Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 23 and Oct. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description
Doc.Downloader.Emotet-9781906-1 (Downloader): Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Zusy-9783138-0 (Trojan): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Dridex-9783334-1 (Packed): Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Worm.Gamarue-9781588-0 (Worm): Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Trojan.DarkComet-9781595-0 (Trojan): DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Ransomware.Cerber-9783078-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Dropper.NetWire-9781821-0 (Dropper): NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Ramnit-9783386-0 (Malware): Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.LokiBot-9783471-0 (Dropper): Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Threat Breakdown

Doc.Downloader.Emotet-9781906-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
IP Addresses contacted by malware (does not indicate maliciousness): see JSON
Domain Names contacted by malware (does not indicate maliciousness): see JSON
Files and/or directories created (Occurrences)
%HOMEPATH%\Ib5wcmj 29
%HOMEPATH%\Ib5wcmj\S76lego 29
%HOMEPATH%\Ib5wcmj\S76lego\V7qijxbn2.exe 29
%HOMEPATH%\Tnwkyvd 1
%HOMEPATH%\Tnwkyvd\Rzr9729 1
%HOMEPATH%\Tnwkyvd\Rzr9729\Lr8xwzk5t.dll 1

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK

Win.Trojan.Zusy-9783138-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: shell
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
14
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB 5
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB
Value Name: 1152x864x32(BGR 0)
5
<HKCU>\SOFTWARE\WINRAR 2
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 2
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NvCplWow64
2
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: q
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\PROVIDERS\EVENTLOG\{01979C6A-42FA-414C-B8AA-EEE2C8202018}
Value Name: LastKnownState
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\PROVIDERS\EVENTLOG\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}
Value Name: LastKnownState
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\PROVIDERS\EVENTLOG\{945A8954-C147-4ACD-923F-40C45405A658}
Value Name: LastKnownState
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S1863976
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S433451
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S7917121
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S93753
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S1485975
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S1578498
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S98148193
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: S95106110
1
Mutexes (Occurrences)
Local\MSCTF.Asm.MutexMyDesktop1 5
Local\MSCTF.CtfMonitorInstMutexMyDesktop1 5
UFR3 1
UACMutexxxxx 1
UPDATE__ 1
Local\{FC1598C2-51AC-3064-B0DB-AEA399D273CB} 1
Local\{D7B3FDF3-349D-1BC2-B0DB-AEA399D273CB} 1
Local\{FC1598C1-51AF-3064-B0DB-AEA399D273CB} 1
MAIN_575583278 1
BACKUP_575583278 1
GLOBAL\{<random GUID>} 1
IP Addresses contacted by malware (does not indicate maliciousness) (Occurrences)
94[.]100[.]180[.]160 1
204[.]79[.]197[.]200 1
160[.]72[.]43[.]240 1
Domain Names contacted by malware (does not indicate maliciousness): see JSON
Files and/or directories created (Occurrences)
%APPDATA%\skype.dat 5
%APPDATA%\skype.ini 5
%APPDATA%\Microsoft Corporation 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\qw2jd.exe 2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 2
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 2
\TEMP\ufr_reports 1
%APPDATA%\Microsoft Corporation\webid.emo 1
%TEMP%\1067368434.bat 1
\TEMP\ufr_reports\NO_PWDS_report_25-10-2020_06-43-32-11B0A35710D760E40567A55CF3411F9E-LHON.bin 1
%TEMP%\report_25-10-2020_06-43-32-11B0A35710D760E40567A55CF3411F9E-LHON.bin 1
%TEMP%\NO_PWDS_report_25-10-2020_06-43-32-11B0A35710D760E40567A55CF3411F9E-LHON.bin 1
%APPDATA%\575583278 1
%APPDATA%\Microsoft Corporation\rasRes.po 1
%TEMP%\tmpe730cf78.bat 1
%APPDATA%\Ogag 1
%APPDATA%\Ogag\pyga.exe 1
%APPDATA%\Xiev 1
%APPDATA%\Xiev\otyd.kah 1
%TEMP%\1067358263.bat 1
%TEMP%\NO_PWDS_report_25-10-2020_06-53-33-24A511FDDE70B159AAEB7EB3DA92FBEA-NHON.bin 1
%TEMP%\NO_PWDS_report_25-10-2020_06-53-33-24A511FDDE70B159AAEB7EB3DA92FBEA-NHON.bin (copy) 1
%TEMP%\report_25-10-2020_06-53-33-24A511FDDE70B159AAEB7EB3DA92FBEA-NHON.bin 1
\ufr_reports\NO_PWDS_report_25-10-2020_06-53-33-24A511FDDE70B159AAEB7EB3DA92FBEA-NHON.bin 1

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK

Win.Packed.Dridex-9783334-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
Mutexes (Occurrences)

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness): see JSON
Domain Names contacted by malware (does not indicate maliciousness): see JSON

Files and/or directories created (Occurrences)
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK

Win.Worm.Gamarue-9781588-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412
13
Mutexes (Occurrences)
2562100796 13
lol 13
Global\0cb96421-147d-11eb-887e-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) (Occurrences)
40[.]70[.]224[.]146 13
99[.]86[.]230[.]122 1
Domain Names contacted by malware (does not indicate maliciousness) (Occurrences)
windows-online[.]org 10
update[.]microsoftcom[.]org 3
Files and/or directories created (Occurrences)
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 14
%ProgramData%\Local Settings 13
%ProgramData%\Local Settings\Temp 13
%ProgramData%\Local Settings\Temp\msioizi.scr 1
%ProgramData%\Local Settings\Temp\msitayvm.pif 1
%ProgramData%\Local Settings\Temp\mshfra.bat 1
%ProgramData%\Local Settings\Temp\msziubvuf.exe 1
%ProgramData%\Local Settings\Temp\mscwxwa.com 1
%ProgramData%\Local Settings\Temp\msbuuu.com 1
%ProgramData%\Local Settings\Temp\msofwe.cmd 1
%ProgramData%\Local Settings\Temp\msbaow.exe 1
%ProgramData%\Local Settings\Temp\msbxck.com 1
%ProgramData%\Local Settings\Temp\mscqpy.bat 1
%ProgramData%\Local Settings\Temp\mswuxfovo.cmd 1
%ProgramData%\Local Settings\Temp\msiqfufi.exe 1
%ProgramData%\Local Settings\Temp\msukunxua.exe 1
%TEMP%\WER5F3.tmp.WERInternalMetadata.xml 1

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images): AMP, ThreatGrid, MITRE ATT&CK

Win.Trojan.DarkComet-9781595-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\DC3_FEXEC 6
<HKCU>\SOFTWARE\ASPROTECT 3
<HKCU>\SOFTWARE\ASPROTECT\SPECDATA 3
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{747FAA95-5D00-4EA1-9F1F-035D2A88FDA4} 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{747FAA95-5D00-4EA1-9F1F-035D2A88FDA4}\PROXYSTUBCLSID32 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{747FAA95-5D00-4EA1-9F1F-035D2A88FDA4}\TYPELIB 2
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2935849A-3F6A-4DF8-8395-CF9AB3BE1835} 2
<HKLM>\SOFTWARE\CLASSES\VAXSIPUSERAGENTOCX.VAXSIPUSERAGENTOCXCTRL.1 2
<HKLM>\SOFTWARE\CLASSES\VAXSIPUSERAGENTOCX.VAXSIPUSERAGENTOCXCTRL.1\CLSID 2
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2935849A-3F6A-4DF8-8395-CF9AB3BE1835}\CONTROL 2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{148188FB-A6D9-48BC-AE37-65786376CD8E}\1.0 2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{148188FB-A6D9-48BC-AE37-65786376CD8E}\1.0\FLAGS 2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{148188FB-A6D9-48BC-AE37-65786376CD8E}\1.0\0\WIN32 2
<HKLM>\SOFTWARE\CLASSES\TYPELIB\{148188FB-A6D9-48BC-AE37-65786376CD8E}\1.0\HELPDIR 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{9858F01E-3474-40B6-996B-7867195B6A6C} 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{9858F01E-3474-40B6-996B-7867195B6A6C}\PROXYSTUBCLSID32 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{9858F01E-3474-40B6-996B-7867195B6A6C}\TYPELIB 2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{9858F01E-3474-40B6-996B-7867195B6A6C}\TYPELIB
Value Name: Version
2
<HKLM>\SOFTWARE\CLASSES\INTERFACE\{747FAA95-5D00-4EA1-9F1F-035D2A88FDA4}\TYPELIB
Value Name: Version
2
Mutexes (Occurrences)
DC_MUTEX-9DFRKQ7 6
--((BAN))-- 2
BatVoip 1
SUA41015F7B117446e4BED6587B760E3831 1
IP Addresses contacted by malware (does not indicate maliciousness): see JSON
Domain Names contacted by malware (does not indicate maliciousness): see JSON
Files and/or directories created (Occurrences)
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\CONFIG.lnk 10
%APPDATA%\Microsoft\Internet Explorer\ACS.COM 8
%APPDATA%\Microsoft\Internet Explorer\ACS.HTT 8
%APPDATA%\Microsoft\Internet Explorer\lol.cmd 7
%APPDATA%\Microsoft\Internet Explorer\lol.vbs 7
%APPDATA%\dclogs 6
%APPDATA%\Microsoft\Internet Explorer\sip.exe 6
%APPDATA%\Microsoft\Internet Explorer\aspr_keys.ini 3
%APPDATA%\Microsoft\Internet Explorer\libsipnative.dll 3
%HOMEPATH%\Desktop\eyeBeam.lnk 2
%HOMEPATH%\tmp\ijpm.com 2
%HOMEPATH%\tmp\CONFIG.VBS 2
%HOMEPATH%\tmp\start.cmd 2
%APPDATA%\Microsoft\Internet Explorer\Sip_Tool.exe 2
%HOMEPATH%\tmp\ lol.vbs 2
%HOMEPATH%\tmp\15126.NPY 2
%HOMEPATH%\tmp\2929303.vbe 2
%HOMEPATH%\tmp\61396.GOF 2
%ProgramFiles(x86)%\V-Lite\unins000.dat 2
%HOMEPATH%\tmp\6906121.RID 2
%ProgramData%\Microsoft\Windows\Start Menu\Programs\V-Lite\Uninstall V-Lite.lnk 2
%ProgramData%\Microsoft\Windows\Start Menu\Programs\V-Lite\V-Lite.lnk 2
%HOMEPATH%\tmp\axc.vbe 2
%HOMEPATH%\tmp\ijpm.sys 2
%HOMEPATH%\tmp\start 2

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images): AMP, ThreatGrid, Malware, MITRE ATT&CK

Win.Ransomware.Cerber-9783078-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 93 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
91
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
91
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: SuperHidden
91
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 91
<HKCU>\PRINTERS\DEFAULTS 91
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Installed
45
<HKCR>\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
Value Name: LanguageList
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY
Value Name: Services
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FlashPlayerApp
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dnscacheugc
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: dnscacheugc
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xpsrchvw
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: DWWIN
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: takeown
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: java
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: java
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: sdbinst
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wuapp
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: odbcconf
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: odbcconf
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mcbuilder
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mcbuilder
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cmdkey
2
Mutexes (Occurrences)
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 91
GeneratingSchemaGlobalMapping 35
cversions.1.m 16
cversions.2.m 16
shell.{<random GUID>} 12
Local\InternetShortcutMutex 3
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} 2
IP Addresses contacted by malware (does not indicate maliciousness): see JSON
Domain Names contacted by malware (does not indicate maliciousness): see JSON
Files and/or directories created (Occurrences)
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 91
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_00 91
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_01 91
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Component_03 91
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\# DECRYPT MY FILES #.url 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\# DECRYPT MY FILES #.vbs 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.url 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.vbs 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.html 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.txt 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.url 45
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\# DECRYPT MY FILES #.vbs 45
\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html 45
\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt 45
\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url 45
\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs 45
\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html 45
\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt 45
\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.url 45
\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbs 45
\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.html 45
\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt 45
\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.url 45

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product / Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection (images): AMP, ThreatGrid, Umbrella, Malware, MITRE ATT&CK

Win.Dropper.NetWire-9781821-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 212 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Google Chrome ®
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{PFD888J8-2MA5-M2T1-QRF4-66B3AGM2UJTB} 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Google
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: crsss
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{PFD888J8-2MA5-M2T1-QRF4-66B3AGM2UJTB}
Value Name: StubPath
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4OOD3SLU-1H77-1W64-FXF7-2OBEY2TA6336} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4OOD3SLU-1H77-1W64-FXF7-2OBEY2TA6336}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{YPKM6NA0-5101-UXX3-2URL-438R8JQ2I7W5} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{E65M024V-7LD5-8SW6-20OX-S56I02BYG2W6} 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AdobeRX0
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{E65M024V-7LD5-8SW6-20OX-S56I02BYG2W6}
Value Name: StubPath
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{R05YIYX2-V032-65C5-060Y-IOS52WT081E5} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4S8WYDXY-B1CG-NO66-FMVM-72C8WXM156GP} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{OB8V6U3R-X123-SYUA-116E-4UF6HJ3K8EB0} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{68U63KX2-4150-PO37-0R2D-6J8SU5HHBNX5}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{J425YD62-7024-1X6Q-J4RN-37P4YVF5708X} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SophosScan
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{J425YD62-7024-1X6Q-J4RN-37P4YVF5708X}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{46X25B7E-T07O-4IM1-60R4-MKJVT8VOY724} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AdobeXR0
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{46X25B7E-T07O-4IM1-60R4-MKJVT8VOY724}
Value Name: StubPath
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{DUOUPKL7-57QL-PLK0-02M8-NX2N0VX0AK32} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Local
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{DUOUPKL7-57QL-PLK0-02M8-NX2N0VX0AK32}
Value Name: StubPath
1
Mutexes (Occurrences)
- 100
<random, matching [a-zA-Z0-9]{5,9}> 94
f„èŒJÂÜø 2
êå]²¸¤ 1
IP Addresses contacted by malware (does not indicate maliciousness): see JSON

Domain Names contacted by malware (does not indicate maliciousness): see JSON

Files and/or directories created (Occurrences)

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Ramnit-9783386-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys    Occurrences
Mutexes    Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences

*See JSON for more IOCs

Files and or directories created    Occurrences

*See JSON for more IOCs

File Hashes
Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Dropper.LokiBot-9783471-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys    Occurrences
Mutexes    Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences

*See JSON for more IOCs

Files and or directories created    Occurrences

*See JSON for more IOCs

File Hashes
Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (4919)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (4755)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before the child runs, its memory is cleared and filled in with the unpacked contents from the parent instead.
Fareit trojan has been detected - (1298)
Behavior associated with Fareit has been detected. Fareit is an information-stealing trojan that can send sensitive data from the victim machine back to an attacker.
CVE-2019-0708 detected - (1195)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Kovter injection detected - (827)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (588)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Crystalbit-Apple DLL double hijack detected - (522)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Squiblydoo application whitelist bypass attempt detected. - (402)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Excessively long PowerShell command detected - (319)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a Windows utility. - (305)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
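As an added example (not Talos code or data), the following Python detector applies the last two behaviours above, an Office process starting a Windows utility and an excessively long or encoded PowerShell command line, to constructed process-creation events of the kind an EDR or Sysmon process-create log would carry; the parent and child process sets, the 1000-character threshold and the event field names are assumptions.

```python
import re

# Constructed process-creation events for illustration only (not data from the roundup).
# Each record mimics the fields a Sysmon Event ID 1 or EDR process-create log carries.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QQBB" * 400},  # base64-looking filler
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin script
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Assumed process sets and threshold; tune both to the environment's own baseline.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
UTILITY_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "regsvr32.exe"}
LONG_CMDLINE_CHARS = 1000
# Common spellings of PowerShell's encoded-command switch, as a second signal of obfuscation.
ENCODED_FLAG = re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s")


def image_name(path):
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_utility(ev):
    """Office parent (WINWORD, EXCEL, ...) starting a shell or scripting utility."""
    return (image_name(ev["parent"]) in OFFICE_PARENTS
            and image_name(ev["image"]) in UTILITY_CHILDREN)


def obfuscated_powershell_cmdline(ev):
    """PowerShell launched with an unusually long or explicitly encoded command line."""
    if image_name(ev["image"]) != "powershell.exe":
        return False
    cmd = ev["cmdline"]
    return len(cmd) > LONG_CMDLINE_CHARS or bool(ENCODED_FLAG.search(cmd))


RULES = [
    ("office_spawns_utility", office_spawns_utility),
    ("obfuscated_powershell_cmdline", obfuscated_powershell_cmdline),
]


def detect(events):
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i]['cmdline'][:60]}")
```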