ef2c9de93bd829f6d0ba8ce438236ff 0f85f19794584741038a9a8d51761315dce953aa2383ef92c4493f1fb02c7a1d 109bd3f040c9077b74e75416e4b133098143bc40ebba6456624e8869cf1619cf 18c22cdb43d3095d980b31a98c069f5511648b447d65834a1a004be6587e4062 1dc86f9ff40d164a384ee34879dbe58ee1717f51e7316bac351cae3b60cbf509 2524bf4a82f9eb9a2acdd291ef82068667566c54155f3669b5fdef61ad0c859e 2cac77ac4a68039f57b6da94ff827ccf592d6b391762a010ba1d798461ad780c 3f2e085857d5c5b94e2adcdf7a9d199e4105439fe2f55dfe53ec8428297bedf4 42a971335515a1ed31e629c0faf85b5d2cd51eada6e1c0c4659c0d0322b62a27 4da003af544afeb34668f0a1343632a7953a6219ff2ad62b8d391e1b4bb305db 4e7045fa64fc0de40a22f9bddbbe7f4f2b9ce531f17b009378c7b8eb26bd1a2f 6057c88112b275c6d47589fd10f863987010804dd01be8b2c8b449a7ed08d9da 6283c33ad5cb1fa29ccef34b58b6cf84ed3b5fb5d69940abc7cf88b2d5091937 63011ace1ebac398e71d65bb5a0d0c4896a41d64c462f46a8c1380594cdfabfc 683d2ec46c5bf2a8cb5a18e807283e23eeff66af8e6274fddee6058c170da90a 68a44b6a3401677da55c3a42713bcaab7ef02b2f54bac56c2a8d671157d6e228 69848c2d721dc6e96085bd8d2e7f0a9e9b34c5d00a9dbd71e5823272c55da027 7560cadc3a05dc897e5d6e512a35325cad6142458cbab6bb4d2b5ba0387bbd4f 7a081e847f783ca398362fb4172a266e8387fef4d860ce25c4bc2986a25ce690 7d9e94ccc83b6b3c3c12761047df64368321fa103aedeab18d57489305af2058 813a531f48400ae896114791fdb0dc1f5783da5824311f5ea6bce8593213e393 836f598e59d30233a42d0ec25f4ac237f3d7d12f52646ed400244d4539fbb3c3 88ef4262d2cb80330e3aced7a7bf6409668333f42c41915f2e64f334ea25693c
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Win.Malware.Ursu-7610305-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Mutexes Occurrences
3749282D282E1E80C56CAE5A 2
3BA87BBD1CC40F3583D46680 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]27[.]158[.]211 1
104[.]28[.]8[.]228 1
104[.]27[.]183[.]17 1
104[.]24[.]113[.]102 1
104[.]31[.]77[.]13 1
104[.]28[.]2[.]54 1
104[.]28[.]5[.]52 1
104[.]31[.]83[.]86 1
104[.]27[.]183[.]246 1
104[.]18[.]55[.]178 1
104[.]27[.]184[.]69 1
104[.]18[.]52[.]132 1
104[.]31[.]95[.]137 1
104[.]24[.]102[.]152 1
104[.]24[.]118[.]237 1
104[.]24[.]103[.]126 1
104[.]28[.]3[.]54 1
104[.]28[.]4[.]52 1
104[.]18[.]54[.]178 1
104[.]31[.]82[.]86 1
104[.]18[.]53[.]132 1
104[.]24[.]103[.]152 1
104[.]31[.]94[.]137 1
104[.]24[.]119[.]237 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]cloudflare[.]com 10
forzamaguire[.]tk 1
nomnyz[.]ga 1
yanguz[.]cf 1
nomnyz[.]cf 1
forza-lindelof[.]cf 1
forza-maguire[.]cf 1
abizima[.]gq 1
forzamaguire[.]ml 1
forzalindelof[.]ml 1
radiomar[.]cf 1
forzamaguire[.]ga 1
global-solution[.]gq 1
mabelis[.]cf 1
forza-lindelof[.]ga 1
somaplast[.]cf 1
somaplast[.]ga 1
Files and or directories created Occurrences
%APPDATA%\D1CC40\0F3583.hdb 2
%APPDATA%\D1CC40\0F3583.lck 2
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1 2
%APPDATA%\D282E1 2
%APPDATA%\D282E1\1E80C5.lck 2
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 2

File Hashes

0540a6fd5a8d8b711724dd99e9dbd29896684503ae458094ac77caa0a3191841 1c54ab51ea01e775972504739fe8d1a6af74c3c342027a0f731f66cf3d63e01d 2a0cb867ebb8e219fd317f3602812b7e3d2b73aa10b52f434266379861709d09 373f0152bfa9d4489b824883dbb7d33d9d3df334400f7c235afe83e0268db0d6 5732fe839b0157b0e1da1c03eea1bab091e04899a3bc7b70a23dcb97467fe0fc 5795d3b441fba24cd5eea9d63283363cc301c947fc9c1490e8c342eaaabcfa2f 6d5c50c1be5dd9c3b83c39f4a0d7cdd20026cccb5c1c86a067f35f3896cb160d 6f9126661fc692a55b8a1511d90646b550f0dd4d083c06cb1d8759516ce0e80f 728475baa6296537c166911468e3b22068e016a9e51171b1d9ab3e5426c60f41 8e8c18e99f0f891984fc158ed482a000b760290f3f4f020a4dfa42a32321a279 95e153e75af1f9fcf7d255863b5ce7aa77536e5a4d4b007f594c2ea47a39e7a1 982bcdf19c39c6125771d12a007e9a723d3ea651f0cde4ee03777bd177e5792c c57c12e9658458a407392b510316bc134946a2af1a6bc8720f1a8f785a8e15c5 d72cc73cfd39751bddc1156be01d42b7882f5f0f647b7d3282ab6f66108ca6b6

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Win.Ransomware.Cerber-7613460-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 54 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 54
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
54
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 54
shell.{<random GUID>} 22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]239[.]24[.]0/25 54
58[.]43[.]12[.]0/27 54
91[.]1[.]48[.]0/27 54
178[.]128[.]255[.]179 15
104[.]20[.]21[.]251 11
104[.]24[.]104[.]254 10
104[.]20[.]20[.]251 9
104[.]24[.]105[.]254 7
34[.]196[.]236[.]57 4
104[.]16[.]149[.]172 3
104[.]16[.]148[.]172 3
104[.]16[.]151[.]172 3
34[.]196[.]207[.]101 3
104[.]25[.]47[.]99 2
104[.]25[.]48[.]99 2
104[.]16[.]150[.]172 2
104[.]16[.]152[.]172 2
198[.]211[.]122[.]103 2
54[.]152[.]114[.]154 2
192[.]169[.]7[.]201 2
185[.]183[.]98[.]78 1
83[.]243[.]41[.]162 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 21
btc[.]blockr[.]io 18
chain[.]so 17
bitaps[.]com 17
bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com 6
p27dokhpz2n7nvgr[.]1c4zie[.]top 2
p27dokhpz2n7nvgr[.]1pbu64[.]top 1
p27dokhpz2n7nvgr[.]12gzrv[.]top 1
Files and or directories created Occurrences
%TEMP%\d19ab989 54
%TEMP%\d19ab989\4710.tmp 54
%TEMP%\d19ab989\a35f.tmp 54
%System32%\wbem\Logs\wbemprox.log 22
%APPDATA%\Adobe\Acrobat\9.0\UserCache.bin 22
%APPDATA%\Adobe\Acrobat\10.0\rdrmessage.zip 22
%APPDATA%\Adobe\Acrobat\7.0\UserCache.bin 22
%APPDATA%\Adobe\Acrobat\8.0\UserCache.bin 22
%APPDATA%\FileZilla\filezilla.xml 22
%APPDATA%\FileZilla\queue.sqlite3 22
%APPDATA%\HNC\User\Fonts\PrivateFont90.dat 22
%APPDATA%\Microsoft\Address Book\Administrator.wab 22
%APPDATA%\Microsoft\Document Building Blocks\1033\Building Blocks.dotx 22
%APPDATA%\Microsoft\HTML Help\hh.dat 22
%APPDATA%\Microsoft\Internet Explorer\brndlog.txt 22
%APPDATA%\Microsoft\Templates\Normal.dotm 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\addons.sqlite 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\blocklist.xml 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-04-01.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-05-28.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-05-29.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-06-10.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-09-27.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-10-03.json 22
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\bookmarkbackups\bookmarks-2013-10-04.json 22
*See JSON for more IOCs

File Hashes

05f26fd753356cfc5d545eb01e79baf53445a601ea1569878fb1c63b52f5e6d4 0abd1a84723a6597fb2c3478e1a83033a5aba2891c964ab5737fe7910d80e28c 0ee72b0840ce97cb8b5a37084fc43fa7c27686e4e8f4bf09c0c0b7d88b810d1a 10819f12f84257e20d23fadf371e42e4e6521c60146472a23cafab73c9516234 10a5ac7ce80bb6970ca50a271ce35133cd92a56080369b0c4b42bb918b0e3026 1435f8e106ffee6f5ada5ffd4cb0828f81f0e58071e9b3872878e50c0273b8d2 147065190d82fbf0df3a182e87139edef847443b0ee0bb8456fcbab4774b2f5b 147b376c58e4089ebc217b859068d113faaf691a7e5c96b974beef6c792f4f10 2517618db9f32379899d9eab1e6a1336b883fe98301f1486f6a0dccc7ebb4078 2619700ad7f26a19504e6362ef53d0c140c40d9f704de62bc5c46170139e35d9 2d58499468790c62970006e7e2498776a4a3502461f31d2d240ba69c4d97f0ad 2e454bfbce9129ef89ce883ea2ad6f1373cd92b4d902d38534442bf1c7dfb627 301417411755886089f7d037b89405bf84611e5f7d99f8c02afc30a763beca53 33c0a8a15cd7cf1b069a4568b9da60a32070f63df5520080c7fda84ac07446b3 46f1f3a5569df1fa4ebc3f9838018760761f01547c86cf8114a9f41e444ac65c 48b36eca72cd50b9f026fa1715d0b3566a7c4554625f40a36cf159de684563d5 5bef0909ef45b328e051c6ee7f6ea0103d0ec538f0d9db877c5bae26aeb0bc1e 635d3910ce962f06530c70fb81cb2d388f95d07d53423cb88cefd2e5c254c72b 6936663f05a2eb0a714d9a8fb83bcb42158fb75d91ed99130f560628be770309 6ac61263ed29a92913576e3cee15305e2999907b56334573d6bc0a8f35cf34ea 6ddd63c3bd61e7c10d9a873114d6c014fb67e3f0d968ecc5bcbb337fb9c6bcbd 7626e74dff3e39f5dc7468c6a3b9da48e4957572ff7e382a6b6c1ce05befc0c2 76f4a0d9a8bf4c0610f8b56296be4d0bc0e2261fab5ef472776070101a7e3adf 785dd8bad5de7e38a96fa9e5c4985023b0f9b9ceb898e7610d2862abbe7b1ba8 7b2ead6084f7b6a18b756f18b2000967584630ef072debe38f8868cb750e3e0f
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Ransomware.Gandcrab-7615049-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
5
<HKCU>\SOFTWARE\KEYS_DATA 5
<HKCU>\SOFTWARE\KEYS_DATA\DATA 5
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: public
5
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: private
5
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: profiles.exe
1
<HKCU>\SOFTWARE\MICROSOFT\SPELLING
Value Name: Ucberexy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: container.exe
1
<HKCU>\SOFTWARE\MICROSOFT\USMEFY
Value Name: Zeis
1
Mutexes Occurrences
Global\8B5BAAB9E36E4507C5F5.lock 5
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A 4
Frz_State 2
Sandboxie_SingleInstanceMutex_Control 2
<32 random hex characters> 2
Global\FF5BACBED3692507E5F5.lock 1
Global\785161C887200 1
D88B4D3CAE375DED14F392DBA85F311F98B68E3C 1
A238FB80-2231ABE6-BF235135-4B410C86-7EA16E3EA 1
A238FB80-2231ABE6-BF235135-4509F56E-58AA53269 1
A238FB80-2231ABE6-BF235135-42BEEFE7-165F4D9F5 1
Global\fce1c3e1-636e-11ea-a007-00501e3ae7b5 1
Global\fa617201-636e-11ea-a007-00501e3ae7b5 1
A238FB80-2231ABE6-BF235135-49B1803B-0D11E1F34 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]27[.]163[.]241 5
213[.]186[.]33[.]19 5
213[.]186[.]33[.]3 5
149[.]56[.]154[.]141 5
69[.]73[.]180[.]151 5
179[.]188[.]11[.]34 5
50[.]87[.]58[.]165 5
217[.]160[.]0[.]234 5
89[.]252[.]187[.]72 5
202[.]43[.]45[.]181 5
87[.]236[.]16[.]31 5
77[.]104[.]144[.]25 5
171[.]244[.]34[.]167 5
217[.]174[.]149[.]130 5
217[.]160[.]0[.]27 4
104[.]31[.]74[.]227 4
104[.]28[.]30[.]160 4
104[.]24[.]102[.]153 4
104[.]31[.]78[.]102 4
104[.]28[.]31[.]160 3
178[.]210[.]89[.]119 3
213[.]186[.]33[.]5 3
204[.]11[.]56[.]48 3
23[.]236[.]62[.]147 3
217[.]70[.]184[.]50 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
perovaphoto[.]ru 5
koloritplus[.]ru 5
pp-panda74[.]ru 5
dna-cp[.]com 5
boatshowradio[.]com 5
www[.]mimid[.]cz 5
tommarmores[.]com[.]br 5
cevent[.]net 5
www[.]lagouttedelixir[.]com 5
alem[.]be 5
h5s[.]vn 5
marketisleri[.]com 5
wpakademi[.]com 5
www[.]rment[.]in 5
www[.]fabbfoundation[.]gm 5
6chen[.]cn 5
zaeba[.]co[.]uk 5
www[.]krishnagrp[.]com 5
www[.]poketeg[.]com 5
www[.]n2plus[.]co[.]th 5
bellytobabyphotographyseattle[.]com 5
www[.]cakav[.]hu 5
www[.]toflyaviacao[.]com[.]br 5
www[.]perfectfunnelblueprint[.]com 5
www[.]wash-wear[.]com 5
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\ntuser.ini 5
%APPDATA%\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Credentials\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Internet Explorer\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Media Player\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\1033\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\UProof\KRAB-DECRYPT.txt 5
%APPDATA%\Microsoft\Word\KRAB-DECRYPT.txt 5
%APPDATA%\Mozilla\Extensions\KRAB-DECRYPT.txt 5
%APPDATA%\Mozilla\Firefox\Crash Reports\KRAB-DECRYPT.txt 5
%APPDATA%\Mozilla\Firefox\KRAB-DECRYPT.txt 5
*See JSON for more IOCs

File Hashes

034e94dc5839acb2ef70783767ec570621deaf0ca8e7f2e00556854d89804104 087ba528971fd407e356e8b33ed0592ca03f2e438804bef6e306a8f7b547834d 0db58143b95364b1c6216bedf0c05a7c0bcc192099d87ebd650b3ae862e2218d 1a4c33569668cf9140464aab8e4b1de812a1e62a5eacd57af90fbc3fb6765db3 29b1853d6568683011f9e1c23d7a0dc80899bb87911045e3914e9064fa591881 366345c09b7ee53c672ba6a2c0715d3f68b80463d4acea77500f20063884d486 5f3a6664b198819b13b7692dce049c6e2d421db7ddaaf190118e5d7639bf3f0f 63b8f4160a35bf105f3213154cb66083c59a2f7693a67eb3f6f6526ca0e5c795 6fd4984d90b6924d145c572138f86a3a6f8e06fe6a03172861f148d947d68429 715f5c292f719cf496dc97ab92115d71d0e02421a61d409db2e2e4d1098c1167 7e9fab6d29c822c9190b5971507d2722a97a7d6605580d0e1ef8dbec691e673f 877c6debcbf51a302ac977a44bf8c55edf3cb341e559bbf4f33a937fc463f76c ad7f9eeecb0ce7e6b214ba0bc17e753413a3b94dcd779dc47d4d66f633898357 f215e1d482b46e6413cd86a2ca63816a011f37b1ed81d872571d0e8f82f5a78c

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (4171)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Excessively long PowerShell command detected - (1148)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Dealply adware detected - (295)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (191)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (164)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (122)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (62)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
PowerShell file-less infection detected - (25)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Reverse http payload detected - (20)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.
Possible fileless malware download - (18)
A site commonly used by fileless malware to download additional data has been detected. Several different families of malware have been observed using these sites to download additional stages to inject into other processes.

No comments:

Post a Comment