Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 27 and April 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Dropper.DarkComet-7641266-0
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Malware.Nymaim-7641270-0
Malware
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.Emotet-7641280-0
Dropper
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Kuluoz-7641284-0
Dropper
Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Ransomware.Cerber-7641285-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Malware.Ursnif-7641287-1
Malware
Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Dropper.Qakbot-7641289-0
Dropper
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.njRAT-7644450-1
Malware
njRAT, also known as Bladabindi, is a RAT that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. Some of the largest attacks using this malware date back to 2014.
Win.Virus.Xpiro-7641430-0
Virus
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Threat Breakdown Win.Dropper.DarkComet-7641266-0 Indicators of Compromise IOCs collected from dynamic analysis of 11 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Credential® Backup® and Restore® Wizard®
11
Mutexes Occurrences Administrator1
11
Administrator4
11
Administrator5
11
Files and or directories created Occurrences %APPDATA%\Adobe\PrintBrmPs.exe
11
%APPDATA%\Adobe\credwiz.exe
11
File Hashes 044c5e9b5f465b5af4937478ab3cc98507420f52d0e0df34b167110e93d3e025
1cfbf9db099aef57002e466434db5f5bf36add2f197ce96f2d59e10b0e762434
22ad20f44028a76ae83852da412a48419485b9fc8954c7e6ab1963e7ff48dc90
53e1172d7a7def646259464f14a860f505369719ea2b1d062ab4c6c039a826f8
82001ae3ba8395813066c774b0bf1bb88fdb8764f0ba409d5e75b4161cfa3b3e
93579e858f498c3b2f752b5d1981fa7ffb131324acd80cd54a2eb5509d3ea55a
bf4bbc990a73116713366a468cc3ef8b7a19ae218c2e23c4630ce2fe3ab84ed9
cb75ab4a4cb9c2a54a89de91b1d402e8ca1969623fdc902d82d495fecf5bd09b
e78a4f3d578c62357da1b16ba413edfd2ee698a01d67f1cce890405f5c46ba95
f70ca20c1b7e5e818ef4f8633c470feb8f336b306abfb32d9796877095c91e20
fb95b36465546d875823546c355ec7d02c2436d13f05aaf3ec0996c60ef5807f
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Malware.Nymaim-7641270-0 Indicators of Compromise IOCs collected from dynamic analysis of 23 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\GOCFK
23
<HKCU>\SOFTWARE\MICROSOFT\KPQL
23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
23
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
23
Mutexes Occurrences Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}
23
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}
23
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}
23
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}
23
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}
23
Local\{9AF4643E-0898-BB80-6A14-0133AB3F8A5C}
23
Local\{AC7E1B07-D66B-D6D7-68B8-F1D274B98185}
23
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ouksqgh[.]net
23
tkegtqmqz[.]pw
23
nsglg[.]pw
23
qzepi[.]pw
22
gkaruil[.]in
22
udaqndimrbq[.]com
22
qklojedx[.]in
22
fejdgb[.]net
22
ldipwmsiagjz[.]pw
22
fruujwytgt[.]in
22
djqhml[.]com
22
kukpofdgbro[.]pw
22
gmwsgcts[.]com
22
flbesem[.]net
22
bxcjvnzlbp[.]net
22
pafzzf[.]net
22
siayzmgvi[.]com
22
nyfmbsagdy[.]com
22
rchyfiw[.]net
22
ajljbppf[.]net
22
axpriqtir[.]net
22
oaeicag[.]com
22
laodzbcfxzup[.]net
22
mglelytvhbsf[.]com
22
lleyspfgwrj[.]net
22
*See JSON for more IOCs
Files and or directories created Occurrences %TEMP%\fro.dfx
23
%TEMP%\npsosm.pan
23
\Documents and Settings\All Users\pxs\dvf.evp
23
\Documents and Settings\All Users\pxs\pil.ohu
23
%ProgramData%\ph
23
%ProgramData%\ph\eqdw.dbc
23
%ProgramData%\ph\fktiipx.ftf
23
%TEMP%\gocf.ksv
23
%TEMP%\kpqlnn.iuy
23
File Hashes 1d432dacf94c583b33dd731805b7fa17a48eb2b502a27bb7e3e8a4b2b628f76e
24ae836cb50df689445134109b7f21a0ad84084f93a0d40d3dcad1dc45d2c06a
2dbbeb3b61a8a66a0fec60308f96ba6db3c92934906e9212452ad1d70a49b2d5
2fd2800eec70dc6aac878c75826cbd14d969d941ece211bc10637177fab4eec2
57acffaecdb6f542521022bea60d9852bbb0cee210dbc9e69a73cb003c06c674
59483926c32febda1700d83dd3122a2e1b3faa36cb1739f95f2d13ba20526e00
62262957de7046d9e2c7116db2a5c8fb1404cd6cb8e5e0de98c06e61329ad440
6256c7f7fba33b9a56c1fbc2440dd688821a994b62f020a70f386ad1f503be9f
91521893f705e3460fb94662ed8c04cd2f746c85f0e99d570c9f18df987118ee
93d2910a14bf95f717a0f03d5d6219de48e6f6354fd35c8031790319cd32982d
a3bd9a719f0459a7c4900a2934d68f936dd5ee84db73acd8134b57aeaa494963
b0603112e2b68a6da48c33c346b54bc550ba901ad60277f6421b6a742c31243c
bd9ef0cf669ada0bbd561b4b7605390b75fa53d5829e9c3b7888fceba4402323
c6847600af4a2c8fe34007d37bc29a00e7afe11a55119a4e6f0ba0e8403ae2cd
d11c7d96a964a1fe23c2ea783ee8c270e1d654fbe4f37c5fd49390449d4b3694
d54c0b288876cc51f97bdd539c0cbd11419745e29afd20d89d67afe21048a02e
d61e3432b3b424d732a8be2c4a47111d11ddf51ced1562dbee76dcabbb8d2dee
de8954dac1f06ebd39d898b60b22a51997006f810e6572f725acfa74cc361ea4
e4b1fb522cb9471ac74596ba5aa128719ccda977cce21e725211673bf8669743
e4c221f3dbbff2327a111f0e6987131773c9563c35b484c72bfd0edd844c0201
ef6849a11f96a39007ee440230709cf3da8dc3557fa39bc35cafc20482720d9b
fc23f00d91b331dd300dd30fd7cc98380cd345f664557bf863b762422d9ed012
fde60db468b2b5fe5e4023ed2a3b958ef3ebdf84fe9d4cfe67669be3f81f08d3
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella MITRE ATT&CK Win.Dropper.Emotet-7641280-0 Indicators of Compromise IOCs collected from dynamic analysis of 75 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC140JPN
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MTXOCI
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MTXOCI
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\D3D10CORE
Value Name: DisplayName
1
Mutexes Occurrences Global\I98B68E3C
75
Global\M98B68E3C
75
Global\M3C28B0E4
48
Global\I3C28B0E4
48
Global\Nx534F51BC
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 124[.]150[.]175[.]133
32
178[.]33[.]167[.]120
32
118[.]167[.]155[.]233
32
110[.]37[.]226[.]196
32
149[.]135[.]10[.]19
25
91[.]231[.]166[.]124
22
103[.]31[.]232[.]93
18
113[.]190[.]254[.]245
18
177[.]103[.]159[.]44
18
45[.]55[.]179[.]121
3
75[.]127[.]14[.]170
3
87[.]252[.]100[.]28
3
190[.]247[.]9[.]40
3
181[.]225[.]24[.]251
3
154[.]120[.]227[.]190
3
239[.]255[.]255[.]250
1
91[.]83[.]93[.]103
1
153[.]137[.]36[.]142
1
104[.]236[.]52[.]89
1
190[.]251[.]235[.]239
1
181[.]228[.]91[.]247
1
122[.]116[.]104[.]238
1
180[.]222[.]165[.]169
1
201[.]214[.]229[.]79
1
61[.]197[.]37[.]169
1
Files and or directories created Occurrences %TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt
48
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp
48
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
15
%SystemRoot%\SysWOW64\mfc140jpn
2
%SystemRoot%\SysWOW64\w32tm
1
%SystemRoot%\SysWOW64\imapi2
1
%SystemRoot%\SysWOW64\xpsservices
1
%SystemRoot%\SysWOW64\SyncInfrastructureps
1
%SystemRoot%\SysWOW64\msctfui
1
%SystemRoot%\SysWOW64\KBDLA
1
%SystemRoot%\SysWOW64\oleaut32
1
%SystemRoot%\SysWOW64\tapisrv
1
%SystemRoot%\SysWOW64\mfc140rus
1
%SystemRoot%\SysWOW64\EAPQEC
1
%SystemRoot%\SysWOW64\RMActivate
1
%SystemRoot%\SysWOW64\wfapigp
1
%SystemRoot%\SysWOW64\hid
1
%SystemRoot%\SysWOW64\rasgcw
1
%SystemRoot%\SysWOW64\ole2
1
%SystemRoot%\SysWOW64\NlsLexicons0013
1
%SystemRoot%\SysWOW64\msxml6
1
%SystemRoot%\SysWOW64\txfw32
1
%SystemRoot%\SysWOW64\wwapi
1
%SystemRoot%\SysWOW64\PSHED
1
%SystemRoot%\SysWOW64\olethk32
1
*See JSON for more IOCs
File Hashes 033fb41b5619559ee7843d51f5329b250f42ce2a180bcaf9c2ed4057d48c200a
03831cfd34ebcb1a2598723cdd8fcd3a531868a550ed82c4132edf40af16fa72
0c6f232077f464b2da7eb205def2acbe27257582bba4da993637f3d0137f2f7f
0df57f7a6721e814e0b82bea9b5702d1422a34a1d20ced73e183a4c2d77695d1
107575f48da1dfd1da6ba96681be4abc6e6c53e8e11040eb7466820bde437711
12f7384e889549a85c6d2f2af5bf392b70c95a4c4159b398cd8a4a574f8bb6f7
1690e906d3bc71ae452ac010c1fee831dd9f3c3dbdec737d641e229c8ecb0417
181cc103c942b3e450cb0e1fc7c7a71f7e514ff8d13eae8db6740df6f0c0e057
18565a7cc2ca7e55dbc04c2cc0682c1d751cc04b381e37c03ea61038d95d99d8
22760bb58ac7bf5ef218b5ee0df6ee223fbc9cede59c0dacf030e1ff72f1f1f6
271260f0020b6e4740ce2d7b72ec37057c3892a2ba8fbcfb920ceee58d2627f1
286e1371de4020038567bdf81279d4ce46848a8b72b3e1a33b2ec98a20e0425c
2aaff8f53c126529704e6f7770e97f257e964707647f812639313f7cb57afd0a
2da31ace48797f738936375053c8bfb82546d49333b1a02f7030a329fdcf9f06
35a58ddfafc7797fc92c8f50a5085d33455c0f45f989bc82545a8a59f0de2f41
3792261c4555c0bd5750bbf7924e2ee9a3dfd1e5c735bccbff9b8f08ddb097c7
3b7c56626fc6e1e9bac007ea0f9fd710f935bb0dfab3928906e91d695d098136
3cc60a0462b9cab1a85a098be0f014566a6cc98cee51453291f0e739105e9db9
3e1b5c059cdc0f8961160c7a0ab1732ae15260d5d0cb40c1dc3b97d558fa1b0f
3e2beac007711f7449019edf11fd54e51bfe8df0942e12bace39a5b363c0609e
40182af8e0b47173cff2d7c31e54ab3a8fe4050a8e32347b597836792eda8cfa
40561efd4002477ee01f1ac54bbfef5e501c1cf0a774b7d77a57642aec32aa00
408aba772aa82d5da9ae744fae5dd9bf2ff09d865393b9627f4626e6c7836334
47358c7fce547be3ac16cc2478d5e38d6d810b995fcb123d4487eca7702e0fc1
4c10d182d11e23b1ccb202ddcdee253a0e96d19af72280edf1609b20328e43ea
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Dropper.Kuluoz-7641284-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Registry Keys Occurrences <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fpufpoxx
1
<HKCU>\SOFTWARE\DNNTLGMC
Value Name: cfrdlmxa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ickctfqb
1
<HKCU>\SOFTWARE\BOELHFQC
Value Name: kbjnitbf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lpdphbks
1
<HKCU>\SOFTWARE\EOWWUNTE
Value Name: tdnufqua
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dvmhkbfh
1
<HKCU>\SOFTWARE\JSHUOVLD
Value Name: xchsitmi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nqxblvca
1
<HKCU>\SOFTWARE\HEFXEODF
Value Name: buubcqbc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gaiwrars
1
<HKCU>\SOFTWARE\JUCDTHUG
Value Name: sjnpjwkm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fvgflepr
1
<HKCU>\SOFTWARE\QSVHHWLJ
Value Name: bewwbqme
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mwvkkbow
1
<HKCU>\SOFTWARE\RIMTRUCN
Value Name: jcodkule
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jxliqlfd
1
<HKCU>\SOFTWARE\USREQEVS
Value Name: siraovgm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wouqnomw
1
<HKCU>\SOFTWARE\DBOTOJCG
Value Name: qftusapj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qtdbsckp
1
<HKCU>\SOFTWARE\ATWGBSFO
Value Name: vhhupeqr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vwvpwbci
1
<HKCU>\SOFTWARE\VOLXMNIH
Value Name: tsaisice
1
Mutexes Occurrences aaAdministrator
26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 176[.]123[.]0[.]160
20
46[.]105[.]117[.]13
16
162[.]209[.]14[.]32
16
195[.]65[.]173[.]133
14
222[.]124[.]143[.]12
14
173[.]255[.]197[.]31
12
64[.]128[.]16[.]144
11
195[.]5[.]208[.]87
8
Files and or directories created Occurrences %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe
26
%HOMEPATH%\Local Settings\Application Data\kdxddmcb.exe
1
%HOMEPATH%\Local Settings\Application Data\epcgjgep.exe
1
%HOMEPATH%\Local Settings\Application Data\sqslklnf.exe
1
%HOMEPATH%\Local Settings\Application Data\ehcfvidd.exe
1
%HOMEPATH%\Local Settings\Application Data\lpofndtq.exe
1
%HOMEPATH%\Local Settings\Application Data\wgloxfmp.exe
1
%HOMEPATH%\Local Settings\Application Data\iiiopgdm.exe
1
%HOMEPATH%\Local Settings\Application Data\cpvcuhov.exe
1
%HOMEPATH%\Local Settings\Application Data\ohfkuuji.exe
1
%HOMEPATH%\Local Settings\Application Data\mflapebj.exe
1
%HOMEPATH%\Local Settings\Application Data\pkrwhrsp.exe
1
%HOMEPATH%\Local Settings\Application Data\aoomiict.exe
1
%HOMEPATH%\Local Settings\Application Data\cskciudx.exe
1
%HOMEPATH%\Local Settings\Application Data\jtprtduu.exe
1
%HOMEPATH%\Local Settings\Application Data\wtqssshn.exe
1
%HOMEPATH%\Local Settings\Application Data\wsumdkah.exe
1
%HOMEPATH%\Local Settings\Application Data\aqqwklte.exe
1
%HOMEPATH%\Local Settings\Application Data\nvqixljn.exe
1
%HOMEPATH%\Local Settings\Application Data\ablkdmkf.exe
1
%HOMEPATH%\Local Settings\Application Data\cmpvfksc.exe
1
%HOMEPATH%\Local Settings\Application Data\lpwfxitq.exe
1
%HOMEPATH%\Local Settings\Application Data\foaejjgn.exe
1
%HOMEPATH%\Local Settings\Application Data\evvlnbmm.exe
1
%HOMEPATH%\Local Settings\Application Data\jkmdnuno.exe
1
*See JSON for more IOCs
File Hashes 00e21648fa1bda81b6b37ce8e4ae1c1cc8511f5d4a185d8c6504d09885e74bc6
01e5d6d17f47209d9ab025ea6d9fc76fab6db7a789ae7e0012e053518592483e
021801898d4aa508ee85f53fe4e4a28e06ce91795fc0073eae241c0c34c7babb
02a8287d7190e0fce91f58073c57d3637b7f1a79a5de300cc9cabfc11e0e6530
054616f5a58998b56fd74c244b3403b750f850f51be74ffca96f85fda28d097e
05a92024686eeb71a6999750925231cbe3771816df8220a42cf665e686e55549
05cfe7a11dd83fb71d7197b7ce06a484a60a7e0e87295c67345d57ee99c44eb7
061608e7d36b4a319eaab7a8690ced8a911b74c703eebffe896879ba2542f513
063fd1f568e4e29c08cfdc2f811467fda5c04f50bdce08942f4b606750de1183
07d3e4aa9819dd1bec9a9a5f80e1defb3cad07e2827fceae2fff3fe2c5474389
0836030e21f3bfc2a9be077295b7e3bd1dba6d0492ee1be28d50893e34b9afc1
091cd8e0f5e0a113493a9d62e063066ba2e5974b432100272454f7170d14be5b
09b064b27cba3d8229d703bbe70c91be7b5dced5ffd953b4826bb9d17725fafe
0bc668db27503131656da06c8a4263f0c6a2e986ce16f9a3cdfa21478c903369
0c5728446d49cf4b34a02020fcf909f5c14e1b7db2adabc5aa92da7d196bf85c
0cbd4967ca139aba6ebd08e9ba3532cefbe1be59d479ec2f79c56497e4ca4908
0d866b232bbc685700e356440283a98d71ed84fa0b3bedca5d7cf5d72b68a903
0f13a52c4037425fcf3597c0d5e2904b437cb5a5bb8710be853a2af38e4650ab
10f71eb066e8340bcdd742d714d4a67278073c7f30e61f4bdc3f4747b3442116
111c3fcca78f38d3e6e040e6508e63e912e357b525ffe4ddbae79ef9a462bdf4
112f8fc35b1f24a8b44d75350db81f0fe1cd394d2d144aafec7aa497449d8db1
11f515b2c3e828864f0067242ffc9f27439c3f978f9a5a21303c44942946aa65
1233484d1a7d2cd2ca7118ab42c7a60e77490536ad8304c148a0721ff22ab005
1363243f57bc04ff383387c358785d8f43e2ec0765f7bc1676c1de820ac618d1
13c78ebcfe7cb52b9a3dd8324b761585e99a96761ecf1f70d4f7370163597384
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Ransomware.Cerber-7641285-0 Indicators of Compromise IOCs collected from dynamic analysis of 60 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
48
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
37
Mutexes Occurrences shell.{381828AA-8B28-3374-1B67-35680555C5EF}
60
shell.{<random GUID>}
31
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 91[.]119[.]216[.]0/27
60
91[.]120[.]216[.]0/27
60
91[.]121[.]216[.]0/25
60
104[.]20[.]20[.]251
30
104[.]20[.]21[.]251
26
178[.]128[.]255[.]179
25
104[.]24[.]104[.]254
21
104[.]24[.]105[.]254
12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences api[.]blockcypher[.]com
60
hjhqmbxyinislkkt[.]1j9r76[.]top
35
bitaps[.]com
25
chain[.]so
25
btc[.]blockr[.]io
25
Files and or directories created Occurrences %TEMP%\d19ab989
60
%TEMP%\d19ab989\4710.tmp
60
%TEMP%\d19ab989\a35f.tmp
60
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp
60
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
60
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
60
%TEMP%\8f793a96\4751.tmp
31
%TEMP%\8f793a96\da80.tmp
31
%TEMP%\tmp1.bmp
31
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)
31
%HOMEPATH%\documents\onenote notebooks\personal\_HELP_HELP_HELP_PTYBYT3_.png
1
%HOMEPATH%\documents\onenote notebooks\personal\_HELP_HELP_HELP_XOU9_.hta
1
%HOMEPATH%\documents\outlook files\_HELP_HELP_HELP_5KP80L7_.png
1
%HOMEPATH%\documents\outlook files\_HELP_HELP_HELP_D6UOS0QV_.hta
1
File Hashes 037cea8cb6c226180c2cb5ae3e7ae7e099340c5a8392373300832dafefbec345
063c5111ca5877790c5d30caa57f96e8940ddc987ebe93cac7eff48f5299bca6
13dd5000384644f0d9d47e1856d21e4e11d5709fe047b461142f8f2bb25498a1
14ad27715881fcb4c03150e6f43f009df6a3b8fed7b08dfce96b375c10c49114
14b7e243462ddb2d147c8b3e262b85638129f8272dacc3da3ecec101cebf56eb
182411e64d6fc32d50c24b75a4891474323ecf41f4950356dadb47871c061236
188a10de82ef84aaf6b61e30e0cb16d5689764f273f275e76fe846c22231275a
192385242e592f40b469ae0366f697cf5684496ede5c39cd6c727bd2260125a8
2091aa6b0aa17c7aeaddd3dfe43963e251c6e75ef884ab9297ab3293d65565fd
2270947c45c99b79fecac2cae938e9d65dc7c4475ddbd5183a3bccbf9f1140e8
32d3c6c4e5f8440e72a143c98388a3030b019499fe2c788bf1886af900ea4181
35f7c450964e90ee08c4ca411c816d2c518acc11e60cf96c9314b61b6251ea45
38c4616b4c510bd33e382df986227a2962faad563621d940599008b0bd01562a
3d086a6711d6cb1d03fdfa341d709b50daca73f3550f0d09ee570cd91817af2b
41d01fc785abc0c41b9ac5d4a245cfecc632cd7fe72e228ce1870ced7ca7cdaf
4abca6a94b8c3eec71ad3be24afea249421baac1925e476fe594ccb8c2bed52f
4c5483fb8e548d2905c706645ff8f6b1c76e40e51661238697a903f6240c0ed0
4d62840fbdface83a04a6a0a6ddff9f76b8d1f8367e48f09aaee0ae22f1709dc
4f11c7b3c1f65e5257798dd5440528e85a748f2e3fc2b906b4a2343b4d8ff74e
51c6f6a9c1658fb6fd29cb08e80876acd9b48509525dabc3392c6f59f75cf2d0
54a32981e816d602175f2ec18117482c7a23a4aa0408f66f6df7d687b788486c
5568b61ee70692533b0faad0810b0c2c20a8ce033a19d4ed65794c04aa5a886f
58f9c991b40cdace0bc52b8b22354e5ac94954d1ed6e00b78a283f75fb06a80f
5a4f2ac060738e3b427efe8c88704acd6b3304ed4dda8be37f6606912b004a4f
5e5d1bc6ab7b5204502bb70138d83a622609c3ce4c2f61a0ec340693ddc97055
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid Malware MITRE ATT&CK Win.Malware.Ursnif-7641287-1 Indicators of Compromise IOCs collected from dynamic analysis of 11 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: api-PQEC
11
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
11
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
6
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
6
Mutexes Occurrences Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}
6
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}
6
Local\{B1443895-5CF6-0B1E-EE75-506F02798413}
6
{<random GUID>}
6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 192[.]42[.]119[.]41
5
192[.]42[.]116[.]41
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences groupcreatedt[.]at
6
Files and or directories created Occurrences %APPDATA%\Microsoft\Dmlogpui
11
%APPDATA%\Microsoft\Dmlogpui\datat3hc.exe
11
%TEMP%\<random, matching [A-F0-9]{3,4}>
11
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat
11
File Hashes 3f4d76b36ddc412265aee0319baf2b5d0af9912cb18f96f5c1d6c8d31823e4ce
44c8521c0d4d03c8d40060329b536a150da1d088ec72b925e8bedeee33091560
470662c40cb6ae679c0bbce3746e36540206dd4f859377833632edaede93dc01
4ed7df37299dd6ac23facca8773ae462180b2fe8afd6fc6d277123a44c3cce6b
69af053959ff36ecca8c34c7d96bd556aeabb94a4d55a533250951706ae48a87
794074a37b9e634fcd41251f3ff3f5103fb32d31abbd94b87f96e41631aee95d
a177e74bbbd9937c0fc626b2e06e388f538b5538007385e64e66ede18220f73c
b8c10d5d4e0caa3f29301cee52e452a44f8790dd595b631cf18c92d7ac11188b
c2af9ae4163dc7273edc7f825ad8274196ac8c1f3ea213ea204c5852d15b6b42
ce74c822429572309b48445e2ae8dc7c9ec2999d204a4522f4e946ecee7c55c2
f240f57a4290d77807acdcbec3871666e5af2e77e833f768e8c52cf76cba9aa8
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella MITRE ATT&CK Win.Dropper.Qakbot-7641289-0 Indicators of Compromise IOCs collected from dynamic analysis of 38 samples Mutexes Occurrences ocmwn
38
<random, matching [a-zA-Z0-9]{5,9}>
25
Files and or directories created Occurrences \TEMP\f7d0d716fed617b7423cf7ab02db1819.exe
1
File Hashes 060e2bbfecfe76f922fd6ff92e2f732ea728e834512f5772a03e58478dec7770
0e36680e4e848ae33c030add635d62298edffc8525a59d45292a0da41184349f
177c4b51efa825b394d6939b54fcbe2da1065b86e05b24a8d35125bd1542f757
2cd1d4ee8b23aec9374d87ca3c7f98826d243db0f4bcf02434858d436d4481d7
2cdc9bc92cf3ba7aacfa983bea2a7ca62f57fde3fdb1e7e465e435d38344bf67
2cf8a17c06c0b3e1d7797a3e0739ac60791504806face84cbef0fc551cd4e56d
32e68d7f3849176ec4fca41150ca30a338699c1ead0a774ace872ff7cd5b5e83
3c6c9951436e5edf6d3c0b1940e8bfb4f19a73642378c3761a49d361c889af50
3ea2d9a13d6d9c8f0a6e6569ee25be67354ce7217ddd43b8224d66981b011b41
434afad3d9c4a50c9604a314f88ae511efd0e240239bcf86b700d1203cc13d4c
46c0a6032e1815f55a09d7042757d121678ea1d3dd597819206af99cd8deba5a
47298efd4042171a076cd56b0c5916e41990df12a312c81258c3c7ec88645b28
55b6023845e5b39a911db3fee89ff4725c0d8eb9d4b11d839e1f8cc62bd488b6
58639544bde0eca496f348335169c8cc9b7fbdc347f65e60ec24cdbae5f5ea01
5958dc1b077a38b476ecf2293462307e6dd8d29a3bcad5f915f45e08c880974d
596784ea479a4c5ef1ed8c7cd04b70f06c890f9c1cc39d048bfea3fa137dd7a6
5c167d3c7e46a16fed50f09462be999ca160ec79d11f7d993cad4f7eecd9c1ff
64947ffb71ebe6dcb9bc3ca9629d271e23bd01add86c3a3c2f9082741ad4f7fa
6556774b66f5b963244768bef45cf74e6d36e8ff7d41be560e10f38d78c3318a
65e9aca3321cc3b85772298bfa8fe6cbf9c5532879183fb8c369aefd92e91e1f
671a66225f390bbdf8dc20947a38c139c9e070c2263f621679e2cd34561da011
6ab95a6345fc46cb486d22244899992edd90a57c45119d0fc9d6410d9536fb40
6caa3b4c27f2dfeebedb4874a2c9b80b172a880ada3908146545bf9068c352f0
6e9caa6b8e31360aa3668367e37eee95be5e254b08e0c43a5448909159195870
6eeed4b8dc0a2819581ff20b7f5655f9da19ee6b3701207a9cdfbd02009c030e
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Malware.njRAT-7644450-1 Indicators of Compromise IOCs collected from dynamic analysis of 14 samples Registry Keys Occurrences <HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
9
<HKCU>\SOFTWARE\DAE31C02CB06222E776B9CCB9207EDB1
6
<HKCU>\SOFTWARE\DAE31C02CB06222E776B9CCB9207EDB1
Value Name: US
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dae31c02cb06222e776b9ccb9207edb1
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dae31c02cb06222e776b9ccb9207edb1
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2
2
<HKCU>\SOFTWARE\5CD8F17F4086744065EB0992A09E05A2
Value Name: US
2
<HKCU>\SOFTWARE\5CD8F17F4086744065EB0992A09E05A2
2
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5cd8f17f4086744065eb0992a09e05a2
1
<HKCU>\SOFTWARE\495A7A6EEA7C524B0131AE9992F41835
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 495a7a6eea7c524b0131ae9992f41835
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 495a7a6eea7c524b0131ae9992f41835
1
<HKCU>\SOFTWARE\495A7A6EEA7C524B0131AE9992F41835
Value Name: [kl]
1
Mutexes Occurrences dae31c02cb06222e776b9ccb9207edb1
6
5cd8f17f4086744065eb0992a09e05a2
2
495a7a6eea7c524b0131ae9992f41835
1
Global\52108960-73d1-11ea-a007-00501e3ae7b5
1
Global\8c1aef60-73d1-11ea-a007-00501e3ae7b5
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]95[.]99[.]26
6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences kurdsh[.]zapto[.]org
6
kandamm[.]no-ip[.]biz
2
ramzuus[.]no-ip[.]biz
1
Files and or directories created Occurrences \TEMP\.tmp
8
%APPDATA%\system.exe
6
%HOMEPATH%\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe
6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe
6
%TEMP%\dw.log
4
%TEMP%\Trojan.exe
2
%HOMEPATH%\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
2
\5cd8f17f4086744065eb0992a09e05a2.exe
2
E:\5cd8f17f4086744065eb0992a09e05a2.exe
2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe
2
%TEMP%\facebookhack.exe
1
File Hashes 09d1504b42c0f3734730bb200926afd53f8f547e6fffe60855a2e864c9217638
0bce4bde64c65ffda21384b0e112d463cbd385633533d7c9a4350b434d2d93f8
1d05c62dbabb27bfe7d106666283375710116df379dc082eb0f3f802e394ab54
486263226b8801db5ab8ad7a109be1dcf53fe804dc1bc2633de26d28b4ba12a1
4eedcb1d6fbd94e13a883c60798d95544620acc88ef1376f73d10b0d4e1eaca9
5906e1a09dc1d0d48f21469285df61f2acf55093834c0433842ac6c28944b5e2
658b84e34bd347026e28136ed1b2648c3e5588d86d0661855a25f53c848cc8dc
690d4bac7ad5977dd5a65518797a519406344dbf83081ae93e32bebb75a35e9e
77bca1b885cf492ca7f23c9e496c0bb3bba1e2daa9c34f11335bb94b1f1c4933
85e423f5c3e9722cec48359cd258d971985aa26423360ec731741e130d957236
8e44c09b0c179f6695de598184f2828bbb245f602a5617048a9c409d616b6295
999cb0a36d2fe437cac57dc54c6686f5bdb768ce260e3c5e4cb17544b296c784
9c7e41e38959e878d81a9525dcb0147206c9bbd9c40a4bab2a7696808f1a0efd
ebee3e0e356cdb4c60645046f9b310aec18295f1efb7f0b3b5f39bded7d1521b
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Virus.Xpiro-7641430-0 Indicators of Compromise IOCs collected from dynamic analysis of 24 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Type
24
Mutexes Occurrences kkq-vx_mtx1
24
kkq-vx_mtx66
24
kkq-vx_mtx67
24
kkq-vx_mtx68
24
kkq-vx_mtx69
24
kkq-vx_mtx70
24
kkq-vx_mtx71
24
kkq-vx_mtx72
24
kkq-vx_mtx73
24
kkq-vx_mtx74
24
kkq-vx_mtx75
24
kkq-vx_mtx76
24
kkq-vx_mtx77
24
kkq-vx_mtx78
24
kkq-vx_mtx79
24
kkq-vx_mtx80
24
kkq-vx_mtx81
24
kkq-vx_mtx82
24
kkq-vx_mtx83
24
kkq-vx_mtx84
24
kkq-vx_mtx85
24
kkq-vx_mtx86
24
kkq-vx_mtx87
24
kkq-vx_mtx88
24
kkq-vx_mtx89
24
*See JSON for more IOCs
Files and or directories created Occurrences %CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
24
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
24
%System32%\VSSVC.exe
24
%System32%\alg.exe
24
%System32%\msiexec.exe
24
%System32%\wbem\WmiApSrv.exe
24
%SystemRoot%\ehome\ehsched.exe
24
%SystemRoot%\SysWOW64\dllhost.exe
24
%SystemRoot%\SysWOW64\msiexec.exe
24
%SystemRoot%\SysWOW64\svchost.exe
24
%SystemRoot%\SysWOW64\dllhost.vir
24
%SystemRoot%\SysWOW64\msiexec.vir
24
%SystemRoot%\SysWOW64\svchost.vir
24
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D181BC64-A806-4079-A778-7CD8233C69DB}.crmlog
24
%CommonProgramFiles%\Microsoft Shared\ink\ConvertInkStore.vir
24
%CommonProgramFiles%\Microsoft Shared\ink\InputPersonalization.vir
24
%CommonProgramFiles%\Microsoft Shared\ink\ShapeCollector.vir
24
%CommonProgramFiles%\Microsoft Shared\ink\TabTip.vir
24
%CommonProgramFiles%\Microsoft Shared\ink\mip.vir
24
%ProgramFiles%\Internet Explorer\iexplore.vir
24
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome.manifest
24
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\chrome\content.jar
24
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\components\red.js
24
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\extensions\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\install.rdf
24
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir
24
*See JSON for more IOCs
File Hashes 077722e4ea86e5bfa93bda2b1f8c6ec6865dd2a68d2234825e3c001eaf89b79d
085ba147535f0c570b35940ebe03970ae84d36d4780325f0fe9a0f655440483c
0fa80ba4044dc0780677436758ef704e2ead95602c1c79e357d18299a5266674
1bc51f5317beadabe7afe577cf0d6d8641f51bb2143bdd4e532d62e6db4ccfce
2716eb06608756c76f2bf9984d088f16e079e8a5b98647efb745fe2660e202c4
339a29d578be254dd98af19a900fd1b1cca3417c1830a4fca0342a87dd1d4336
35e62066e3581ffa504eb1a2a66a8f5e0cbb2e189ca6274e8fe759eb32a8ac0f
3703b1bea852b8a8df8c4b6e82b855db37fbb32d9885a7e43c5d27f204a34071
3d69bd570660b1ab121237283ca2409e12c40674330b3bb224e3078950d6247e
3e20cf0e55229558aedae4400cb8429ae561c531d640df82c33e28edb13feaf3
3ea22f8ad2d694a9d6b68e0631f535dfa9c8316ef830ccbe2ecb3d7b409247e8
5d4f6709fb1ff6205e81f9f2f1fbdf09b568227f6012176890f2c24e29bc8b90
63f62e9a1c8a51ecc7b48d97475a12b44dbb89e2c5e184ba9e58d2ac2f1b8038
6df2a6a3986f925d10198cbb9ab8ca2189d389139b12f5fff5d6c4e609dfeb3c
7de61c07cac78c2007946035be9a9c8e7ebab4e209199e9996c15bfd6961cf8a
884c3f8d0bc7c44e4dfb295fbabe30f58a2f1cbe108fe4cdfe1eb064fd4a95e2
8e5d39fb05c85821c17d1f7024a1b89e4af4d16f648f282653134978cad54eeb
a3c3513c8abd798f523d1009c0729d356b8034fe1d53ffa9c286e6d5807f3d96
b5c299522bb8be336328579d39e9528be721e838314cea9cc329ec5ad2b3f542
c0e3889d1edea939865d4faf986d13db9f0f9ffc17e191024ae5219ba03fd719
c86c40be73fb24b7ec5fdf77f813e846e7f59d215e857e0da3cdad3cd10e41f2
daf79cda32bacdcfbde156917fa341d6deac3b179d26ed608623beb2cb6f54d7
e6708d6e22cd5e522d222736e684a285dcbd523b6852dcf7385d2262670b0be1
fbb06657de07566d87917aa53d794022ad358869bd0043efb437ecf378651204
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. Excessively long PowerShell command detected - (6749)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Dealply adware detected - (4940)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (2301)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (670)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (124)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (72)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (61)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
PowerShell file-less infection detected - (17)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Corebot malware detected - (13)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Palikan browser hijacker detected - (9)
Palikan is a potentially unwanted application (PUA), browser hijacker, a type of malware that most of the time does not explicitly or completely state its function or purpose. When is present on the system, it may change the default homepage, change the search engine, redirect traffic to malicious sites, install add-ons, extensions, or plug-ins, open unwanted windows or show advertising. Palikan commonly arrives as a file dropped by other malware or as a file downloaded
unknowingly from a malicious site. It has also been closely associated with DealPly.