Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 4 and Sept. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
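An added example, not Talos code: the sketch below turns this post's templated path indicators (the `<random, matching '...'>` form used for Gandcrab and Dridex further down) into regular expressions, refangs the `[.]` domains, and reports a host as corroborated only when two different indicator kinds for the same family match, in line with the caveat that a single IOC does not necessarily indicate maliciousness. The event format, the `%VAR%` expansions, the two-kind threshold and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators copied from this post, kept in their published (defanged, templated) form.
INDICATORS = {
    "Gandcrab": {
        "file": [r"%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe"],
        "dns": ["ipv4bot[.]whatismyipaddress[.]com"],
    },
    "Dridex": {
        "file": [r"%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp"],
        "dns": ["pastebin[.]com"],
    },
}

# Assumption: default per-user profile layout; adjust for redirected profiles.
_PROFILE = r"[a-z]:\\Users\\[^\\]+\\AppData"
ENV_REGEX = {
    "APPDATA": _PROFILE + r"\\Roaming",
    "LOCALAPPDATA": _PROFILE + r"\\Local",
    "TEMP": _PROFILE + r"\\Local\\Temp",
}

_TOKEN = re.compile(r"<random, matching '?(?P<rx>[^'>]+)'?>|%(?P<env>[A-Za-z]+)%")


def template_to_regex(template):
    """Compile one templated path indicator into a regex for full-path matching.

    Literal text and %VAR% expansions match case-insensitively, as Windows paths
    do; the random component keeps the exact character classes from the report.
    """
    parts, pos = [], 0
    for m in _TOKEN.finditer(template):
        if m.start() > pos:
            parts.append("(?i:" + re.escape(template[pos:m.start()]) + ")")
        if m.group("rx"):
            parts.append("(?:" + m.group("rx") + ")")
        else:
            parts.append("(?i:" + ENV_REGEX[m.group("env").upper()] + ")")
        pos = m.end()
    if pos < len(template):
        parts.append("(?i:" + re.escape(template[pos:]) + ")")
    return re.compile("".join(parts))


def refang(value):
    """Undo the [.] defanging so the value compares equal to logged names."""
    return value.replace("[.]", ".").lower()


def triage(events, min_kinds=2):
    """Group matches per (host, family); require min_kinds distinct indicator kinds."""
    compiled = {
        fam: {"file": [template_to_regex(t) for t in spec["file"]],
              "dns": {refang(d) for d in spec["dns"]}}
        for fam, spec in INDICATORS.items()
    }
    seen = defaultdict(set)  # (host, family) -> kinds of indicator observed
    for ev in events:
        for fam, ind in compiled.items():
            if ev["kind"] == "file":
                hit = any(rx.fullmatch(ev["value"]) for rx in ind["file"])
            else:
                hit = ev["value"].lower().rstrip(".") in ind["dns"]
            if hit:
                seen[(ev["host"], fam)].add(ev["kind"])
    report = {"corroborated": [], "single": []}
    for key in sorted(seen):
        bucket = "corroborated" if len(seen[key]) >= min_kinds else "single"
        report[bucket].append(key)
    return report


# Constructed sample events (not taken from the post or from any real host).
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "file", "value": r"C:\Users\alice\AppData\Roaming\Microsoft\qwhzkd.exe"},
    {"host": "ws-01", "kind": "dns", "value": "ipv4bot.whatismyipaddress.com"},
    {"host": "ws-02", "kind": "dns", "value": "pastebin.com"},
    {"host": "ws-03", "kind": "file", "value": r"C:\Users\bob\AppData\Local\Temp\abc12F.tmp"},
    {"host": "ws-03", "kind": "file", "value": r"C:\Users\bob\AppData\Local\Temp\setup.tmp"},
]

if __name__ == "__main__":
    for bucket, keys in triage(SAMPLE_EVENTS).items():
        print(bucket, keys)
```

Both domains used here are ordinary public services, which is why a lone DNS hit stays in the `single` bucket until a second indicator kind for the same family shows up on that host.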

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Downloader.Upatre-9645450-0 | Downloader | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Razy-9645560-0 | Malware | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Ransomware.Gandcrab-9645869-0 | Ransomware | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through traditional spam campaigns and multiple exploit kits, including Rig and Grandsoft.
Doc.Malware.Emotet-9733384-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Kovter-9651488-0 | Packed | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleared of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Packed.Dridex-9652753-1 | Packed | Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.

Threat Breakdown

Win.Downloader.Upatre-9645450-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
Mutexes | Occurrences
Yd9dH99P 35
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
66[.]199[.]229[.]251 2
5[.]149[.]250[.]99 2
204[.]79[.]197[.]200 1
Files and/or directories created | Occurrences
%TEMP%\koekuky.exe 34

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Malware.Razy-9645560-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: OYZjU6u8Rc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: OYZjU6u8Rc
1
Mutexes | Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
199[.]232[.]36[.]133 6
204[.]79[.]197[.]200 2
151[.]101[.]248[.]133 2
151[.]101[.]0[.]133 1
151[.]101[.]64[.]133 1
136[.]144[.]56[.]255 1
104[.]27[.]142[.]46 1
104[.]27[.]143[.]46 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
github[.]map[.]fastly[.]net 5
raw[.]githubusercontent[.]com 5
icanhazip[.]com 1
nusumu[.]wtf 1
Files and/or directories created | Occurrences
%LOCALAPPDATA%\Pic1fPBkmq 26
%LOCALAPPDATA%\Pic1fPBkmq\LOHejsSdpL.exe 26

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Ransomware.Gandcrab-9645869-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Mutexes | Occurrences
Global\<random guid> 26
Global\pc_group=WORKGROUP&ransom_id=b40e575273bd4a 1
Global\pc_group=WORKGROUP&ransom_id=b6be0ccc3ffd920b 1
Global\pc_group=WORKGROUP&ransom_id=9ce43cac1686595e 1
Global\pc_group=WORKGROUP&ransom_id=f65cd88d6027eb87 1
Global\pc_group=WORKGROUP&ransom_id=1daed71857822bd9 1
Global\pc_group=WORKGROUP&ransom_id=8f630cdf7a9334 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
66[.]171[.]248[.]178 5
5[.]39[.]221[.]60 5
204[.]79[.]197[.]200 2
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ipv4bot[.]whatismyipaddress[.]com 5
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe 6

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Doc.Malware.Emotet-9733384-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 77 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDDIV1
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCKHC
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCKHC
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHARMAP
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNETMON
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NDISCAPCFG
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NDISCAPCFG
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSRPC
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDCR
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WABSYNCPROVIDER
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WABSYNCPROVIDER
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SETIEINSTALLEDDATE
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WLANAPI
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WLANAPI
Value Name: Description
1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
149[.]202[.]5[.]139 58
81[.]169[.]145[.]74 22
118[.]110[.]236[.]121 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
rueckert-online[.]de 22
e13678[.]dspb[.]akamaiedge[.]net 9
Files and/or directories created | Occurrences
%HOMEPATH%\PS29B6C 77
%HOMEPATH%\PS29B6C\LSq3B_L 77
%HOMEPATH%\PS29B6C\LSq3B_L\Zvh5eanv.exe 77
%SystemRoot%\SysWOW64\vbscript 2
%SystemRoot%\SysWOW64\mfcm100u 1
%SystemRoot%\SysWOW64\txflog 1
%SystemRoot%\SysWOW64\dbgeng 1
%SystemRoot%\SysWOW64\SystemPropertiesHardware 1
%SystemRoot%\SysWOW64\odbccp32 1
%SystemRoot%\SysWOW64\dpnaddr 1
%SystemRoot%\SysWOW64\msscp 1
%SystemRoot%\SysWOW64\sberes 1
%SystemRoot%\SysWOW64\cscript 1
%SystemRoot%\SysWOW64\eappcfg 1
%SystemRoot%\SysWOW64\msidcrl30 1
%SystemRoot%\SysWOW64\wups 1
%SystemRoot%\SysWOW64\XpsPrint 1
%SystemRoot%\SysWOW64\batmeter 1
%SystemRoot%\SysWOW64\d3d8 1
%SystemRoot%\SysWOW64\tsbyuv 1
%SystemRoot%\SysWOW64\KBDFI1 1
%SystemRoot%\SysWOW64\samlib 1
%SystemRoot%\SysWOW64\INETRES 1

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Packed.Kovter-9651488-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
22
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
22
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
22
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableConfig
22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableSR
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\RATINGS
Value Name: .Default
22
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_AJAX_CONNECTIONEVENTS
Value Name: svchost.exe
22
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\WINDOWS
Value Name: þ
22
<HKLM>\SOFTWARE\WOW6432NODE\07771B47 22
<HKCU>\SOFTWARE\07771B47 22
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 3
22
<HKCU>\SOFTWARE\07771B47
Value Name: 3
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE 22
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_AJAX_CONNECTIONEVENTS 22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: pojuny
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: puxe
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: puxe
1
Mutexes | Occurrences
07771B47C1 22
07771B47C2 22
07771B47E1 22
7B73D8BAAD8790CDB372AEC775125CF3 22
07771B47 22
7AC86DF7C1 19
7AC86DF7C2 19
7AC86DF7 19
1E30DD8379DF09B367ED09AA989CD32A 19
046815C817A4259E72C1D93D13A618E2 1
7DF04EDA 1
<random, matching [a-fA-F0-9]{10}> 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 22

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Packed.Dridex-9652753-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
26
Mutexes | Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]217[.]12[.]238 26
104[.]23[.]99[.]190 15
104[.]23[.]98[.]190 9
172[.]217[.]197[.]100/31 8
204[.]79[.]197[.]200 6
172[.]217[.]197[.]138/31 6
72[.]21[.]81[.]240 5
172[.]217[.]197[.]113 5
172[.]217[.]197[.]102 2
205[.]185[.]216[.]42 2
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 26
ctldl[.]windowsupdate[.]com 8
cs11[.]wpc[.]v0cdn[.]net 5
cds[.]d2s7q6s2[.]hwcdn[.]net 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 25
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (16731)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (2528)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (2393)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Squiblydoo application whitelist bypass attempt detected. - (834)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Crystalbit-Apple DLL double hijack detected - (637)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (619)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Installcore adware detected - (274)
Installcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Trickbot malware detected - (264)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (230)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (203)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.