Friday, July 10, 2020

Threat Roundup for July 3 to July 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 3 and July 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Packed.njRAT-8479097-0 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Malware.NetWire-8479400-0 Malware NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Dridex-8486639-0 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Fareit-8493652-0 Trojan The Fareit trojan is primarily an information stealer that can download and install other malware.
Win.Dropper.Generickdz-8494215-0 Dropper This is a BobSoft Delphi application that wraps malware. The malware uses process-hollowing to hide from detection and achieves persistence across reboots by leveraging an autostart key in the Windows registry.
Win.Packed.LokiBot-8568668-1 Packed Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Trojan.Razy-8568648-0 Trojan Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Malware.Emotet-8568701-0 Malware Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Packed.njRAT-8479097-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
25
<HKCU>\SOFTWARE\27B4710398AE0B763559DF62D775BA29 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 27b4710398ae0b763559df62d775ba29
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 27b4710398ae0b763559df62d775ba29
2
<HKCU>\SOFTWARE\27B4710398AE0B763559DF62D775BA29
Value Name: [kl]
2
<HKCU>\SOFTWARE\74FB347B3D36AFEEF9601FC49748F387 2
<HKCU>\SOFTWARE\74FB347B3D36AFEEF9601FC49748F387
Value Name: [kl]
2
<HKCU>\SOFTWARE\58340164489AFF059FE46AB17B861A07 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 58340164489aff059fe46ab17b861a07
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 58340164489aff059fe46ab17b861a07
2
<HKCU>\SOFTWARE\58340164489AFF059FE46AB17B861A07
Value Name: [kl]
2
<HKCU>\SOFTWARE\3073A267DD6BA57599509E1FC89383AB 2
<HKCU>\SOFTWARE\3073A267DD6BA57599509E1FC89383AB
Value Name: [kl]
2
<HKCU>\SOFTWARE\F53BD214B970381275BB6CE3C71B0345
Value Name: [kl]
1
<HKCU>\SOFTWARE\7D37CA2C4B7AFA2D4D222003A595ED82 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7d37ca2c4b7afa2d4d222003a595ed82
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7d37ca2c4b7afa2d4d222003a595ed82
1
<HKCU>\SOFTWARE\7D37CA2C4B7AFA2D4D222003A595ED82
Value Name: [kl]
1
<HKCU>\SOFTWARE\B8ECBB9B55BF8E520EA66CE3B1D1F053 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b8ecbb9b55bf8e520ea66ce3b1d1f053
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b8ecbb9b55bf8e520ea66ce3b1d1f053
1
<HKCU>\SOFTWARE\B8ECBB9B55BF8E520EA66CE3B1D1F053
Value Name: [kl]
1
<HKCU>\SOFTWARE\7003E42B55F54D8B8C83FCE037328D7A 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 7003e42b55f54d8b8c83fce037328d7a
1
Mutexes Occurrences
<32 random hex characters> 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
141[.]255[.]152[.]254 1
141[.]255[.]157[.]71 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fatehtawba[.]hopto[.]org 7
babayalg[.]ddns[.]net 4
aze12rty0776370119[.]ddns[.]net 2
xxlxali[.]ddns[.]net 1
aali13212[.]ddns[.]net 1
lucifermorningstars[.]hopto[.]org 1
achrefforever[.]ddns[.]net 1
ahmed2016[.]ddns[.]net 1
abdoudara[.]ddns[.]net 1
camifer117[.]myq-see[.]com 1
omar323[.]ddns[.]net 1
Files and or directories created Occurrences
%APPDATA%\<random, matching [A-Fa-z0-9]{5,8}.exe 8
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 7
%APPDATA%\system.exe 5
%TEMP%\Google Chrome.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\27b4710398ae0b763559df62d775ba29.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\6de93533ddf06b44600c0f7d2cb3cef0.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9eb21e5d1bf0f3ef5fed5349338ca44b.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\f53bd214b970381275bb6ce3c71b0345.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\7d37ca2c4b7afa2d4d222003a595ed82.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\7600563427a220b9ee6789067cee7247.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\0c9c7dec5ec41406f114cc14122868e6.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b34230732a1fbeafb56e1f89b2c65110.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d67b5eef929e2b8fe667b51fa445dda2.exe 1

File Hashes

012e909df9d0df5311c7197fe96d869ee2475f14785c36a2b63049392dcab08e 0d325f73d770a86a7dc2cea227c514f70ff209eb3cd9126cbd2f899ee33512f0 108b158a9336fe0a5a36747ab3a4e68c86bda13738b436ba1d61595f1bdb9d77 137de9f6ebf719f94067cfd75b5462282bd1b8a3fcacacc9d78bb29e46afd6a7 15d6f051b914fe71da5b7007fb0d29adee689591f3f352f15aebcb56a5969d76 2126da97bd3b0356c2525df5d91f38c62cd820b828b407d9ab035ff0984ea16b 31533a726bd8296da161f2b50617ba0643186468bc550e95b717374e32ca63dc 35a995675808686145eea0f21cc21499d2b8156e38d245b53549b6258d9754a3 3a0136e03cfcc1312d8a282608337adc38e71155fb0278257ec460f8c28c6a13 6d093f76871d78c3c2e4e0876ac9cb9164f5263c901e813aeb24c3321a9eb0c4 712bc4b4138cd9e4de8d31cef9254667cd247fb21d70746bccd8e7ee846492b7 759602d8ff40af581cd164bd9cfca99c25f1790c874d4a441b3a5ff533f721ca 920aed6efb480e8890dc16c5aff5a195516a8862a1f42dfe5b6e1ad06760dba4 92f0707572aa497bc1d86787b52503d1ce0fe51292be674e6f10b940a265dee3 9b10f90033a84ba079d50da7b90a5cb0c5e6f2427619d5c9425afd6df3e42243 9e2b29ad62ea3a13f27dc3de68f85bdf95f7dac97acc7fbe4d4833f66fbc4746 b183fe613c1eb93e221210f48a9d9b4a1a2aa3f898848168b3bf69677c4c4b0a c30a52e8084f877c22696411929de15930aae0fa132df0af40cd48535435a4ee c4cb8fda10c91ab40a8f5885ba2f4fc6e1702b9200f589ac1dfa1987c9206f72 cd79a03310096d7a20499257d987e634513c3d7bcc1bfadefe3bacb75f0fa3b7 d8806598bd19f7d1776c68a63d2cde0b8dbc6fe5f17e2bfcd06abbcabfca0ce0 e01c82be269f707b5479248ec72c0eac33846a5362a203e7de005441bc53bc59 e6627586f9c31258191da77dce84119be5b308e9f6c163ea5631a1f574fec736 ed1b8e246b88b984c595f2e1bd6cfac7c0cb4463abced2813fc1b88378e5f107 fb21e383d1092ea07228d6ab27d71e88f5e9384bfa2d2e25df05817ee9adc1a1

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Malware.NetWire-8479400-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 40 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\NETWIRE 38
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NetWire
37
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId
37
<HKCU>\SOFTWARE\NETWIRE
Value Name: Install Date
37
Mutexes Occurrences
OqvAvPni 37
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
192[.]169[.]69[.]25 37
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
love82[.]duckdns[.]org 37
Files and or directories created Occurrences
%APPDATA%\Install\Host.exe 38
%APPDATA%\Install 37

File Hashes

005d4ba8835d3554bebf46c7910bbf3b8823c08abec4270b9096dd22ecf295a4 045ed6c11f72b1a11803a205abcd7ea82b2ad478a8a795984c322f540d159a79 11f841dcd0ffd44e32bbfaf6ee2e3e4c47efc0ae80ab95a4b4f6f0cd4f9fbb2a 1e7b37a04208f94239a05244352ae5bf45793f83bdcb4aaadbfa7ef4c48d805d 229d7221c71a16c1b2d8bd1f74dded37d27dec2dcc713150d7657837c6c67be0 22c07b60b192d882381a9e4e5c1cefff80c7bdcf12efa66d19765625b9ea7d00 255c6efe9551fd5b6381adb440b94af65aee2286465c76c8fdb596c6e7a90b1a 26fe99cf61903d3dd464b96e87bc8640dd1d1ba9df2c795e2f27db6dfb74522d 28181484a3ef4f4f3ab8fc07388aa109b49f2e02bcfe65b819a4341369e5b4fc 2e86be5c9c364bd944b4823b9191f217c181bb6c980e1708800be13dac953cd5 387109054b3a59071d6ca8af6656eaa223fa4d1825efbcc4213bd192c5d6e29e 400dc0e03ffdbe53b008300711d2490e94f7b9eab93ac16ae49b39abd28a48ac 44fd21ec687bfbecc1002f1a5e640f0d782b9aa9beff7e4822704fe1a09907b5 483b6c1fc090a248beb40574446a998c3af6a8f3c42df5f0e95a162fd4b9b534 492c1e4ae807107b8792e9e4a0c619f92dbb9f0a1fd457ac79fa0e07292354b0 4be38ea855bd9088282cd6afbb6b2698aa45fc1f507a609a66af4894a8a3eaf3 51164673a792e1f214b69b1f21bf714ce289ddf8d898f7499f07aafb7a692e9a 523e3d1fda9eb37098ae774b20f87e5552c5f38228dcf311298caf4bc5c2d086 542d5b4e9100882a16a6ce60c6ff8532b1f0a22a7bdcda84c35cd7a1b49df664 62b6d90b250056d556971b7066e827eb03bbe2cb0b70848a98cb21fadc27d500 79dbd028f2768d0874fce30c00b227e6af46080727503918bc09ef965949edc4 7e6898b47574bbdb8b7c27bc392eab836bcd810e048fdc6b880537e3c7fb701d 83ab262d766c76a413251c5b7f7598eac14e6a273580ef388be2f1856baed52c 9648d53a1276cdd0d3d170ba0c13a9c140b13c4ef3d3d4790164ca98f8f71a5d 9d163b8e00e7574fb1609b2ee8db2b07d3b6aafa233f3add788dda1baf5b3322
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Packed.Dridex-8486639-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
Mutexes Occurrences
aihe2c3Z3t 1
QlMdGnfFmZ 1
bVcCqyrBy2 1
S3DZABBUMK 1
lV9DFmxMu0 1
XgDKb6eMIc 1
l4FHApIW45 1
y9F3Xf34wx 1
lf7rGDvcoX 1
mBKG6gUKV8 1
2SpUmwMJdA 1
GaQ0LAm4uC 1
GgAH9JMQiC 1
P6CqDb3bn6 1
TnXrsSiZYY 1
gS97oxh4Ta 1
jV3cL4tBef 1
ufrMC2wkBC 1
6Li8AyR7ub 1
OogRI032Y1 1
UHktqcJ1Vt 1
fAzZZW7ieZ 1
kP1YBWPVfo 1
lovebEVaR5 1
oyCGR1A6FO 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]12[.]238 25
104[.]23[.]98[.]190 17
104[.]23[.]99[.]190 8
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 25
www[.]z9sgtyzd4n[.]com 1
www[.]smgwtryg5o[.]com 1
www[.]7trmhvo0lc[.]com 1
www[.]upsx9hbryb[.]com 1
www[.]dv3cqa0qfb[.]com 1
www[.]vdpfmxmrwl[.]com 1
www[.]rwetvae1y9[.]com 1
www[.]kwn21leqpf[.]com 1
www[.]bqjubcofqz[.]com 1
www[.]mnofmz3cat[.]com 1
www[.]0c6gsqsqja[.]com 1
www[.]v0hjik6pcs[.]com 1
www[.]ihzfwitsog[.]com 1
www[.]ottjfpzbbu[.]com 1
www[.]ouzhwi8crh[.]com 1
www[.]iyxil53gcw[.]com 1
www[.]xxa0ygavhz[.]com 1
www[.]dsbmq2nt82[.]com 1
www[.]hxpc8qy8q1[.]com 1
www[.]ueinwzcoah[.]com 1
www[.]zjzsuycij9[.]com 1
www[.]agoeoitflm[.]com 1
www[.]k5f7q3mh7t[.]com 1
www[.]q3ulbe6oda[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 25
\TEMP\b8a2331f2cea5833b8fe16d65c5bd8da.exe 1

File Hashes

01471374fcd6097dc0aae7e009c5e7f394c12e2a4167d41ea65e9907d2aadadc 039dcb0c7ad91af2bc6f85c31094c0af3f4e7d18132fc30e9835ec16ff5639bd 12f85ba586ab2a2244e98f9a5d332c8eac918bbefad4720290724a1656b811aa 164680200fa658cf68c2364fcefe4432f22a50c4bfe9522e2d471d1dc80cfd81 261dd4670a2059359cf034f30f07f623a831e7c35df753ace924ee4a73538361 2f0feed83faf1729bfaf899ce88e129f34fb1a7bf3336f5d69c1c9d084f81bed 32eaa521b84d6dafbe190f74c356c38301a995705c0ada2aa8f7a8018913e23d 3530771162e6e6b2f2d851043d89100e0e3a195b87e3c3ff8e16e43e03460047 37f8d15d81cd5a3ac969e3ebacc5de83348de5f6e5cccca7fbeebaea9530c45e 453f965bebdfd5f026d9bb79e35323846c020a174668635a2d354b3f3c506d0d 4ac34dd6930ade14f1c8f86e4c4887bf89cceee39a87653cf3c167ee3030f702 5837d744750ee27d21bc96c4c817128cfd8c4d9ef4e7f4cbdc367dd346038018 59ec343687f0191fdf59c813db7cf35ea2dbc6656116e0d699e902e8b66a9acc 6a36e9b8487b6e6b3a523c821681e9e18b449ee3867cb58a310f4b15b2d4bc42 7518758b89bfea4fbe212eddcd4cad8174da1133db95e9e5f3e5df4c226756e9 7885845e3a2c78a5f8c8148279ef73791762f6353b05abef1628e2a733ea7b3e 7d583ca25b9aa5606983198418c7707d3eda11481ac0dbb258e0319323e7fcde 7fb38fd748a22d1add21e5cdf392f31c541b257ce9e578a084fda8f0db9a7cf9 89627f94995fe9ff65a53dac89c4f0c34f3ccde4ec074e852e692a64de4456e0 9ec4b8395cd477573bc8d018abead8a364af97756e7613cd3715576c957561fe a7bc3abd06d7eecd14f6ace0434c6bbea31571e69a48161ed2fa07ff43895c9c a930e3c18a88724905b860619ded34cafbcf6e810e3df893fa26d25954c83f2b ab69eeaff679fe83a3000dde7696d63fef5686b12428ccf2ece997cc8c3e69d6 b5d5420d4796241d3f07c35b1887f71db4f2c7f826352787085b1d494d14bf4e bbc54b0340ccf681fa6acdb078bb854956d39430e01d7bdec12d4ea36e405739
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Trojan.Fareit-8493652-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
3
<HKCU>\SOFTWARE\MICROSOFT
Value Name: count
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWSUPDATER 1
<HKCU>\SOFTWARE\PICTURE 1
<HKCU>\SOFTWARE\PICTURE\PICTUREPROCESSINGTOOLSV1.0 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: arinze
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWSUPDATER
Value Name: installed
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kissq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWSUPDATER\FREEKZVIDEO 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWSUPDATER\FREEKZVIDEO
Value Name: Installed
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: arnold
1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 6
3BA87BBD1CC40F3583D46680 5
dfthorbnjAdministrator 1
145nEVR515JsB8NB94DYmA4W8NDTNYhAQw4100115111536076clipperrorRER1233326FDSH123 1
9C71F883-5E43-41AA-85D0-5272784FB258 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
195[.]69[.]140[.]147 3
88[.]99[.]66[.]31 2
85[.]187[.]154[.]178 2
198[.]185[.]159[.]144 1
101[.]99[.]90[.]12 1
77[.]88[.]21[.]158 1
208[.]95[.]112[.]1 1
108[.]161[.]187[.]74 1
103[.]91[.]210[.]187 1
23[.]96[.]24[.]107 1
185[.]130[.]215[.]136 1
91[.]215[.]216[.]54 1
195[.]201[.]225[.]248 1
172[.]217[.]197[.]104 1
5[.]77[.]32[.]186 1
194[.]180[.]224[.]87 1
35[.]223[.]217[.]188 1
199[.]192[.]26[.]230 1
172[.]67[.]134[.]183 1
192[.]157[.]193[.]137 1
204[.]188[.]226[.]99 1
194[.]54[.]83[.]254 1
34[.]200[.]198[.]80 1
52[.]86[.]54[.]255 1
35[.]171[.]65[.]219 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
iplogger[.]org 2
flood-protection[.]org 2
mail[.]flood-protection[.]org 2
ip-api[.]com 1
repository[.]uzto[.]netdna-cdn[.]com 1
repository[.]certum[.]pl 1
smtp[.]yandex[.]ru 1
smtp[.]yandex[.]com 1
ext-sq[.]squarespace[.]com 1
google-analytics[.]com 1
osdsoft[.]com 1
s3-eu-west-1[.]amazonaws[.]com 1
pc[.]publicnewsetup[.]com 1
thebestoffersintheweb[.]com 1
kovachevpress[.]com 1
telete[.]in 1
dutchlogs[.]us 1
www[.]regulars5[.]info 1
www[.]getgoodvideo[.]com 1
mediadownloader25[.]tk 1
www[.]kitpicture[.]pw 1
freekzvideo[.]cloud 1
athrluckyday0003[.]top 1
jogaae[.]jfoaigh[.]com 1
admaris[.]ir 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\D282E1 6
%APPDATA%\D282E1\1E80C5.lck 6
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 6
%APPDATA%\D1CC40\0F3583.lck 5
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1 5
%APPDATA%\D1CC40\0F3583.hdb 4
%APPDATA%\Microsoft\Launcher.exe 1
%TEMP%\arinze\arinze.exe 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-process-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-runtime-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-stdio-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-string-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-time-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\api-ms-win-crt-utility-l1-1-0.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\breakpadinjector.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\hv8745939v498h.zip 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\ldap60.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\ldif60.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\lgpllibs.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\libEGL.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\mozMapi32_InUse.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll 1
%HOMEPATH%\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll 1
*See JSON for more IOCs

File Hashes

0f59a101fdf55d72819e6b69917e5dc3c33cf7195e149c78afd4dde4e99514ea 10bfcfa243c262252f60c4b5480e1da37a205068135b5dad722a1d01ca871456 12a1af4ef81e1c6e71faac652ae0b27d26f7c0f8f03a1e5191e64efd85cf580a 337bd5db74ecb61abb14d01b9c938989a04ca4d7a8fb027a3895090147626abc 3547debd61e04a97aed10733ab27bed6b23956104d7b6932ace83605da1bc798 38c234dc0bd0297dc390529d3c11887b19219b76f5f279e8d3484856783f85eb 3afe57a6dfb27aa17a596f159a77288def98b130d84bb11ac9d283b0816a1347 56d1fab5493fe9fa6ba93f984469817c89ea607a63249bec6540d8a6f9147bef 75f614af5672c9dd40b750d6af0c34dc2f930deb72ad1c76aeba5ac932f57169 7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953 815c270a50913e47152329d92bfbda5d383faab8eeb43ba51f7afdc69624cf5a 98090f606cda48999384c614b1f92bb9d0e5f1541b86d8d62bf1e6639633a271 b92387f4ebd2401753c36f466db181a1624fde4cb23cac4f26f26bb2edacbd29 bb652f11edb625fade303e09bc8450276634f98aa050a7e6dd3c816f62edefab c208823b7b425a224dc28447ddddae1ebc5735b5dffd6f3858a70d384a96c4a1 d2e5fdfd013a4fd426b9455889c8cf4f9102d1e7d68a3f739c4f88353f3778ff e6185bd50b78a2280181337e32864577d4650b7923eb64e8e95f85d46be4ced0 ec26615a72d15a96ebc88ca8b3ef2eaef97894eb70347d25b66ed8453a8f4f77 f594a66f330e8f2f14a9d39c1195b76810248a7e326af586a945cb7b4d8bdeb5 f6bbefe21fdc48d34593b743d0eb995112db1d0f935da32085da3ec5314c8ff0

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Generickdz-8494215-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
8
<HKCR>\LOCAL SETTINGS\MUICACHE\66\52C64B7E
Value Name: LanguageList
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\INSTANCES\WINMONFS 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\22000011 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\16000009 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\12000002 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\14000006 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\16000048 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\25000020 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\22000002 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\21000001 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\11000001 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813} 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\DESCRIPTION 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS 3
<HKLM>\BCD00000000\OBJECTS\{71A3C7FC-F751-4982-AEC1-E958357E6813}\ELEMENTS\12000004 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON\SECURITY 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\SECURITY 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR\SECURITY 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER\SECURITY 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER
Value Name: DisplayName
3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
3
Mutexes Occurrences
Global\SetupLog 3
Global\WdsSetupLogInit 3
Global\h48yorbq6rm87zot 3
Global\Mp6c3Ygukx29GbDk 3
Global\ewzy5hgt3x5sof4v 3
Global\xmrigMUTEX31337 3
1dc907539dc8fc57e6b3cbf1a276ccce 3
Global\1dc907539dc8fc57e6b3cbf1a276ccce 3
25ba6ebb3e470993540ebc62e98a51e2 3
Global\25ba6ebb3e470993540ebc62e98a51e2 3
7FD5DB439F901942779736 2
E6EE507B50F82876534592 2
Global\530D4C9F-32A8-6FCB-DFF6-A5DE7490E287 2
GJLAAZGJI156R 1
I-103-139-900557 1
J8OSEXAZLIYSQ8J 1
LXCV0IMGIXS0RTA1 1
MKS8IUMZ13NOZ 1
OLZTR-AFHK11 1
OPLXSDF19WRQ 1
PLAX7FASCI8AMNA 1
RGT70AXCNUUD3 1
TEKL1AFHJ3 1
TXA19EQZP13A6JTR 1
VSHBZL6SWAG0C 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
88[.]99[.]66[.]31 4
239[.]255[.]255[.]250 3
216[.]239[.]36[.]21 3
43[.]231[.]4[.]7 3
157[.]240[.]18[.]174 3
69[.]55[.]5[.]252 3
104[.]18[.]11[.]39 3
173[.]194[.]66[.]106 3
173[.]194[.]66[.]99 3
85[.]114[.]134[.]88 3
204[.]79[.]197[.]219 3
104[.]214[.]40[.]16 3
217[.]172[.]179[.]54 3
5[.]9[.]72[.]48 3
130[.]0[.]232[.]208 3
144[.]76[.]108[.]82 3
185[.]253[.]217[.]20 3
142[.]250[.]31[.]94 3
45[.]90[.]34[.]87 3
104[.]28[.]12[.]88 3
172[.]217[.]164[.]164 3
173[.]194[.]66[.]103 3
176[.]58[.]123[.]25 2
40[.]112[.]72[.]205 2
157[.]240[.]18[.]63 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
iplogger[.]org 4
greenpalace[.]top 4
schema[.]org 3
microsoft-com[.]mail[.]protection[.]outlook[.]com 3
cacerts[.]digicert[.]com 3
cdn[.]digicertcdn[.]com 3
vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net 3
vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net 3
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 3
252[.]5[.]55[.]69[.]in-addr[.]arpa 3
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 3
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 3
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 3
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 3
easywbdesign[.]com 3
gfixprice[.]space 3
ordinarygame[.]site 3
www[.]google[.]co[.]uk 2
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 2
119[.]151[.]167[.]12[.]in-addr[.]arpa 2
ipinfo[.]io 1
www[.]google[.]be 1
115[.]151[.]167[.]12[.]in-addr[.]arpa 1
www[.]google[.]at 1
www[.]google[.]cz 1
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 6
%HOMEPATH% 5
%SystemRoot%\Temp\scs1.tmp 4
%SystemRoot%\Temp\scs2.tmp 4
%SystemRoot%\Temp\scs3.tmp 4
%SystemRoot%\Temp\scs4.tmp 4
%APPDATA%\indepopede 4
%APPDATA%\indepopede\filingood.exe 4
%APPDATA%\indepopede\testoviyjuki.exe 4
%SystemRoot%\rss\csrss.exe 3
%TEMP%\csrss\dsefix.exe 3
%TEMP%\csrss\patch.exe 3
%System32%\drivers\Winmon.sys 3
%System32%\drivers\WinmonFS.sys 3
%System32%\drivers\WinmonProcessMonitor.sys 3
%SystemRoot%\windefender.exe 3
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 3
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error 3
%TEMP%\dbghelp.dll 3
%TEMP%\symsrv.dll 3
%TEMP%\csrss\DBG0.tmp 3
%System32%\Tasks\ScheduledUpdate 3
%System32%\Tasks\csrss 3
%HOMEPATH%\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 2
%HOMEPATH%\ntuser.dat.LOG1 2
*See JSON for more IOCs

File Hashes

107b613427237963579b4a064e7dfec414bae75662156fa111856f2c014444b2 1de678f3f72bc2158678e8022dff3bd4991e6044a71a37e40093f0c5cb83e969 34e2b61d9aa2f8ee0127290e4024d4035303b2b4ed8bc59c9cf314286e0f6aa0 3bd4968eb51d12a61c7546519362818eab6932cb842b746a8c0af05659d434f0 55aaa64d206257d4c3f4b8c4466f6dfc0097bb0f2f845a79170c88f0a2a33979 58eaf9fa794dc45dbf8fa6844a3be23e06bbf9d400e8e4b21ce33bdc0f253201 5ad38a0c3bb3ca5eb8e4f3ebb0965f798f426849ddf2f92bfa8d36edd97e7b84 81d3062394ed9845b9151312cf43d3a4396cb7c6ad430fcd5b6db1ccb513ce4c 92fc73572256b3db6b950610a001d3989d21894950098581e783b68ad3eeda4e a54053b27fcc354601ccaab7d34e6bc77ab9c56b1c2357ee75fb9cc89131d2a1 aa71a0eb1146acd09802a64d135e209779a1f1f284b68831f5515ff9fe225bba c741f7484f1284b300d5f20c007ccb4523ba5edafa70515041fb3ec818d12d08 cb5ccff7db063f01a06d9c1ad11bbcf4d0910099a4aa6c492733e17df4fc7812 d77421469e73a196d488154fc1555330685ee6f306c24f09173c678eea84a29d e3b133cf38c4960310aa7abc1f12f625dbe9768fb913cd2a5cb8f88175e6588e edc36f8ab61df8483a45ed5389fd65da034e6652f4b7e7bf7cd38a01e003e084 f5e1628a187af5b76c5a800cb9a364d88908401acbb9860f78f014d38940dd94 fbb5fd9232250955d2ffa6101f488df503dfa6c38cd3d976fe8e3de41ce7633d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK




Win.Packed.LokiBot-8568668-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Mutexes Occurrences
3749282D282E1E80C56CAE5A 23
Global\c802fb61-bec9-11ea-887e-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]126[.]202[.]111 23
Files and or directories created Occurrences
%APPDATA%\D282E1 23
%APPDATA%\D282E1\1E80C5.lck 23

File Hashes

0c58b6aaacdc67cdbdd6afa96bc3d70ba9d3a2755e167d991c8bb9210f63245b 0cb0e47e0d7373e407d3634f13b3cf33ff777306190f899649b63c4ea7e31c53 0e72330c623d0807cf5688672d9f528c8df01a3673a687a2acd7bd1f20d50076 116bfb1907c96421e87d6a52d325a5ca56846eb9845e6b506b47b0439c1c0382 13d62dc6ab41d8f7c26b75aed160c82a0b49013f6f85822b71aef7d53bd566c2 14bbf2ba0482df800da11348223e4e737b5e6d993ce521fb80a75d008e21d4d7 16d203c535218e1640d10e8d06f7e9603494c27096c4e8b5ff242a63ce082dac 1b43d005d8c03d16ebaeed445cb2b489972aa5eec6fdf3bb74a8ae8713467dd0 1c362a6f0e3b3c27652597f3e29079f8f868697c7886d42c92b2c221fb4778f4 23edb899d71f2455ee832d0062f3ccb945b593243c8a345a630219c32d1047b7 247dc57ee61758d4dfdc4f72e7450c8625c92291a8206b5750f75b9adde9bba8 25b2d5dabf35a8b429fd6cfc36c205e35f172f2aae3898d36947dd72222b327f 28ac5e65db10b970473a62cf5c3d119883f633c1509a0ef90d3272ab72abbbf2 290a3944cec7e78bd2a11346e981389f1eb678347de6537761488bc895e111fc 2bad3d73cfc353d8a690e8cfd39a965eb01cf41a17c8757a6e1d0d08e9195710 311064c8b91b9acdaf3bd0bd668837eb27c69f3f5801009b8abc86a56832eefe 318a69413ab3f284f08835bc979a4f3867d01b60ea233cec05990ecce5f830af 3ba3b764ff8c55ebcb21593f17b277d5e0ae94d7eebde6211c9a55ca0e605fa2 412a0b8ba705fa6554a2c3711bfcb7ce6db8514c5f604608fbbaab36651ca01b 415e09f8d073b15e9faa1e55c713bf85026f822bd320491db87f2d02c8420ce6 433ae59e4addb3f61bca9c872f68293ec66561fe72bd7a46d58fceba134e0d34 483b3eeb73c79aecc9665fcfebef62c542ea0ec78e50bc7324151889dd0911d8 48c33340c542a2a93fe65baa9321430f0cc1585591c9d022896e00272f648417 4905ac6b7ab70a983ed9f72d47c41691c7542cbc8f49dc83e46da93b10696edc 49fed5487288af8e9dd83253954019ef15120656c109eb2197d4124c1809577b
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Trojan.Razy-8568648-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\IAM
Value Name: Server ID
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Sesion Manager
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
77[.]88[.]21[.]158 11
108[.]161[.]187[.]74 6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
smtp[.]yandex[.]ru 11
repository[.]uzto[.]netdna-cdn[.]com 6
repository[.]certum[.]pl 6
Files and or directories created Occurrences
%APPDATA%\Windows Sesion Manager.exe 11
%TEMP%\sHkSp.exe 11
%TEMP%\sHsif.hkp 11

File Hashes

4c032844405e25349854219c2e85b9487f518f1fbecc6f1ebf298c49638f724d 5f2ad668b87ae2deabe3af573e18f3d499bafc37f97cbc836834b8f5d4fd07aa 90dfebaaf2eeffbffd22a49c3741d5c8f74bd03944fe41b2ab8dcee709cf8705 9449e3553c696f3c7351592aa666ba2cd4e977ebdd633e9e7843ea38ef18bbed 954d421019084fe372327667e6661cdd234a4d732ad725167de50d4c098a60cb 9e98a80adc326eac448ae51ef2beee5c335bbef16ef094d7708e42ce2f0f8c61 a2b0de1e4e9915bf82820280817b5f90b86c980c7c5948a196842bf2e93ca1df bca44a84f91738ed84598b2f2c58c684c2f356af0c222bbfa52edb9542234997 ca25f4f2acd099f683414956183fa5f2251cee3138515a4cf5a756b3b2b419bd cd57456247564081c3f496cdb55a85594e8f890fc9c0bccddeb0d171a451983c d3d4c27b14d36a158981dbd6bc9840ad7fd88589a95f790cfe4e852390ada2fa

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Malware.Emotet-8568701-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\66\52C64B7E
Value Name: LanguageList
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ONLINEIDCPL
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ONLINEIDCPL
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FXSCOM
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FXSCOM
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLSDATA0039
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSCLMD
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLSDATA0039
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSCLMD
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSVCIRT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSVCIRT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIR
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PKGMGR
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDTAT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDTAT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDLV 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDLV
Value Name: Type
1
Mutexes Occurrences
Global\I98B68E3C 6
Global\M98B68E3C 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
64[.]88[.]202[.]250 12
212[.]51[.]142[.]238 11
91[.]236[.]4[.]234 5
219[.]92[.]13[.]25 5
41[.]169[.]20[.]147 1
177[.]0[.]241[.]28 1
82[.]165[.]15[.]188 1
72[.]10[.]33[.]195 1
Files and or directories created Occurrences
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 18
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 18
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 18
%SystemRoot%\SysWOW64\wsnmp32 1
%SystemRoot%\SysWOW64\netfxperf 1
%SystemRoot%\SysWOW64\wzcdlg 1
%SystemRoot%\SysWOW64\cscobj 1
%SystemRoot%\SysWOW64\wlaninst 1
%SystemRoot%\SysWOW64\msasn1 1
%SystemRoot%\SysWOW64\mfc42 1
%SystemRoot%\SysWOW64\NlsData000a 1
%SystemRoot%\SysWOW64\KBDLT1 1
%SystemRoot%\SysWOW64\wiaacmgr 1
%SystemRoot%\SysWOW64\pdh 1
%SystemRoot%\SysWOW64\NlsData0000 1
%SystemRoot%\SysWOW64\user 1
%SystemRoot%\SysWOW64\eventvwr 1
%SystemRoot%\SysWOW64\dsrole 1
%SystemRoot%\SysWOW64\OnLineIDCpl 1
%SystemRoot%\SysWOW64\WMASF 1
%SystemRoot%\SysWOW64\KBDLV 1

File Hashes

019cb08d08f8512b3a6af74bf8f1f4c99c8a9691af2775183c95e67c10388e74 0622420430e3559c1a5175e77584feebbeac977922c0a5b72d52d996e8ba6707 1b1c8d35b6dff722f9439985f78da06098d5bad82e7d0b5d1fa41dcc6b3c432b 1d225e3a3c3f52cadbf07a4ed069b4467c4618310d2f41678584f3704f95d19c 1dafb532cac149ced3cb5f6bcaef801208d8de38c3f6b7a8a69ba2277d90e5fb 338b14380a84844b2e8773ba6846e2a8a23fe266b5d079dc3efbb17f9473a250 4b953167cdee60b1fda17ce2293590c05b26db580e93ce93fb0ffee08527ac2a 539f218904629efd90df998b1704cdfc101543b74c6d8afab2204e325d1e8bb0 633bed3b02759cc36b1e72c124d298607e68697a75f61f221b5b59decde14ecb 887226f61b841051a606edd1ced5ad1c1919e71fae4583afea1d995fd027ad08 ab87b202217c59a3d0346f4bdaa549813191ff25df57ad8a616b40647cb4c028 bdb054e3f565c5bf244417609322ccebcab26fdbc74c31516ce66ffd2aed2268 c4339507d79d74a6260ee7769b98c58d3b5289a470bee7c5a87f96c78efc3851 cb8a434442b33d664405f2191c9f57d7e04f97bb3a98116000d82a5967bd2868 d8e201ed2ca53622f1ca4cd4b794879ab2b6dc6d52e5e4e12540da1c3d588e0c dd5048f55ce7d16e2cce8ba707b66ae2c8c7ae64549b98fdcdb0f3ecf2874f17 e66da3958ee12be370fb6e1e429611f98d575b21b5e555d9f8dee58eb2481def f21aaec6dab4428d5462f0a917908556054093fa9b94f386c94abc572c9d9e0e

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (16504)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (3320)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1859)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (1573)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Squiblydoo application whitelist bypass attempt detected. - (933)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Installcore adware detected - (385)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (206)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Palikan browser hijacker detected - (138)
Palikan is a potentially unwanted application (PUA), browser hijacker, a type of malware that most of the time does not explicitly or completely state its function or purpose. When is present on the system, it may change the default homepage, change the search engine, redirect traffic to malicious sites, install add-ons, extensions, or plug-ins, open unwanted windows or show advertising. Palikan commonly arrives as a file dropped by other malware or as a file downloaded unknowingly from a malicious site. It has also been closely associated with DealPly.
Gamarue malware detected - (118)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
IcedID malware detected - (71)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.

No comments:

Post a Comment