Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 11 and Sept. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness, and several of the network indicators below are listed under more than one unrelated family for exactly that reason. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
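The two paragraphs above describe how the IOC tables in this post are meant to be read: network indicators are defanged (`204[.]79[.]197[.]200`) and carry an occurrence count, host indicators use placeholders such as `<random, matching '[A-Z0-9]{6}'>` and location tokens such as `%TEMP%` or `<HKCU>`, and a single hit is not a verdict. The script below is an added example written for this page by the editor; it is not Talos code and not part of the original roundup. It parses a constructed excerpt of the tables in the flattened layout used here, refangs the network indicators, ranks matches against constructed log lines by occurrence count, and turns the placeholder notation into compiled regular expressions. The `%TEMP%`, `%APPDATA%` and `<HKCU>` expansions are the editor's assumptions about the usual on-disk and registry forms; the post itself only uses the tokens.

```python
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "category value occurrences")

# Constructed excerpt in the post's flattened "<indicator> <count>" layout.
# The indicators are copied from the tables below; the selection is the editor's.
ROUNDUP_TABLE = """\
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
119[.]59[.]124[.]163 9
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
kangawallafox[.]no-ip[.]biz 28
ip-api[.]com 24
"""


def refang(value):
    """Undo the post's defanging: '[.]' becomes '.'."""
    return value.replace("[.]", ".")


def parse_roundup_table(text):
    """Yield Indicator tuples from the flattened table.

    A line ending in 'Occurrences' (with or without a ' | ' separator; the
    extracted page has it both ways) starts a new category. Every other line
    is '<indicator> <count>', split on the last space so values may contain
    spaces.
    """
    category = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Occurrences"):
            category = line[: -len("Occurrences")].rstrip(" |")
            continue
        value, count = line.rsplit(" ", 1)
        yield Indicator(category, refang(value).lower(), int(count))


def match_network_log(indicators, log_lines):
    """Exact-match network IOCs against whitespace/punctuation-split log tokens.

    Returns (log line, Indicator) pairs, highest occurrence count first, so an
    indicator seen in 28 of 28 samples ranks above one the post lists once
    under several unrelated families (the 'does not indicate maliciousness'
    caveat made operational).
    """
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in log_lines:
        for token in re.split(r"[\s,;|]+", line):
            ioc = by_value.get(token.lower())
            if ioc is not None:
                hits.append((line, ioc))
    return sorted(hits, key=lambda h: h[1].occurrences, reverse=True)


# Host IOCs: the post writes variable parts as <random, matching '<regex>'>
# and locations as %TEMP%, %APPDATA%, <HKCU>. These expansions are the
# editor's assumptions about the usual on-disk and registry forms.
_TOKEN_REGEX = {
    "%TEMP%": r"(?:%TEMP%|[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp)",
    "%APPDATA%": r"(?:%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)",
    "<HKCU>": r"(?:<HKCU>|HKCU|HKEY_CURRENT_USER)",
}
_PLACEHOLDER = re.compile(r"<random, matching '?([^'>]+)'?>")


def _escape_with_tokens(literal):
    """Escape literal IOC text, then swap location tokens for their regexes."""
    out = re.escape(literal)
    for token, regex in _TOKEN_REGEX.items():
        out = out.replace(re.escape(token), regex)
    return out


def host_ioc_to_regex(ioc):
    """Compile a path or registry IOC written in the post's notation.

    Literal text is escaped, each placeholder's inner regex is inlined as-is,
    and location tokens get the alternatives above. Matching is
    case-insensitive because Windows paths and registry keys are; the post
    itself lists the same Remcos key as both 'Software\\Remcos-' and
    'SOFTWARE\\REMCOS-K4PF81'.
    """
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(ioc):
        parts.append(_escape_with_tokens(ioc[pos:m.start()]))
        parts.append(m.group(1))
        pos = m.end()
    parts.append(_escape_with_tokens(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def demo():
    """Run the network matcher over constructed DNS/proxy log lines."""
    log_lines = [  # constructed for this example, not real telemetry
        "2020-09-15T10:01:02Z host-a dns query kangawallafox.no-ip.biz",
        "2020-09-15T10:01:05Z host-b proxy connect 204.79.197.200 443",
        "2020-09-15T10:02:11Z host-c dns query www.example.com",
    ]
    return match_network_log(parse_roundup_table(ROUNDUP_TABLE), log_lines)


if __name__ == "__main__":
    for line, ioc in demo():
        print(f"{ioc.occurrences:>3} sample(s)  {ioc.value:<26} <- {line}")
```

Run as a script it prints the DarkComet domain first (28 of 28 samples) and the IP that this post lists once under Dridex, Arkei, DarkComet, Shiz and Xpiro alike second; that ordering is the triage signal. `host_ioc_to_regex` is what you would feed the Remcos registry keys or the `%TEMP%\<random, matching ...>.tmp` entries below into before searching an endpoint export; note that the inner regex from the placeholder is trusted verbatim, so only use it on IOC text you control.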

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.Dridex-9751859-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Packed.Emotet-9754668-0 | Packed | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Arkei-9753125-1 | Malware | Arkei is an information-stealing malware that collects sensitive information such as application passwords, credit card information and web browser cookies. It shares code with several other infostealers, including Oski and Vidar.
Win.Dropper.DarkComet-9755620-0 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine, contains mechanisms for persistence and hiding, and has the ability to send back usernames and passwords from the infected system.
Win.Dropper.Gandcrab-9752130-0 | Dropper | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB." Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Dropper.Shiz-9755163-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Virus.Xpiro-9752316-1 | Virus | Expiro (Xpiro) is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Trojan.Remcos-9753190-0 | Trojan | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Packed.Dridex-9751859-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
W8bT3oLapY 2
WpU89ohRmJ 2
XVWVRr0eLu 2
Xxn2a8ygYe 2
ZjqpofEZfc 2
ZrS1btYKZq 2
aAxVNiOJF0 2
aYfJQwDXY3 2
accIRfjKDU 2
d8kqQ0maDf 2
dYQ7et0ZhO 2
eJnnB8BJYH 2
fGeEp5mIxk 2
fpNjknXLM7 2
gPn1tSCTnQ 2
gjIc0j8UOb 2
hExr6TOoEf 2
hwy76ZMHFD 2
ilAKVjaHfj 2
j2GX2jiUCz 2
j3TWsRxeBl 2
jNgBdg50Pu 2
jfIOY8o3fu 2
kjmszMkz40 2
kx6o49zmuZ 2

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]l1dfgxkxax[.]com 2
www[.]l7ecrq8sqi[.]com 2
www[.]lfhpqzgo47[.]com 2
www[.]llf0iomjpr[.]com 2
www[.]ln2udj8aqa[.]com 2
www[.]m1lqaikjzv[.]com 2
www[.]n1xsj0frsj[.]com 2
www[.]njxkze3mfk[.]com 2
www[.]nlyyo2zioj[.]com 2
www[.]nmzcstsr4r[.]com 2
www[.]nusgibnqbu[.]com 2
www[.]o54gx35m8a[.]com 2
www[.]oe7opfnkwi[.]com 2
www[.]ol62yuibbo[.]com 2
www[.]oq7rtb10n3[.]com 2
www[.]p9f105wnqf[.]com 2
www[.]pyl9ctbal8[.]com 2
www[.]q4vx8y8ntz[.]com 2
www[.]q8mqxjeksc[.]com 2
www[.]qbgtvoyl3d[.]com 2
www[.]qbo2uxpz3f[.]com 2
www[.]ql8rwcy0ax[.]com 2
www[.]qnbzxolou4[.]com 2
www[.]qpzo2ewgpv[.]com 2
www[.]qustnblctg[.]com 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
\Device\ConDrv 25
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 25
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes

0591963bdc8a1d1c3c2f681608c777c8d378d6188d4c46eb95d817f2ff4ffaaf
080d3c469cee1b5c0b754ee06af13d74b806daadfc41880e5e56ddb11238e81a
08d92d0b47502ab6c4ee2ba9a3c6c2af1d18c551b22d9a82493f40b1806f5632
0ad8b4ac3287cd5919c5f1503e003c2f7a6137211f3c34c25ba32918ddeb96c2
117aecd7faab205043b82d2ae53555bb09f6f524e177b0586ac43e876e32a4a1
1498df550409a5ce6ac5feff3c55f4be4f6da6a5139ee990c5e5b595c6c65a59
16e155fcbdcd35cee206f8ce69b66fac7025493f9c788c135bd84e6eb617a25f
1a23d80d5d0c705f0523c1fb0b70d514e57e10f5d8ac587778d0fb388a361d18
1ae238b93956e5892bf1a93ed51664badbac58bbe29f6e8443b8b9965aa2e24f
22351498c586b2c1d17f6be262fa29190d08ec4b0f9cb2b89f46c5d81b6afd9b
23cfac48a78747379dc12c12062b327732fb7652db2ddf6fc37b6506494d107f
294bbe84b6d22f076473e78dd0a2ee05be046dcef2f29f5502e8b01403b909e6
2a4c65ddbbb81d41346d9b637d437adc8f823a8544a9e069644055431b6d5261
2abd1b19cf257412dd8ae25cd5d10235ed3b5d93e4ee33edccc0d66e00aac959
2ae0b7a2708e56b5ba4b548dede2e6688b4d4c0be7b4aa165493e23ba21d3cfb
2e5aa16772cf1ec1158d71f056ce9e4783626f2a6e6bae67238bd8ab9115d39e
2e7b45b65f15756357bebecd3388c5cc5c9e863cd9dc172e99643cfb4543095b
32397fe9b3cb30f46e0f53b1f107f50b599d5188ebf2a225a5168f533df28ff7
331f5f0a196ed77b67e5f347b95dc5aa72fa2bfe3bbeab03d264954cccf3e1f8
33385ef0198f6b6e2f48356e9cecbe2d45f90dc841f4fb31071a03c4f3d016bd
3522fb2daef2b26cfbe966d6d343f6f5a5b10f2c7f56b7bf3d42c7f25f913115
35d3ba26284bd63a347ddf3211075b8ec41d785bad6262ee55fc21e1ffb9a602
373a45dcfafcf653e8756b23512c22d50e30a1e11eef7ff776d2411adea66c8a
3e64558f2a588d3a5bfcc08baf8180439892dc9b4d12e722d570a535e49f0583
3f32cedb1c6dd76d6714d8ade744f477223200971a24bf074d64746ef6ce9f1a

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Emotet-9754668-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: msdb11871887.exe
9
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\BOX 9
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\BOX\379C74EC6 9
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\BOX\379C74EC7 9
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\AUDIO\BOX\379C74EC8 9
Mutexes | Occurrences
379c74ec4 9
log$ 9
4041 9
4042 9
44c1 9
44c2 9
15c1 9
15c2 9
ae9c3d884 7
48c2 2
48c1 2
3f42 2
3f41 2
8602 1
8042 1
8041 1
87c2 1
61c2 1
6f82 1
87c1 1
6f81 1
61c1 1
8681 1
8682 1
5f81 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
119[.]59[.]124[.]163 9
200[.]159[.]128[.]132 9
158[.]255[.]238[.]209 9
202[.]44[.]54[.]3 9
162[.]144[.]88[.]73 9
88[.]208[.]228[.]111 9
158[.]255[.]238[.]18 9
200[.]159[.]128[.]6 9
162[.]144[.]35[.]78 9
197[.]85[.]182[.]110 9
103[.]228[.]200[.]37 9
198[.]1[.]122[.]176 9
103[.]228[.]200[.]47 9
103[.]245[.]153[.]70 9
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\msdb11871887.exe 9
%TEMP%\12e041cd~ 9
%TEMP%\13040a63~ 7
%APPDATA%\Microsoft\msdb11a852c9.exe 7
%TEMP%\8539723~.bat 2
%TEMP%\WAX755A.tmp 1
%TEMP%\7989841~.bat 1
%TEMP%\3518204~.bat 1
%TEMP%\478354~.bat 1
%TEMP%\2428093~.bat 1
%TEMP%\4895754~.bat 1
%TEMP%\9004503~.bat 1
%TEMP%\2162358~.bat 1
%TEMP%\8347923~.bat 1
%TEMP%\5894354~.bat 1
%TEMP%\3398296~.bat 1
%TEMP%\3830542~.bat 1
%TEMP%\1336681~.bat 1
%TEMP%\2165319~.bat 1
%TEMP%\8514319~.bat 1
%TEMP%\WAX2D32.tmp 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Arkei-9753125-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 40 samples
Mutexes | Occurrences
Global\<random guid> 40
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
208[.]95[.]112[.]1 24
5[.]79[.]66[.]145 5
195[.]24[.]68[.]22 3
23[.]3[.]13[.]154 2
204[.]79[.]197[.]200 1
72[.]21[.]81[.]240 1
173[.]194[.]68[.]94 1
172[.]217[.]197[.]113 1
172[.]217[.]197[.]101 1
199[.]59[.]242[.]150 1
92[.]119[.]113[.]254 1
172[.]217[.]197[.]84 1
209[.]85[.]232[.]94 1
172[.]217[.]222[.]94 1
173[.]194[.]7[.]107 1
173[.]194[.]184[.]233 1
173[.]194[.]53[.]199 1
74[.]125[.]155[.]202 1
74[.]125[.]155[.]216 1
173[.]194[.]66[.]95 1
173[.]194[.]7[.]60 1
173[.]194[.]184[.]169 1
173[.]194[.]184[.]42 1
142[.]250[.]64[.]100 1
194[.]135[.]85[.]231 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ip-api[.]com 24
oz-n[.]ru 16
www[.]zzz[.]com[.]ua 7
www[.]mintme[.]com 7
minerbtcoin[.]ru 7
api[.]w[.]org 3
gmpg[.]org 3
adminpc[.]ru 3
ctldl[.]windowsupdate[.]com 2
a767[.]dscg3[.]akamai[.]net 2
mega-anal[.]site 2
webbserfer[.]ru 2
ispsystem[.]com 1
11776[.]bodis[.]com 1
whxami[.]h1n[.]ru 1
azller[.]zzz[.]com[.]ua 1
brostospher[.]online 1
logover[.]info 1
fastloads[.]ru 1
ark[.]bsdfksbdfj[.]pw 1
cracking[.]zzz[.]com[.]ua 1
mistpark[.]ga 1
zews[.]tech 1
68[.]zzz[.]com[.]ua 1
1[.]ak1ba[.]pro 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\files 40
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\files\autofill.log 40
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\files\cookies.log 40
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\files\cvv.log 40
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\files\passwords.log 40
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5 40
%APPDATA%\ARKEI-D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\<original file name>.exe 40
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\Administrator24e2b309-1719-4436-b195-573e7cb0f5b1.zip 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\Desktop.zip 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\autofill.log 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\cookies.log 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\cvv.log 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\information.log 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\passwords.log 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\files\screenshot.bmp 33
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\ipconfig.txt 33
%APPDATA%\ARKEI-24E2B309-1719-4436-B195-573E7CB0F5B1\<original file name>.exe 33
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 15
%APPDATA%\Arkei-d19ab989-a35f-4710-83df-7b2db7efe7c5\sqlite3.dll 13
%APPDATA%\Arkei-24e2b309-1719-4436-b195-573e7cb0f5b1\sqlite3.dll 11
%APPDATA%\Arkei-8f793a96-da80-4751-83f9-b23d8b735fb1\files\autofill.log 3
%APPDATA%\Arkei-8f793a96-da80-4751-83f9-b23d8b735fb1\files\cookies.log 3
%APPDATA%\Arkei-8f793a96-da80-4751-83f9-b23d8b735fb1\files\cvv.log 3
%APPDATA%\Arkei-8f793a96-da80-4751-83f9-b23d8b735fb1\files\passwords.log 3
%APPDATA%\ARKEI-8F793A96-DA80-4751-83F9-B23D8B735FB1\<original file name>.exe 3

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.DarkComet-9755620-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 28
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WinShield
28
Mutexes | Occurrences
DC_MUTEX-LC5Y2B3 28
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
kangawallafox[.]no-ip[.]biz 28
Files and/or directories created | Occurrences
%APPDATA%\dclogs 28
%APPDATA%\Windows Shield 28
%APPDATA%\Windows Shield\WinSh.exe 28
%TEMP%\URQUH.bat 2
%TEMP%\URQUH.txt 2
%TEMP%\CTKIT.txt 1
%TEMP%\MXUAS.bat 1
%TEMP%\SFGCA.txt 1
%TEMP%\MXUAS.txt 1
%TEMP%\KPMAM.bat 1
%TEMP%\OSNUJ.bat 1
%TEMP%\WCUYT.bat 1
%TEMP%\HYUVI.bat 1
%TEMP%\UGOGX.bat 1
%TEMP%\KPMAM.txt 1
%TEMP%\MLTKU.bat 1
%TEMP%\MLTKU.txt 1
%TEMP%\LHGTA.bat 1
%TEMP%\OSNUJ.txt 1
%TEMP%\HYUVI.txt 1
%TEMP%\WCUYT.txt 1
%TEMP%\UGOGX.txt 1
%TEMP%\LHGTA.txt 1
%TEMP%\EAOUN.bat 1
%TEMP%\SAGDR.bat 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Gandcrab-9752130-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\KEYS_DATA 6
<HKCU>\SOFTWARE\KEYS_DATA\DATA 6
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: public
6
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: private
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\system32\rundll32.exe
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\YJSSYGN
Value Name: Impersonate
1
Mutexes | Occurrences
Global\8B5BAAB9E36E4507C5F5.lock 6
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A 3
24e2b309-1719-4436-b195-573e7cb0f5b1{e161a13c-26f1-11e5-93ca-806e6f6e6963} 3
10853E93BDB42AC8C03259A196091EB198B68E3C 2
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 1
{FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 1
A9ZLO3DAFRVH1WAE 1
AhY93G7iia 1
B81XZCHO7OLPA 1
BSKLZ1RVAUON 1
F-DAH77-LLP 1
FURLENTG3a 1
FstCNMutex 1
GJLAAZGJI156R 1
I-103-139-900557 1
J8OSEXAZLIYSQ8J 1
LXCV0IMGIXS0RTA1 1
MKS8IUMZ13NOZ 1
OLZTR-AFHK11 1
OPLXSDF19WRQ 1
PLAX7FASCI8AMNA 1
RGT70AXCNUUD3 1
TEKL1AFHJ3 1
TXA19EQZP13A6JTR 1
VSHBZL6SWAG0C 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
87[.]236[.]16[.]31 6
217[.]160[.]0[.]234 6
92[.]53[.]96[.]201 6
213[.]186[.]33[.]3 6
50[.]87[.]58[.]165 6
204[.]11[.]56[.]48 6
23[.]236[.]62[.]147 6
217[.]70[.]184[.]50 6
52[.]58[.]78[.]16 6
109[.]74[.]157[.]147 6
39[.]107[.]34[.]197 6
178[.]238[.]37[.]163 6
213[.]186[.]33[.]5 5
192[.]35[.]177[.]64 5
89[.]252[.]187[.]72 5
202[.]43[.]45[.]181 5
67[.]227[.]157[.]167 5
69[.]163[.]193[.]127 5
194[.]154[.]192[.]67 5
192[.]185[.]122[.]252 5
217[.]160[.]0[.]27 5
66[.]96[.]147[.]103 5
171[.]244[.]34[.]167 5
45[.]118[.]145[.]96 5
217[.]174[.]149[.]130 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]macartegrise[.]eu 6
bellytobabyphotographyseattle[.]com 6
www[.]wash-wear[.]com 6
boatshowradio[.]com 6
www[.]perfectfunnelblueprint[.]com 6
perovaphoto[.]ru 6
www[.]cakav[.]hu 6
goodapd[.]website 6
www[.]fabbfoundation[.]gm 6
alem[.]be 6
oceanlinen[.]com 6
6chen[.]cn 6
asl-company[.]ru 6
wpakademi[.]com 6
dna-cp[.]com 6
www[.]mimid[.]cz 6
acbt[.]fr 6
cevent[.]net 6
pp-panda74[.]ru 6
www[.]poketeg[.]com 6
nesten[.]dk 5
koloritplus[.]ru 5
tommarmores[.]com[.]br 5
www[.]lagouttedelixir[.]com 5
h5s[.]vn 5

*See JSON for more IOCs

Files and/or directories created | Occurrences
\$Recycle.Bin\KRAB-DECRYPT.txt 6
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\KRAB-DECRYPT.txt 6
\KRAB-DECRYPT.txt 6
%HOMEPATH%\AppData\KRAB-DECRYPT.txt 6
%HOMEPATH%\Documents\OneNote Notebooks\KRAB-DECRYPT.txt 6
%HOMEPATH%\Documents\OneNote Notebooks\Notes\KRAB-DECRYPT.txt 6
%HOMEPATH%\Documents\OneNote Notebooks\Personal\KRAB-DECRYPT.txt 6
%HOMEPATH%\Documents\Outlook Files\KRAB-DECRYPT.txt 6
%HOMEPATH%\Downloads\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\Links for United States\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\Links\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\MSN Websites\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\Microsoft Websites\KRAB-DECRYPT.txt 6
%HOMEPATH%\Favorites\Windows Live\KRAB-DECRYPT.txt 6
%HOMEPATH%\KRAB-DECRYPT.txt 6
%HOMEPATH%\Links\KRAB-DECRYPT.txt 6
%HOMEPATH%\Saved Games\KRAB-DECRYPT.txt 6
%HOMEPATH%\Searches\KRAB-DECRYPT.txt 6
\Users\Default\AppData\KRAB-DECRYPT.txt 6
\Users\Default\AppData\Local\KRAB-DECRYPT.txt 6
\Users\Default\AppData\Local\Microsoft\KRAB-DECRYPT.txt 6
\Users\Default\AppData\Local\Temp\KRAB-DECRYPT.txt 6
\Users\Default\AppData\Roaming\KRAB-DECRYPT.txt 6
\Users\Default\AppData\Roaming\Media Center Programs\KRAB-DECRYPT.txt 6

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Win.Dropper.Shiz-9755163-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
6
<HKLM>\SOFTWARE\CLASSES\CLSID
Value Name: C9714A5B
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
4
<HKLM>\SOFTWARE\CLASSES\CLSID
Value Name: c971486e
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 2
<HKLM>\SYSTEM\CONTROLSET002\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: EnabledV8
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: ShownServiceDownBalloon
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY
Value Name: ClearBrowsingHistoryOnExit
1
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 1
<HKCU>\SOFTWARE\MICROSOFT WINDOWS 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AppDataLow
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: AppDataLow
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: AppDataLow
1
<HKLM>\SYSTEM\CONTROLSET002\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: AppDataLow
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AppDataLow
1
Mutexes | Occurrences
Global\MicrosoftSysenterGate7 4
Global\C9714A4D 4
internal_wufex_0x0000015c 4
internal_wufex_0x00000404 4
internal_wufex_0x0000044c 4
/<Free_Software>\ 2
internal_wufex_0x00000650 2
zXeRY3a_PtW|00000000 1
Global\d5a23261-f30b-11ea-887e-00501e3ae7b6 1
Global\dd701f21-f30b-11ea-887e-00501e3ae7b6 1
Global\heshs43eh45eh 1
Global\1Y7Q9G1OOOGUYW7S1uKYyEM1UUGA77U 1
Global\heshs43eh45eu 1
Global\kMwuKkoEA5kqEsGkAs7qGKA7I9KAa 1
internal_wufex_0x00000488 1
internal_wufex_0x000007b4 1
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
208[.]100[.]26[.]245 4
13[.]107[.]21[.]200 3
208[.]91[.]197[.]46 2
208[.]91[.]196[.]175 2
204[.]79[.]197[.]200 1
175[.]126[.]123[.]219 1
104[.]124[.]102[.]29 1
176[.]65[.]157[.]89 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
xuhifad[.]info 4
xuhihuj[.]info 4
xuhisyr[.]info 4
xuhynox[.]info 4
xuhypid[.]info 4
xuhyqun[.]info 4
xuhyrar[.]info 4
xulanin[.]info 4
xulapuj[.]info 4
xulaqyr[.]info 4
xularod[.]info 4
xulivar[.]info 4
xulixyn[.]info 4
xulizix[.]info 4
xulyfoj[.]info 4
xulyhux[.]info 4
xulysed[.]info 4
xuqanej[.]info 4
xuqaqox[.]info 4
xuqavud[.]info 4
xuqaxar[.]info 4
xuqihan[.]info 4
xuqikir[.]info 4
xuqizyd[.]info 4
xuqyfyr[.]info 4

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\-1732866500.dll 2
%TEMP%\71E6.tmp 1
%TEMP%\CF76.tmp 1
%TEMP%\tmp841ba49d.bat 1
%APPDATA%\Evgeo 1
%APPDATA%\Evgeo\owxaw.adv 1
%APPDATA%\Nife 1
%APPDATA%\Nife\wudio.exe 1
%APPDATA%\Ocboun 1
%APPDATA%\Ocboun\ewpu.fys 1
\g4fweq23.Bi 1
\g4fweq23.Bi\40842F38457.exe 1
%TEMP%\YU3C1A1.exe 1
%TEMP%\YU3C1A1.tmp 1
\g4fweq23.Bi\963FDA58DDD9E7E 1
%TEMP%\E547.tmp 1
%TEMP%\C4CC.tmp 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Virus.Xpiro-9752316-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
16
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\ACCESSIBILITY, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\CUSTOMMARSHALERS, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\MICROSOFT.VISUALBASIC, VERSION=10.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\MSCORLIB, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\PRESENTATIONCORE, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=31BF3856AD364E35\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\PRESENTATIONFRAMEWORK, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=31BF3856AD364E35\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\PRESENTATIONFRAMEWORK.AERO, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=31BF3856AD364E35\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.CONFIGURATION, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.CONFIGURATION.INSTALL, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.CORE, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.DATA, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.DIRECTORYSERVICES, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.DRAWING, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.MANAGEMENT, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.RUNTIME.REMOTING, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.SERVICEPROCESS, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.TRANSACTIONS, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.WEB.SERVICES, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B03F5F7F11D50A3A\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.WINDOWS.FORMS, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.XAML, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\SYSTEM.XML, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=B77A5C561934E089\1
Value Name: RuntimeVersion
16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\ROOTS\WINDOWSBASE, VERSION=4.0.0.0, CULTURE=NEUTRAL, PUBLICKEYTOKEN=31BF3856AD364E35\1
Value Name: RuntimeVersion
16
Mutexes | Occurrences
kkq-vx_mtx1 16
kkq-vx_mtx64 16
kkq-vx_mtx65 16
kkq-vx_mtx66 16
kkq-vx_mtx67 16
kkq-vx_mtx68 16
kkq-vx_mtx69 16
kkq-vx_mtx70 16
kkq-vx_mtx71 16
kkq-vx_mtx72 16
kkq-vx_mtx73 16
kkq-vx_mtx74 16
kkq-vx_mtx75 16
kkq-vx_mtx76 16
kkq-vx_mtx77 16
kkq-vx_mtx78 16
kkq-vx_mtx79 16
kkq-vx_mtx80 16
kkq-vx_mtx81 16
kkq-vx_mtx82 16
kkq-vx_mtx83 16
kkq-vx_mtx84 16
kkq-vx_mtx85 16
kkq-vx_mtx86 16
kkq-vx_mtx87 16

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
Files and/or directories created | Occurrences
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 16
%System32%\FXSSVC.exe 16
%System32%\UI0Detect.exe 16
%System32%\ieetwcollector.exe 16
%System32%\msdtc.exe 16
%System32%\msiexec.exe 16
%System32%\snmptrap.exe 16
%System32%\sppsvc.exe 16
%System32%\wbengine.exe 16
%SystemRoot%\ehome\ehrecvr.exe 16
%SystemRoot%\ehome\ehsched.exe 16
%CommonProgramFiles%\Microsoft Shared\ink\ighnagcm.tmp 16
%CommonProgramFiles%\Microsoft Shared\ink\iibndipn.tmp 16
%CommonProgramFiles%\Microsoft Shared\ink\jiianoje.tmp 16
%ProgramFiles%\Java\jre7\bin\kefbfhkg.tmp 16
%ProgramFiles%\Java\jre7\bin\kfefgkli.tmp 16
%ProgramFiles%\Java\jre7\bin\qfemblig.tmp 16
%ProgramFiles%\Java\jre6\bin\cpkcoelj.tmp 16
%ProgramFiles%\Java\jre7\bin\nlfifejp.tmp 16
%ProgramFiles%\7-Zip\dklkkafp.tmp 16
%ProgramFiles%\7-Zip\klonohhl.tmp 16
%ProgramFiles%\7-Zip\nklemblo.tmp 16
%ProgramFiles%\7-Zip\nnknaeep.tmp 16
%CommonProgramFiles%\Microsoft Shared\MSInfo\gakpqfhp.tmp 16
%CommonProgramFiles%\Microsoft Shared\OFFICE14\nimidobm.tmp 16

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Remcos-9753190-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
Registry Keys | Occurrences
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> 15
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: exepath
15
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: licence
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Remcos
9
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: WD
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BEService
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Remcos
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: termsrvs
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: termsrvs
1
<HKCU>\SOFTWARE\GERNAROL-M1U559
Value Name: exepath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
1
<HKCU>\SOFTWARE\CDG4@GJ^%8@1DGRZX0-XAJ90W
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ros
1
<HKCU>\SOFTWARE\REMCOS-K4PF81
Value Name: Inj
1
<HKCU>\SOFTWARE\WINLOGON-7WX0RC 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winlogon
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winlogon
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: winlogon
1
<HKCU>\SOFTWARE\WINLOGON-7WX0RC
Value Name: exepath
1
<HKCU>\SOFTWARE\WINLOGON-7WX0RC
Value Name: licence
1
<HKCU>\SOFTWARE\WINLOGON-7WX0RC
Value Name: WD
1
<HKCU>\SOFTWARE\BUDDHA-UL8D7Q 1
Mutexes (Occurrences)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
Files and/or directories created (Occurrences)
%TEMP%\install.vbs 17
%APPDATA%\Remcos 10
%APPDATA%\remcos\logs.dat 8
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 8
%APPDATA%\Remcos\remcos.exe 5
%APPDATA%\Screenshots 4
%APPDATA%\MicRecords 2
%APPDATA%\Battleye 2
%APPDATA%\Battleye\Beservice.exe 2
%APPDATA%\winlogon 1
%APPDATA%\Java\logs.dat 1
%APPDATA%\winlogon\winlogon.exe 1
%APPDATA%\logs\logs.dat 1
%APPDATA%\temp\logs.dat 1
%APPDATA%\WindowsUpdateConfig- 1
%APPDATA%\config-ssh 1
%APPDATA%\config-ssh\logs.dat 1
%TEMP%\Winzr 1
%TEMP%\Winzr\Winzr.exe 1
%APPDATA%\doc\doc1of2.dat 1
%APPDATA%\ConfigWindows 1
%APPDATA%\ConfigWindows\notepat.exe 1
%APPDATA%\Doc\doc1of2.exe 1
%APPDATA%\cos\rem.exe 1
%HOMEPATH%\remcos 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits rely on certain techniques to bypass typical anti-virus software, but they were blocked by AMP's scanning capabilities, which also protect against zero-day vulnerabilities.

Dealply adware detected - (5876)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Process hollowing detected - (4104)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with the unpacked contents from the parent instead.
Excessively long PowerShell command detected - (3413)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
CVE-2019-0708 detected - (2464)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (575)
A Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected - (558)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Installcore adware detected - (390)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (326)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Trickbot malware detected - (295)
Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Gamarue malware detected - (104)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.