Friday, August 14, 2020

Threat Roundup for August 7 to August 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 7 and Aug. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Doc.Malware.Emotet-9238710-0 Malware Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver several types of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.LokiBot-9243098-0 Dropper Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents attached to spam emails.
Win.Packed.Zusy-9228639-0 Packed Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.ZeroAccess-9227749-0 Trojan ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.
Win.Dropper.HawkEye-9235013-0 Dropper HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can propagate through removable media.
Win.Dropper.Razy-9229720-0 Dropper Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Tofsee-9234606-0 Dropper Tofsee is multi-purpose malware that features several modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.

Threat Breakdown

Doc.Malware.Emotet-9238710-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VCRUNTIME140
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VCRUNTIME140
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIBO
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDIBO
Value Name: Description
1
Mutexes Occurrences
Global\<random guid> 7
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
219[.]240[.]39[.]215 26
47[.]146[.]32[.]175 19
192[.]35[.]177[.]64 13
182[.]50[.]132[.]85 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
mersia[.]com 26
apps[.]digsigtrust[.]com 13
apps[.]identrust[.]com 13
e13678[.]dspb[.]akamaiedge[.]net 7
Files and or directories created Occurrences
%HOMEPATH%\322.exe 26
%System32%\NlsLexicons0009\comdlg32.exe (copy) 1
%System32%\tzsync\wininet.exe (copy) 1
%System32%\AuthHostProxy\wifitask.exe (copy) 1
%System32%\SensorsCpl\win32spl.exe (copy) 1
%System32%\RDSAppXHelper\WcnApi.exe (copy) 1
%System32%\hnetcfg\sdiageng.exe (copy) 1
%System32%\nlasvc\ucsvc.exe (copy) 1
%System32%\PrintDialogs3D\FWPUCLNT.exe (copy) 1
%System32%\mscoree\kbdgeoer.exe (copy) 1

File Hashes

0ca447b6394e50491f40aa154744522e0dd0fced72b2f35856f46e9a1e61f1a0 0f5733a324ef602d162d0c1a8fe6cab82f3848a60bcc0d4d85c31df5ba56196b 129a59ef23cad9fdb25fa5b1a912c88a0856c5718576d8a158d54748dcde7b57 14df5a4c49d31640d9608852d16eb2683e5d89fae28185fb7faf8eaf9c1eed54 1b100cbd09ceab749cbc7deb60199b0b523825d21070721d7e9e05710defe8fc 1c2a9ba9266c11988601952ecaab5025c71be658f11c96591947c7825cc50096 1c854aac6c58c6f6ea00c98ac569e1ca25382e1b7a898bccc4e069807180fcb4 2252d8b27672143e02cea56c104d962796148d2fdafa1317333e7d62901770e6 22de9efc9a264f18a04c05c903c23a85af864de3f1d8206dfc6c9380e7a67094 2397cf0a40939d9baa70257dbd6765c8f716bdfb1ea502d672b160e16303d6bd 24a1c8543ee15e53767ca11f5274dd6a646a4296c8f2442b7e6c81ab0049e3df 25f71cd8da80b0578f815cb507f84098e34c42bfdc970373984de42334c07339 26c00d468f7203957661f1f7802a750742ad5f9d0d1ed546ef4d899eba2c93b7 28adcb176b0934aab520b0fd053603cb03739e87fd532ac6ca1336aaaa545877 2b8dc93006be9257340097a6dfda27571aa3c37c12f1eddc49c2b9f73565ab09 2c17edda28946385a72063e4f5e5863e001a72f9a4805e210d95fa57b61a7651 31811807e5cc16857a85bc0d69b6af5d4ca29c4ffb5ace9cecc0cf9245660236 318b3cfee300a1da8fa190f063365fa0bb0fcc5e908ce2a2eeef6f4673bb0c9e 37d8814119dd6a3cd0f807537e681a4b2b1d571e8c1d4ddf3c8d852e2e0bd155 391ce14153952b5334532f0ac319f2060a8e5e52abfd4c0375db58043bbe800d 39510fcfca5aae3eed6aa0bf191aa1483b406aa8ba6962f88433080da726e302 3dbf0bb636c2358964e5c9ae2cb3f68572ccea34dc1b20e79491674a12a275c2 482ef11eba89f570466c5e7d1b54083410c8a6a12b84f0f45ecbe10375b21e10 4b4574331de7a4583c2a0d5eed8d114453c864e40643f51ed2a5f0547bb936a9 4c8e9e97e9893824d3a93a3cde32020070765f30490bab39874bda1d6cfbd1cd
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

ThreatGrid



Malware



MITRE ATT&CK




Win.Dropper.LokiBot-9243098-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Registry Key Name
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
2
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A4_7
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A3_8
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A4_8
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A3_9
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A4_9
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A3_10
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A4_10
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A3_11
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A4_11
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A1_10
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A2_10
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A1_0
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A2_0
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ\-993627007
Value Name: 1768776769
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ\-993627007
Value Name: 253949253
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ\-993627007
Value Name: 2022726022
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ\-993627007
Value Name: -503464505
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A2_2
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A2_7
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A1_1
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A2_1
1
<HKCU>\SOFTWARE\FOBVEXLLMTQKQ
Value Name: A1_2
1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 23
Remcos_Mutex_Inj 3
uxJLpe1m 1
Paint 1
remcos_dciilklkbxnrgct 1
Global\81fe4700-da30-11ea-887e-00501e3ae7b6 1
Global\832a3441-da30-11ea-887e-00501e3ae7b6 1
49d2e74c38f4d5c05ed95ab726d0967a74194e1f03b0ef76e3f9ea7f5306390M_1632_ 1
remcos_eipufbkewpsixta 1
remcos_rxrontrtepflpgg 1
<process name>.exeM_<pid>_ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]154[.]36 10
77[.]88[.]21[.]158 9
104[.]16[.]155[.]36 6
46[.]101[.]46[.]83 3
143[.]215[.]215[.]205 2
208[.]91[.]199[.]224 1
172[.]217[.]7[.]238 1
23[.]111[.]168[.]182 1
195[.]20[.]46[.]117 1
45[.]80[.]132[.]70 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 16
smtp[.]yandex[.]com 8
hmcrogenics[.]com 7
www[.]macniica[.]com 4
global-dahuatech[.]com 2
ragasgki[.]tk 2
smtp[.]yandex[.]ru 1
us2[.]smtp[.]mailhostbox[.]com 1
handrass[.]co[.]rs 1
mail[.]elcarmelohotelhacienda[.]com 1
ymams[.]cf 1
boquils[.]ga 1
u17094677[.]hopto[.]org 1
4cbe38387ffe0773c605cef59e77417a[.]f378aa487b16a643ff99d3805fb1cb93[.]sink1[.]doombringer[.]pw 1
2755bfd9789361d8110422ee5c5a43c6[.]56e519622a486cc557b926f3be681509[.]sink1[.]doombringer[.]pw 1
smtp[.]badlogs101[.]com 1
sigawd[.]gq 1
be6e1ac5f9ee667e5ff4b59b40d35785[.]8cb19bb1aa8bccccd2f7c502f9b3befe[.]sink1[.]doombringer[.]pw 1
3569149a17a7613073c10f03a2339622[.]5cea3029ac4b8432302cb569497d4012[.]sink1[.]doombringer[.]pw 1
d519f69ddb567ebfcc9865f11eab6203[.]bf93d4e6ca6a7b55757fdcbbbcd68359[.]sink1[.]doombringer[.]pw 1
ugo123[.]hopto[.]org 1
92b2eeaf1c756181519866a1837f0f65[.]d7ab16dc15f57e0b073d8b6cbe1db25d[.]sink1[.]doombringer[.]pw 1
zibind[.]tk 1
fav121[.]hopto[.]org 1
smtp[.]chidilogs[.]com 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 23
%APPDATA%\pid.txt 16
%APPDATA%\pidloc.txt 16
%TEMP%\holdermail.txt 13
%TEMP%\holderwb.txt 13
%TEMP%\SysInfo.txt 11
%APPDATA%\Windows Update.exe 11
\Sys.exe 10
\autorun.inf 10
E:\autorun.inf 10
E:\Sys.exe 10
%TEMP%\subfolder 4
%TEMP%\subfolder\filename.exe 4
%TEMP%\subfolder\filename.vbs 4
%APPDATA%\WindowsUpdate.exe 2
%TEMP%\0E697DA4_Rar\49d2e74c38f4d5c05ed95ab726d0967a74194e1f03b0ef76e3f9ea7f5306390e.exe 1
%TEMP%\winfduto.exe 1
%TEMP%\winvtibk.exe 1
%APPDATA%\logs\logs.dat 1

File Hashes

057796b76454e439da35d7a8c655561c907d44c626fd58fee544f35278db4ce3 07152dd6093a4ff27e60fce4d44435a0dd18c4fc5fc3e15b1717216ea83c3ef1 0f28ecc4396a455536419237a6f31507e2e6dddc495ed6f19ef3d01da6b31f79 12d840728aa253f08afaa9eef0f40a6bd362d073ef50ece71b15fb27752f0a33 18f6abcd0c4e10008eb20f92c458eb205dcd34c547a98e1579e45a87691035ee 26cf0752e3d93ddb16646e585a560ad35849afe31302064972d1227344394343 307371dfafdd0584d0925d12c1d1d956c97d262f33f7956cebdab40916152178 30bb667f4f0f09051e223416d343ba052f482695147aa81f9a5d28b768e48d87 42fa0bf6cce7090ccfcd62626de0f39cb4b9216d896a01729e81029597eb8b83 4336224c9bfcd2ac539a10b7ad1373afef581ab234b58c28fb6ddb41f9fa0793 49d2e74c38f4d5c05ed95ab726d0967a74194e1f03b0ef76e3f9ea7f5306390e 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42 50e795161b6b450e9b7750b62273d993d96b522e64fd3e752b25bfd8a94be178 52a29709f63cf9eb6f51ddfab1be327afdf6479bf85e8389b74a708b1dcfc93a 5815c611c2a00da248c7d040b6c34defb22787a51601f43533079589a330f239 5a43129a036e2c78d7a5a1af207cf1b9c27f7e87dd491905c46ab5840cf861b1 5b8b9dbb0645e115417dadefb4145e8110a6e52d7d1511346a4e9f3c5742954a 5b9d98d7b4c2c777702d933fbd4d98276a28fd2a883e71fe905a20b186cfebce 65347787e5eba1f87de97c782ac4b7f5736df8810ee9c2820a85f3025658e7a3 6b79c1e0b316c3e0bb6451fabef51e0eaee4d66c6e0274282e0fde649f2abd1e 6f7795742f1c360dd43d2a814607da31639afa96ae1636b51df382b9bd727623 757b1b380cbf84dfb55a5cd9649759b646806f1c73a1c59da9522f3da66bf3be 7d3bababa5df16815edfd580fe572ce130165b4b69b4a65f43de96b385b973ab 7fc4e594db6b7588aa97406a0b2f2658ebbf8b72c9989fe772a50b2716c09869 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Win.Packed.Zusy-9228639-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 31 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A} 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE
Value Name: EnableFirewall
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV
Value Name: Start
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: HAL
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: WAVK
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: IOBPL
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: IOBSL
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: IOBAL
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: IOBGL
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: IOBDL
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 911k1e97
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 911k1e97
5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: GLA
5
<HKCU>\SOFTWARE\APPDATALOW\TOOLKIT
Value Name: Favorites
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MYMAILCLIENT 5
<HKCU>\SOFTWARE\APPDATALOW\TOOLKIT 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CW1 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\VU2 5
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\{3E0AE736-E36F-7A5F-0575-AB594FE2749A}\0B5E1E5E\CG1
Value Name: BID
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
4
Mutexes Occurrences
UVJlWVxU 11
c731200 4
-9caf4c3fMutex 4
FvLQ49I›¬{Ljj6m 4
SSLOADasdasc000900 4
SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL 4
FvLQ49I {Ljj6m 4
alFSVWJB 1
ZBR-JNSEXOBM 1
Global\59b463c1-d7ff-11ea-887e-00501e3ae7b6 1
abg1c11vee 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
184[.]105[.]192[.]2 7
172[.]217[.]13[.]78 5
212[.]83[.]168[.]196 4
204[.]95[.]99[.]243 4
162[.]217[.]99[.]134 4
20[.]41[.]46[.]145 3
209[.]85[.]144[.]100/31 3
194[.]165[.]16[.]68 2
194[.]165[.]16[.]15 2
40[.]67[.]189[.]14 2
20[.]45[.]1[.]107 2
208[.]100[.]26[.]245 2
104[.]215[.]148[.]63 1
204[.]79[.]197[.]200 1
40[.]90[.]247[.]210 1
40[.]91[.]124[.]111 1
109[.]120[.]180[.]29 1
91[.]232[.]105[.]127 1
81[.]128[.]218[.]110 1
176[.]9[.]1[.]211 1
90[.]155[.]73[.]34 1
178[.]33[.]203[.]115 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
connect-support-server[.]ru 7
bestbrightday[.]ru 7
paranormal-online-kino[.]ru 7
jabber001[.]nas[.]ru 7
www6[.]cdljussarago[.]com[.]br 5
www6[.]tamareirashotelmg[.]com[.]br 5
api[.]wipmania[.]com 4
n[.]ezjhyxxbf[.]ru 4
n[.]hmiblgoja[.]ru 4
n[.]lotys[.]ru 4
n[.]yxntnyrap[.]ru 4
n[.]vbemnggcj[.]ru 4
n[.]yqqufklho[.]ru 4
n[.]jntbxduhz[.]ru 4
n[.]oceardpku[.]ru 4
n[.]zhgcuntif[.]ru 4
europe[.]pool[.]ntp[.]org 4
n[.]jupoofsnc[.]ru 4
n[.]kvupdstwh[.]ru 4
n[.]aoyylwyxd[.]ru 4
n[.]spgpemwqk[.]ru 3
nutqauytva8azxd[.]com 1
nutqauytva100azxd[.]com 1
nutqauytva10azxd[.]com 1
nutqauytva6azxd[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\UVJlWVxU 13
%SystemRoot%\Tasks\UVJlWVxU.job 13
%System32%\Tasks\UVJlWVxU 13
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 7
%ProgramData%\6b407430 5
%ProgramData%\6b407430\desktop.ini 5
\$RECYCLE.BIN.lnk 4
\System_Volume_Information.lnk 4
\jsdrpAj.exe 4
E:\$RECYCLE.BIN.lnk 4
%APPDATA%\Microsoft\Windows\themes\Eoawaa.exe 4
E:\System_Volume_Information.lnk 4
E:\c731200 4
E:\jsdrpAj.exe 4
%APPDATA%\Update 4
%APPDATA%\Update\Explorer.exe 4
%APPDATA%\Update\Update.exe 4
%APPDATA%\WindowsUpdate 4
%APPDATA%\WindowsUpdate\Updater.exe 4
%APPDATA%\c731200 4
%TEMP%\c731200 4
%System32%\Tasks\Windows Updater 4
%APPDATA%\UVJlWVxU\hh.exe 4
%System32%\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb 4
%System32%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 4
*See JSON for more IOCs

File Hashes

069e5ab9d19c9bb8857307eabfb6727d0ab44dceea02945ceef6108885612bed 0d6e7d16280cee4e9b3c21a1bda49445ac2fd359b92807700d1313b81b11845c 15eb00527b4da2a5b6b6bc1cf16dd20054f3a78dbdc0108c58d1d85c0f64725a 1c56fcb8d5422a88b3152489f17ab5626723472372c0b1059b609b5c6eaecaf5 1f3252d4e852defa721f006b8aca98b02a7d16b4995336ffecc0a838d7072bdd 22621844f9768fe3d89bda1205e13ff16e3753245d6cc16a42d64e04431d0cf5 249ea0cb4e56ffcc638826e0dd3910b5fc7efe3ea2b07eddd70df7651264d38d 2791bccaffb04cb2a65d03d0a6414af81a5b7e931873da2c5050ab4a6bce6bc5 28fe7c939ac540649304854c67f4b6237ab5f8f0d8065c071acdf423840451e7 2ac4a793ecfae3d3203c468173715b3a8026d0f76de9ea0613f8cd3465a78f40 2b4e145a7c93d039a486725200052752a2f26489830a73b48d2921b837dd2d69 39ed52271089bbdcd11aa6e5629db07bde8cf800819c1dcbc927c4fd51910fb4 3a4c68180728c2c9c381dcdd9061c6e2f9b49a2112be20089c34ae672b302f47 4025a3eeadff2c7ad9583af81ef3bc3f519b527899f5f257469f136c1fb7edcd 408640851beaad6fc9396d369fe92c3d4f56473848200a6b99822dcae0595633 4e5d8471486251f9d0ce06d5338798f7c02d072e6d8616411c55d49e4aca76ff 515e48b5d050988c94e1e6a27c9c1928123972270b8b7d51791bd7dbab16b192 52b2715d6e26891f089e9e877bad9342b2e62562b93cf422e210150c1135d533 589c9e24427d74d3bf561ab6fce690a4c5a64df3f9f28c70cb9481fc4ed77f64 613b5c863a65d30cbdaf52615b3037cfd5b9fd701b448f7bf504b33a696c10d4 6729ec8b5e8688a6af9e82b97fd94943f906ad537a60873eb167454398f04178 679b7ac531523e2799530300a34c11effdd1981829e0d4ad0f196ef1ba0c96b1 67cd689dc06444ca234cc91be71fb03c64d5a2d1918b761df009b52d81edf793 694edcea91cd602392e2e84d3d4b673d0488cfce36cdb59141418b3ee781a419 6d7d5b6be88e92c2faeb8d3797688dd9a6bdbd67834626e726cb7443ee7f0732
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK




Win.Trojan.ZeroAccess-9227749-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
28
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
28
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
28
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem
28
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
88[.]254[.]253[.]254 22
92[.]254[.]253[.]254 22
87[.]254[.]253[.]254 22
180[.]254[.]253[.]254 22
166[.]254[.]253[.]254 22
135[.]254[.]253[.]254 22
117[.]254[.]253[.]254 22
119[.]254[.]253[.]254 22
115[.]254[.]253[.]254 22
134[.]254[.]253[.]254 22
206[.]254[.]253[.]254 22
222[.]254[.]253[.]254 22
182[.]254[.]253[.]254 22
190[.]254[.]253[.]254 22
184[.]254[.]253[.]254 22
197[.]254[.]253[.]254 22
130[.]185[.]108[.]132 14
74[.]59[.]91[.]57 9
65[.]79[.]242[.]203 9
69[.]207[.]84[.]208 9
24[.]229[.]254[.]232 8
72[.]184[.]250[.]236 8
72[.]129[.]96[.]128 8
24[.]98[.]59[.]90 8
198[.]45[.]223[.]204 8
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
j[.]maxmind[.]com 28
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-18 28
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 28
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 28
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 28
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 28
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 28
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 28
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 28
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 28
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 28
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 28
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@ 24
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n 24

File Hashes

039f37371da4173924ee5fdaa33dd7429cd56bdc35045c42167f7eed9efb2005 05b4adf6c681db28bbef8e60349a6763df7be81bcd6e137f90ddbe0856f9cd4d 0613e2173bfb29e045412fa140712fcefd84c630544d3c56ecab662bc5fcd983 06b5a57ea7803b52eb7f6cec3af051dd37127327d060e5247f10f2f31a1a10f2 13459c39decf77e6570f70a4452ca88b44b890800970bff0ca8b4ccf168db12e 13c49095c22376a2ccb73ebc18e57b8ad8d8fd58997007115b70bb116244d763 15ec244569c18762a6a8e45c3b3ffed7fd9ec1081d67695a5f96c8a8d9f3f58b 1cbc12777b9265341a1bcb4a4897d875577a7c3dccefda23c0b7c30d78dda71a 1cce1a38e7ded5ab7d23928b730f514ac05c6c97107e89e293ac7590cc84b455 1d5d89235918c062861e244103fa8bc5717edae77286ee15d39c3e83890ff0a0 1d9ce6eedd04b81f61b96f3537214e290efef23a3aa2f31a55744a3feaadf4e1 1f261e7108e46792076ed1231596ad584c25f8bd72e000cda3359562f24cbcb6 264b224641e979ede2e2c2fdf41a29db5419184e1c589864193fbb373c1bb72b 282c84cd4ab3afc6cff3d5f6e980b6b6430b27c3768841aaf086edb69d98249f 2bf2b2f2b05ce861866ce6037f249676386d188a9167690cccc80ecc2bcc84c6 2f8ca4f09c3ae69627663fdcabaf70eb71d1860a6959e8a76c8c80f58690f727 3000d4944b8ddc0a992c63129028c40ea1639faf48abc2054e5ca11304fbf7b6 30748c87416d2c5f6a711a2f2f84d585062f709225ccf691f86ea498cdeacba3 31cecd5a427756b23d5fc757b7307df03157b53947dd737d345b8e7864ee44ca 32444739f82129df10cb9ec20b0efff24fde19415e4829edfad35d0eca9e37bf 32cc788c4b705b9bed78e2b60c1215276b064f1992781c0910e47804a1f75b51 3730b1bedfa415b29e894ec046500518632997a3891757b70bf3d78d2c4bc879 37762286cb02f4c93d6735764fc0c9c727f8886129a0b017f727c339b08cb39a 38346650fafdeb425ad7fd1bcffe6d2ecc88d55fccb8924b1d2133be11a05eab 39f354ab2ab87d5232a50faf54945c1d135bacda212cb3e21b8e3707eb5f8372
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.HawkEye-9235013-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
12
Mutexes Occurrences
Global\ Administrator1a8808fe0e67816dab6dbf80bebd224432b57c2f 1
Global\ Administrator1714d647f336841eca801b6d93f003e0bc0c1c8e 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
77[.]88[.]21[.]158 12
108[.]161[.]187[.]74 10
104[.]16[.]155[.]36 8
104[.]16[.]154[.]36 7
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
smtp[.]yandex[.]com 12
whatismyipaddress[.]com 12
repository[.]uzto[.]netdna-cdn[.]com 8
repository[.]certum[.]pl 8
smtp[.]yandex[.]ru 7
34[.]26[.]8[.]0[.]in-addr[.]arpa 1
247[.]13[.]11[.]0[.]in-addr[.]arpa 1
140[.]244[.]14[.]0[.]in-addr[.]arpa 1
57[.]122[.]6[.]0[.]in-addr[.]arpa 1
jonweek[.]hopto[.]org 1
Files and or directories created Occurrences
%APPDATA%\Windows Update 14
%APPDATA%\Windows Update\svchost.exe 14
%APPDATA%\pid.txt 12
%APPDATA%\pidloc.txt 12
%TEMP%\holdermail.txt 12
%TEMP%\holderwb.txt 12
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 12
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\136812.lnk 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\148124.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\118330.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\186360.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\100077.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\172294.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\195023.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\138586.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\198362.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\100587.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\169618.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\135932.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\171744.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\114249.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\171798.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\193152.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\196978.lnk 1
%APPDATA%\Monitor\Screenshots\08-06-2020\9.01 PM 1
*See JSON for more IOCs

File Hashes

136da8040b3d50523033e3054cb4e7aa63a3055e0d8b03d40d7fe376dfb9d7f2 15b0c6331f2eff371e176e24c3fe3f30c40c56e56f19412e89718f5f6ad91eda 249eb266faaf08964a5da1f666a9f0ba2f2dd645a6fd3787c168d7a6e5d4d7b3 3997379d4c182f45f93e3d7172922a95b5d83de0611134f301760bf6be4cb1e0 4a3197916ff9e336d191baf4e284407d6774119b733bc194ddc89e649ec1db33 544f6d58158bbc5e36692c74722101571e167a65fe72c70a9d13522b5e72c18a 6f0f235b4b8977922739508a3cda37cb80662f5e3114e9aeb85ff61b60164a3d 705b0cc2a09c0e5c34ad6eb5940263bf281285cdd99078e8766690de3aa28f54 71986aa0789a34b51fc2c4c4170bcb93b0237820434f2b15a69ddbae17aeaa77 9830b084b68d05603ee40063017f69e4044897e2311d9bcaf11e1af6041ad93b aba452ab6580b4ec6182fc8a662c8197496792b5d19af680ccc155d56c36b465 be9dfabe29a6c6b8cbbfbac2d813eb30ced6d53e88d861eae595dd9d5bad03a6 cc967f71c2e3a2c54ce25312ed1087cc34a7e0d42606b4f0d401a7a391f47ecc e12d967791f4c0b92202edcb1ff79ded976b543e22df3f5dbeb8d552533474bb

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Razy-9229720-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\PWRKXXZKWU
Value Name: License
12
<HKLM>\SOFTWARE\WOW6432NODE\PWRKXXZKWU
Value Name: License
12
<HKLM>\SOFTWARE\WOW6432NODE\PWRKXXZKWU 12
<HKCU>\SOFTWARE\PWRKXXZKWU 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icepower[.]su 12
priple-red[.]su 12

File Hashes

1f2cda85711967b02c65c120a06851c4e205d0b7ae2e6de25fa7f61f0fffa996 46638c95ad892f34f352f2ff99347162c1d4728bf4d66338ea06096173cd2d9f 47d8174966e78d8aac7ed22260fdddbecd3d3a36d1d6240472db66fdc48f3a4f 5530c2c064403074012bc36f4a79868c46dfb6a23cd25f49130bc18c0566b099 5d399575647662a97a1ed98fc32f027fe94226a65a2996eeb4df06ba3cc95ce6 64603646e38d45c2babed67a8bc07164d860b6cb1a12d7887ca02756d0e2c171 6b634e523f675245f042945c29988087b01be1c848ccff5e7863d87271dc2715 70797d1de39870d87b8b31eb3406157490b9bb04b19e699975b1251a7472004c 951d9740be663613f53bf63f7d7caae8f8ecaf8b04be095ea4240a9f351d0504 b2c91856e402f2120c159ac6b122eb6266ba190cc7f715f854344179c3ca84fe d0cd5f75c21b424cdf361b7a9786008301a35228407fcf54a597153cfca1d2b2 d73a7f2a20481af196285dda4a7709e0d714a678cf87edd96717953f53e7c53f

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Tofsee-9234606-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ohvbaiod
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
239[.]255[.]255[.]250 20
43[.]231[.]4[.]7 20
69[.]55[.]5[.]252 20
85[.]114[.]134[.]88 20
217[.]172[.]179[.]54 20
5[.]9[.]72[.]48 20
130[.]0[.]232[.]208 20
144[.]76[.]108[.]82 20
185[.]253[.]217[.]20 20
45[.]90[.]34[.]87 20
157[.]240[.]18[.]174 17
104[.]47[.]54[.]36 17
216[.]239[.]34[.]21 10
104[.]90[.]132[.]221 10
157[.]240[.]18[.]63 8
209[.]85[.]201[.]106 8
83[.]151[.]238[.]34 8
209[.]85[.]201[.]104/31 8
216[.]239[.]32[.]21 7
98[.]136[.]96[.]76/31 7
23[.]61[.]211[.]155 7
2[.]22[.]2[.]5 7
12[.]167[.]151[.]116 6
87[.]250[.]250[.]22 6
209[.]85[.]201[.]147 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
schema[.]org 20
microsoft-com[.]mail[.]protection[.]outlook[.]com 20
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 20
252[.]5[.]55[.]69[.]in-addr[.]arpa 20
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 20
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 20
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 20
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 20
ip02[.]gntl[.]co[.]uk 8
msr[.]pool[.]gntl[.]co[.]uk 8
116[.]151[.]167[.]12[.]in-addr[.]arpa 6
market[.]yandex[.]ru 6
www[.]sendspace[.]com 6
api[.]sendspace[.]com 6
ip[.]pr-cy[.]hacklix[.]com 5
www[.]sneakersnstuff[.]com 5
www[.]offspring[.]co[.]uk 5
api2[.]endclothing[.]com 5
s2[.]ipinfo[.]pw 5
s1[.]ipinfo[.]pw 5
www[.]google[.]com[.]au 4
lh3[.]googleusercontent[.]com 4
epicgames[.]com 4
www[.]epicgames[.]com 4
static[.]ibsrv[.]net 3
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 20
%SystemRoot%\SysWOW64\config\systemprofile:.repos 20
%TEMP%\<random, matching '[a-z]{8}'>.exe 20
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 19
\Device\ConDrv 12
%System32%\config\systemprofile:.repos 12
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log 12
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 8
%TEMP%\prmslyi.exe 1
%System32%\sxkvysd\qmeebqpd.exe (copy) 1
%System32%\xjrbzyk\kntncnye.exe (copy) 1
%System32%\cemihdo\hdvvshgu.exe (copy) 1
%System32%\lbfrdwo\sedrcmuo.exe (copy) 1

File Hashes

0162982feb9a89a229bb5ee30cac6e7c93ec09faa8f76b96e5537ff165e09ad7 05ff135072e0e313524bfe9e4f142cc11b17c691ebfb5117fe1d95fafabccbd0 2e1c0d5f56ce3facc62ddf95367f80d30536518dd2ac185a00cee2a0fc8ba42d 3bf28902ab33affea183db786d30e8d5484f4829da45a2de365d858106b99bdd 4d7725f07de457a3488dbd3584a51030073babf4b5de2041e6352ccef5211d55 50a1516c6fedc037b56c50ed314a92e854811a1aa5b92ab0ba1cc9102ea97ec2 6913602f33b7b4067250f561089037e736e528c3720d2534f8fc1bfa0706634d 79a9bb0b38e7a195a682cd53dc447c7e1c641d147586b447a6efc6a17607527a 8dd33de39aeb4eb9a10c92ccea4eeda8d81224348cf2ca2434735b66d9e6878a 8e518c0ad1180bf0ad6416d77501371a931349522e426c9414e684d085634ce0 9329327cf81fc5344a3cc07252cf2cb693d60f7b7569fda854b8f32ab9945f33 9b14ea7aaaf8c453001f9aeebf78bac5633161389a902b798872fa56b3d6dad8 9d146bbf7d220dd675e1a1f5e51ffa170d59b2b089ccd28d765a77d8e4326287 a0c597b74d27211665be240ee88ad869a72f3929baba3f734419cf7832ced500 a44c583addd5c5fc46dd4b453ffd8e0a4803bbe077054de15e2e3242169719f7 d08de16ac2883eaee64c9680574b2dda7d090a1c1020cd41da6edfc4c15e67a3 ecae67b06ad68ac335a60fd12e86fcc2ebc7ceff3fa972728db67fc49dee5249 ee488d3e80082a5cafbdfddbce834f69cdb38c9befec19edf558d0915f49f1e2 f204ba7ee95ec7ac4d2ba01db119824f80af6c591e00550fb3deec903303e790 fa60fb510c7482ed697c90faf7ed47a641e2cea70c849689041cd7fd7a157ded

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (7239)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected - (2690)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Crystalbit-Apple DLL double hijack detected - (2564)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
CVE-2019-0708 detected - (2441)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1490)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Squiblydoo application whitelist bypass attempt detected. - (593)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Trickbot malware detected - (576)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Certutil.exe is downloading a file - (310)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information. Attackers can use this utility to download additional malicious payloads.
Installcore adware detected - (290)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (192)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

No comments:

Post a Comment