Friday, November 6, 2020

Threat Roundup for October 30 to November 6


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 30 and Nov. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Malware.Upatre-9785658-0 Malware Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Packed.Phorpiex-9785125-1 Packed Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide-range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners.
Win.Dropper.Tofsee-9786165-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Doc.Malware.Emotet-9785374-0 Malware Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Chthonic-9785809-0 Malware Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.
Win.Packed.Dridex-9785894-1 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Gh0stRAT-9786931-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Worm.Ruskill-9785976-1 Worm Ruskill, also known as Dorkbot, is a botnet client aimed at stealing credentials and facilitating distributed denial-of-service (DDoS) attacks. It spreads via removable media and through instant messaging applications.

Threat Breakdown

Win.Malware.Upatre-9785658-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 156 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
188[.]247[.]130[.]190 156
192[.]124[.]249[.]18 156
72[.]21[.]81[.]240 23
205[.]185[.]216[.]42 16
23[.]46[.]238[.]194 14
23[.]3[.]13[.]88 13
205[.]185[.]216[.]10 12
23[.]3[.]13[.]154 9
204[.]79[.]197[.]200 6
23[.]46[.]238[.]193 6
216[.]218[.]206[.]69 1
172[.]217[.]197[.]94 1
172[.]217[.]135[.]40 1
172[.]217[.]197[.]84 1
173[.]194[.]205[.]94 1
173[.]194[.]175[.]102 1
209[.]85[.]201[.]104 1
74[.]125[.]155[.]201 1
173[.]194[.]184[.]43 1
74[.]6[.]231[.]21 1
8[.]248[.]155[.]254 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
antikvarium[.]ro 156
renform[.]co[.]za 156
ctldl[.]windowsupdate[.]com 76
www[.]harcomarakkal[.]info 74
www[.]gobeshop[.]com 74
gobe[.]antikvarium[.]ro 74
www[.]antikvarium[.]ro 74
www[.]gobe[.]antikvarium[.]ro 74
www[.]renform[.]co[.]za 72
a767[.]dscg3[.]akamai[.]net 24
cs11[.]wpc[.]v0cdn[.]net 22
cds[.]d2s7q6s2[.]hwcdn[.]net 22
a767[.]dscg3[.]akamai[.]net[.]0[.]1[.]cn[.]akamaitech[.]net 1
Files and or directories created Occurrences
%TEMP%\updater.exe 156

File Hashes

00e185820e9a43a519a6d8e009caa5dbef28fb4a8cac78e0f89c9d7f17285b90 022c473c454df1440377b4791ff715c7bd4c47f7c9bc3eabca5160b53e061fea 02801e7631b85da5a51e2f6f6e1db1f4a2b0a363864761a70671aed611c67f2c 05281b95ee6ce80a528e36f1bffb7452f1ecad1c30eb5be4d8a80260a83dd1db 070dd9c3ee344d9207305a0dd422d5cf5b61859063a242ee93b75330e522f394 075d9367cced9b586175e1592b4c6280a567c151dd2f638533563da19ef94627 076b9708753a41fc16773b976ea072e63d0e5c1bf45a730610c130913210894f 08eba9511f0c9fcd8c0a91aa8f00e353898917bd6cd0ada36f9b694170c6a004 0a0918b44a952d28e7be6946e2138a71f808ef250543af253fbcf03b58884229 0a18d76eadd1e6b2da475eb71310289068a18274f7a72ecdaa64ea2281b07fc7 0a82b11e85126cb623e27a61726f74637e8c652187cf9a770bae47056ec823ef 0ae81273084ac32b25d8c604256e30fa4426711e5f9b525cb6979ded72886ec6 0c0e4dd0566ca31d20d0cf43ee47b0d5af3e68e853f89f458c7358fe40980ab7 0e0fb83e04e675b809013f37d4af1ff31c36e4813c518b97dd395ec97dcbc92a 0edaf9c336bb1123ed3dc419a54d483670352cb075c70bb8ed59cbe38048e482 0fc901eb87412c4c4734827a0b220de9f6a5932600d1f15bfb643ef2b9eeb0e2 1025f9c3232e2f5b318e5ea8f0cc586c91c161d254917d0491e6827309ffdab4 10fce896467d57aa1e9c9a778f16bfe25e8d8b9421f69ff2095fc7d60105a63b 113eedd981dffbcb9039f646be991681a3be66069b0fe5bbef60135b2bd633a4 11a20d7c6783209ed9f57dfa22d665144590ca8d296b40a1805c9269fbc7b82b 131da532114bed0cf7fb3fec6e07bce430dd81eea06ff1c37d5cae3e82345afc 1339b417dc6a9fb2f4148ce0922d91b7dbfd16a18b23eddf45698e5859a21a28 14248c863bdaea2df1bde2d0a01f3d2506a2bcf5810fb651b27e2fe16b03b2e7 146413516e7e49489e8e1ca7e56b9a3173173a18e5e9078f3ee9a004d9b18d70 1473d2c2c22d2389f5251cea465e3b44621bd473636b4e3fe46f19e6ad6db70a
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid


MITRE ATT&CK





Win.Packed.Phorpiex-9785125-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Host Process for Windows Services
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Host Process for Windows Services
13
Mutexes Occurrences
543261 13
d77df7f 6
<random, matching [a-zA-Z0-9]{5,9}> 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
217[.]8[.]117[.]10 13
67[.]195[.]204[.]72/30 8
98[.]136[.]96[.]92/31 8
144[.]160[.]235[.]143 6
67[.]195[.]228[.]110/31 6
147[.]75[.]47[.]199 6
74[.]208[.]5[.]20 5
68[.]87[.]20[.]5 5
144[.]160[.]235[.]144 5
212[.]83[.]168[.]196 5
67[.]195[.]228[.]94 5
67[.]195[.]228[.]106 5
67[.]195[.]204[.]77 5
67[.]195[.]228[.]86 5
67[.]195[.]228[.]84 5
98[.]136[.]96[.]91 5
98[.]136[.]96[.]76/31 5
67[.]195[.]204[.]80 5
144[.]160[.]159[.]21 4
67[.]195[.]228[.]109 4
106[.]10[.]248[.]74 4
67[.]195[.]204[.]79 4
98[.]136[.]96[.]74/31 4
104[.]47[.]22[.]161 4
17[.]42[.]251[.]10 4
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
tldrnet[.]top 13
mta7[.]am0[.]yahoodns[.]net 5
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 5
mx2[.]comcast[.]net 5
mta6[.]am0[.]yahoodns[.]net 5
aol[.]com 5
mta5[.]am0[.]yahoodns[.]net 5
comcast[.]net 5
sbcglobal[.]net 5
al-ip4-mx-vip2[.]prodigy[.]net 5
al-ip4-mx-vip1[.]prodigy[.]net 5
rocketmail[.]com 5
api[.]wipmania[.]com 5
icanhazip[.]com 5
fw[.]dnsforwardingservice[.]com 5
www[.]haoqq[.]com 5
worm[.]ws 5
aim[.]com 4
yahoo[.]com[.]cn 4
yahoo[.]com[.]br 4
loeghaiofiehfihf[.]to 4
4944[.]com 4
id43537b6[.]301nn[.]com 4
2943[.]com 4
7086[.]com 4
*See JSON for more IOCs
Files and or directories created Occurrences
\autorun.inf 13
\.lnk 13
\__\DriveMgr.exe 13
E:\autorun.inf 13
E:\__\DriveMgr.exe 13
E:\.lnk 13
E:\__ 13
E:\__\$RECYCLE.BIN 13
E:\__\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500 13
E:\__\System Volume Information 13
%APPDATA%\659679465.txt 7
%TEMP%\3012022720.exe 1
%TEMP%\3202817528.exe 1
%TEMP%\2594923310.exe 1
%TEMP%\373712674723.jpg 1
%TEMP%\3434920472.exe 1
%TEMP%\1060012425.exe 1
%TEMP%\2057418053.exe 1
%TEMP%\2264239364.exe 1
%TEMP%\3595337295.exe 1
%TEMP%\3996610122.exe 1
%TEMP%\2875386318562071.jpg 1
%TEMP%\1597422233.exe 1
%SystemRoot%\20496126611642\svchost.exe 1
%TEMP%\1990837273.exe 1
*See JSON for more IOCs

File Hashes

09075d0a550030f67320903d953299351f9cff9154a346b1ac79c42abb1ae71f 1f107673dd877c2ae866a5c6e928a32cd478a83c6ed44887331d463eeb75aeec 352fc841301234264a4dd9fc6b5183e4e75af0e4f2e8fd14d63b690f94d77953 4a997d3956f2abdc62b3eb6285e0dc58dfe7e9d5e0576881d0f5029b637906a4 52be819694d39fb2c4dca0f04a05e752962ce2b5bfd22b5b0ecce48fb77a80f2 53d849666ea5a275782df99167278b7c2fbdd9d4f076f74e579cb7b2be889a4d 634e71695e0c28d19d73858919aa643539e88476d5b354c6adf9a2391f06d774 6ef47d12e5942fc573947b873fe63e4d67381e13681ef5e2aceb1fec709487dc 7d68e936dfaf3b519910cde5500357ab201ce4275820ee03369fc85c676e6851 8daba59caa8385a0d80c166c7001d437574518a26d3e8f77c0e644a71a5bdcf1 a5e2762a1280895271cdc4d3bec6bdd0d15359909d19b762c0a1e499edd9f3be bbfca05890d48cd3ad89b764b33dd63c76c0ada37decc9e43687bca0445ed959 c42a246eef615127b279c85840e84a3b7755379bd05d7cc7ed580092c504d0e0 c49241b4655ee061861705779415c9bc2e19010e3d82ecdc3e3754a336aa75de df2fdbfd8576d32ecbe2342460f7767254e33c00ebb61ce73090e6b8cbfa60c1 e26c0f095b9f9ccde19547cd658305906cd05da82ca1d6e598a0119698821d21 efd94300a1677b7d575aad142c18c3f38abeb51572cce815b98dfc27d5335560

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Tofsee-9786165-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 78 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
64
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
2
Mutexes Occurrences
tohgahytgbwkde 78
Global\<random guid> 12
Local\{41435A30-AC43-1BEB-BE05-A07FD209D423} 2
Local\{9F866EB0-7223-292C-7443-C66DE8275AF1} 2
Local\{1FA75506-F2C9-A9A0-F4C3-46ED68A7DA71} 2
Local\{184D9E3E-976D-0AAE-E1CC-BBDEA5C01FF2} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
239[.]255[.]255[.]250 66
43[.]231[.]4[.]7 64
172[.]217[.]10[.]36 64
104[.]47[.]53[.]36 64
69[.]55[.]5[.]249 64
85[.]114[.]134[.]88 64
217[.]172[.]179[.]54 64
5[.]9[.]72[.]48 64
130[.]0[.]232[.]208 64
144[.]76[.]108[.]82 64
185[.]253[.]217[.]20 64
45[.]90[.]34[.]87 64
157[.]240[.]18[.]174 60
23[.]5[.]238[.]94 40
99[.]181[.]79[.]2 33
216[.]239[.]36[.]21 32
69[.]31[.]136[.]5 24
83[.]151[.]238[.]34 20
23[.]10[.]134[.]216 19
40[.]76[.]4[.]15 18
37[.]1[.]217[.]172 18
209[.]85[.]201[.]104/31 18
172[.]217[.]12[.]131 16
40[.]113[.]200[.]201 16
172[.]217[.]7[.]3 16
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 64
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 64
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 64
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 64
249[.]5[.]55[.]69[.]in-addr[.]arpa 64
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 64
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 64
www[.]amazon[.]com 46
native-ps3[.]np[.]ac[.]playstation[.]net 42
video-weaver[.]fra05[.]hls[.]ttvnw[.]net 33
api[.]sendspace[.]com 24
doi[.]org 21
work[.]a-poster[.]info 18
ip02[.]gntl[.]co[.]uk 18
msr[.]pool[.]gntl[.]co[.]uk 18
www[.]google[.]co[.]in 17
ieeexplore[.]ieee[.]org 15
e17052[.]b[.]akamaiedge[.]net 11
api19-normal-c-alisg[.]tiktokv[.]com 9
yandex[.]ru 8
www[.]google[.]ru 8
117[.]151[.]167[.]12[.]in-addr[.]arpa 8
d3ag4hukkh62yn[.]cloudfront[.]net 8
www[.]google[.]ca 7
www[.]google[.]de 7
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 64
%SystemRoot%\SysWOW64\config\systemprofile:.repos 64
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 64
%TEMP%\<random, matching '[a-z]{8}'>.exe 62
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log 28
%System32%\config\systemprofile:.repos 26
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 23
%TEMP%\Liebert.bmp 2
%TEMP%\dcsovrw.exe 1
%TEMP%\vukgnjo.exe 1
%TEMP%\cbrnuqv.exe 1
%System32%\qfunjen\srdzeoyl.exe (copy) 1
%System32%\pkxnknf\zqjmtgsr.exe (copy) 1
%System32%\ughysqz\idkhgdza.exe (copy) 1

File Hashes

069ea281844ff1808aa48539def6a24479afe01a25e23b9262e87c14c93ec13e 095b4fecedceb8fbcc4d5bd1eb0862a96ecfd6df955dc04b712036831e91dd3d 1468edcdfb51ca221782f4ae316daf9e4f4946ac86f2e25a1a2a5d5e51e0924d 14d600fe83c52c076b3a42e8024f5f5314521144bbb6bcb7ad28459f2bbf277b 188e82d0a01488c2099946a5b3840ae66200123dd65d319a37280dbf6cb91a18 1a15ce556b405c83d16b4134d1a01607615073ce13f926cafca679320e749c9f 1dff2f248154478340885ea522c8514336f86d68c2ec7e617e67d4da1acb769e 2270bf23e21935ce426bd5e76a6e563af03e0f824de1cc9c2942c006e62a586d 23e29aef802675a5f1de9b8eef8800b17273f96cedc7aa88b3a7fb4c3ce4a867 259da64d5d4b23db8b18b9426cb7066f439b5c7d29a13a8af18c74c04c8a1c12 2746faae0c729c4cb30744bc93399e53cb654737bceb7416622fdff7e8e9f167 27dcdd583f6fa32592d52fd1c4259ee45b3bb313e53686bee2c58a65275242ca 2dfdf42b5f44e8749d7f80509cfa177badaf630aa257725858b32869573f9905 31567bd427558512a09b5bad5ecd66d49d24936d4fd371f6e9528c7ac0907a34 3282c6118b3056a0845b287914703af1c66e5afa7108aaf8ac7286bdd843c16b 32ab3d024593359940216f673961ce3d2ac0778c79206842cb72a04ccc9a4f5a 391819c8751f0ae54665494e5bfce92661cf8831d3951bae941aa45f88a74271 4160736c2e1c9375845477ef3f75364da847da5952b2053b766e0800259c2668 416c6d69301932733536614897b254e0da5c12b19d8c13c576270872a9c044d8 434064cb5f9ab9893cc493404f6d20f63e1040a8f575ad94199ae6d5d6ffa78f 445fad09f0f31503bf8efe89408a096857893fd8a9c83fc9b82fe0ac2f3f8d77 45de89180c914c587b00cc4968488ca04cc41a4bc1eafafa3f4bdfebaefaa72a 4650e7095f43afad90791122f1b5f34abf091e8eb95b373745b25a3557f4a039 488dba0ceb1307885d5611cbc5bca79fdc54bdf2f083390c0029bbde16f4ab3f 51d065eaddbf65c00ca1afb0a66b32aab8eab13298d7873dd1abf12f3c8fac71
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Doc.Malware.Emotet-9785374-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 66 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFS
Value Name: Start
19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
190[.]202[.]229[.]74 66
70[.]39[.]251[.]94 47
118[.]69[.]11[.]81 47
156[.]247[.]12[.]150 40
176[.]65[.]242[.]190 25
104[.]28[.]25[.]139 16
104[.]27[.]132[.]14 15
120[.]77[.]243[.]218 13
104[.]28[.]24[.]139 11
172[.]67[.]220[.]107 11
104[.]27[.]133[.]14 9
172[.]67[.]191[.]219 8
87[.]230[.]25[.]43 2
50[.]63[.]8[.]21 1
104[.]27[.]154[.]51 1
104[.]27[.]155[.]51 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]cloudflare[.]com 41
vidadohomem[.]com 40
uxnew[.]com 40
www[.]ecobaratocanaria[.]com 40
kharazmischl[.]com 25
e13678[.]dspb[.]akamaiedge[.]net 14
help-m2c[.]eccang[.]com 13
dotasarim[.]com 1
servitekifix[.]com 1
Files and or directories created Occurrences
%ProgramData%\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat 66
%HOMEPATH%\Ujmiqax\Pkv18r7\Ey19z0q7g.exe 40
%HOMEPATH%\Ujmiqax 40
%HOMEPATH%\Ujmiqax\Pkv18r7 40
%HOMEPATH%\Wqewzer 25
%HOMEPATH%\Wqewzer\Zdoz0xf 25
%HOMEPATH%\Wqewzer\Zdoz0xf\Xp13y90.exe 25
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 14
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 7
%SystemRoot%\SysWOW64\muifontsetup 2
%System32%\gpresult\netsh.exe (copy) 1
%System32%\shsvcs\mfnetsrc.exe (copy) 1
%HOMEPATH%\V01rgaf 1
%HOMEPATH%\V01rgaf\Nh52o_w 1
%HOMEPATH%\V01rgaf\Nh52o_w\Q_45u5e08.exe 1
%System32%\netiougc\cmd.exe (copy) 1

File Hashes

07d3d262ae5934d62b36cc25fbef3f80269f27cc3922c4904b052e15020b98c3 0c412bfeab72cef839152317d8b8e1cefcb9a1576272cb225d50950cf3b01626 0fddec33e37cff1e923bf08dbbb3842f0f41b019150024485d0fd2b7e6566a70 12d243ca57615b72c7f8e54be76f0c6003e18505b83ccf20ccc4ba1c7e65ceb3 172d9ebe418ee909cc8a04a6c32c4226036a99b84741cbd6cbc9aebc06261205 173925fcf34d96b57dae1588dd122142098de986aa2f0bad8fef6e84992c0b74 1773f8c0f1a4e79c6f8ac705e22d9941834323a32ee8fa05f121cb6897653749 1a3231aebab78019fb2bc9e46905bcbaf3823a9313d185abcb8129a9118aef84 1a6844baf881159841bd417f1c7181d83ea822bee82fa623078ba0f26f5b359c 1d155be37cf38fd0b848877f9e628c9b5ad554526e058dd105de59785af38597 1d2af5dd62e301948ff6c0865c7ab91cef421faefa69a645dc6e28a7d73d1509 1da688acac13e5306fbbe1dd92c16af2acf14f18abfc3dcfbd6b662229b6cb5f 1defcb4475194ea4a24452f448eefc5c738e97913a331bd23a6b79d9e5d6f4a3 2060f8ff8979ab821ead7cd281080b99690c688fb0f2dda5b69c0116de34181c 221d1ea189ab22be290818493a26860b54e61219fad0d7e39714eec24a36e19b 25e8c13c4b6c836295fc6e8041be76e87c719558d694234c8f2318216a656783 2b350167cafa693cdd1ce26f6be0995149aea969575b0bd687a8c375aa3aed23 2ea40ba44f27c2c37e02cb3e34fc79033be5fe742d29d5bcd6fc0a30f39fa78a 326580245321200ddab731ee069c2620f696f92daa20029ec229b6b989edbbea 34656bdf6918d4026fd1b5a563670a0a137f76d34569b44e01cc9982385c8452 34cd9b83b3541e4301ed441dd798c66fce18cc6b1da77f3d87ced769a67ba8f4 368c65572de503cf23b71bc24a913911eaf124cff53481f92d75ae1ad48f0eed 37a642047e81e9eb0752fcff65a2cc9f2b62cae49bc99f7e76240d1847ae53dd 38a2ee825fa1600afcf810bdc17461b4938156146e8ac42851e907f0f247bafb 390316c90b5b70cf05ab4cc939769eccd40ba6cedf291d86f3a55c82f4491025
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Malware



MITRE ATT&CK





Win.Malware.Chthonic-9785809-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\UAZI SOFT
Value Name: UaziVer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live Installer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Windows Live
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 5
<HKCU>\SOFTWARE\UAZI SOFT 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lliseconc8a
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: lliseconc8a
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lisecosys
1
Mutexes Occurrences
1z2z3reas34534543233245x6 5
1009299684 1
2562100796 1
lol 1
lliseconc8a 1
lisecosys 1
lliseconc4 1
sysaebwasys32 1
liseccdsew 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]215[.]148[.]63 4
104[.]42[.]225[.]122 4
40[.]112[.]72[.]205 2
80[.]82[.]65[.]74 1
91[.]232[.]105[.]121 1
89[.]248[.]174[.]17 1
217[.]23[.]10[.]156 1
93[.]190[.]139[.]161 1
66[.]196[.]118[.]37 1
64[.]70[.]19[.]203 1
95[.]81[.]173[.]8 1
74[.]208[.]5[.]13 1
91[.]236[.]251[.]24 1
91[.]190[.]217[.]143 1
85[.]199[.]214[.]100 1
104[.]18[.]33[.]245 1
104[.]18[.]32[.]245 1
40[.]70[.]224[.]146 1
188[.]125[.]68[.]59 1
91[.]190[.]218[.]34 1
134[.]170[.]58[.]222 1
185[.]41[.]243[.]43 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
europe[.]pool[.]ntp[.]org 4
and30[.]blabladomdom[.]com 2
www[.]update[.]microsoft[.]com[.]nsatc[.]net 1
and19[.]amainwrorldnancy1[.]com 1
sx13[.]ws 1
produkktc[.]com 1
Files and or directories created Occurrences
%APPDATA%\WindowsUpdate 5
%TEMP%\temp41.tmp 5
%APPDATA%\WindowsUpdate\Live.exe 5
%TEMP%\apiSoftCA 5
%APPDATA%\Windows Live 5
%APPDATA%\Windows Live\debug_cache_dump_2384394.dmp 5
%APPDATA%\Windows Live\pldufejsya.exe 5
\RECYCLER 5
%ProgramData%\msodtyzm.exe 4
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800 4
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-13633451\sysaewazbys32.exe (copy) 1
%ProgramData%\Local Settings 1
%ProgramData%\Local Settings\Temp 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-13633451 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc4.exe (copy) 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lliseconc8a.exe (copy) 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lisecewwevw.exe (copy) 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-196852800\lisecosys.exe (copy) 1
%ProgramFiles(x86)%\ms.exe 1
\Documents and Settings\ALLUSE~1\Local Settings\Temp\msuittc.com 1
%ProgramData%\1621684696 1
%ProgramData%\1621671514 1
%ProgramData%\Local Settings\Temp\msceyzi.com 1
%ProgramData%\1621667739 1
%ProgramData%\1621687692 1
*See JSON for more IOCs

File Hashes

003b89285bc13b8573e2170e455da7e5fe90677a40046e853b64a25531579bf2 01fd7ff2ad9370a49097b32ae9677bca3c5f2b3522336c4efacab27825870cfd 05a2d21b21713f3ca7d505c5ce8b07f6f8607d80cf530fa771686c51081e73cb 10a1ec9b9ebb4bb284c2da44d98007d4f8976088bd927bef1ead04717dd81b4a 13cd6ad3f115a94ddaec4af394e40b780b5a6ff312dcf6d443174962fcd0b839 1d4f096a2f7f6e0c80980935d8b7a1fd73ba2841f2ddfc44572a37e921ee541f 275dbcddeda29abe18ad1037a4168b524c519f3d226128ff88800f94a056ead3 30b6eba0bdcc60bf966241027b8e6dd8e820dd04c2ad496c7b5f897e0d334fa3 33cf647bec5cc5cab315ea127cde0e83c27bd3e9eb938dfde4f90bdc682109f2 39bfe631cd181066beab0136ed9a357a555f0bf7dec59a4cb7ee916fef2416cc 41f15d6d23a7b8858bb4bea4dc95792fc2de79afcdc423a224b029b677576cf9 4679aa442b391c42adef3df4be14b408bd3613558f9ef126457a89e3b0337040 4966ad80e045b12e2e70cfa04c87ee794a83f30e19f095917533fdb281fc681a 4a1f46e1922c8f914f6839d4b2ba21e1a21b486cf385895a4771f2e8e6f8668d 502e1c04e139d46e130050768561bfcde8d19ac54c4be540c2b96cb5602809d7 554a35d04d50054b23bc13835f1d496efc085e4d9afb6f914fb9b6f23e99557e 55f1fda3b8323043d8f4677836cc6b8628e7a4549acc6f47445294ab245b3fe8 5ca4b209a6b85823a87b9fa1ea4c4c848b09fcb12170f62e5edf10cdd8830a7d 62ca6f8316d46214392245741f78a5419f73f9b905c4bbd1987c20ac4ee4b36a 638771c2438eeb5bb5536ec809ddba8d69f19a8f26631f1d85d5c778285fdd9d 6bc0fcc5283227fa7a5196d430ebffa1b1587c1fa2b6aea5c011210001b86e46 6eb20ad544002a96343789c5fee3f2276fa7990b235d8ec044b4497bf5537fd1 71097398094bf0e93f1f1ec54f7a0b4251d28337ffe2852ac2e95980c6aa623a 757592e4ee31a9c1ad62651021750795727fc6315042b0de0c53ce85973f18f5 7ed74270c6c93f174c4fb7a12b8f40315e7fc9da36835c159f14216da948552d
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Dridex-9785894-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
22
Mutexes Occurrences
DmWztupN15 2
Tx6jwJAM4u 2
U5V9DbdhfF 2
ryXnTD2ezo 2
KDNaoOVVfT 2
dF2AVVCy7l 2
7uHVFHZDFk 2
lL6KtvQiq1 2
EP9EMSSVQ6 2
HrZPxaIPBI 2
N3u0Dop4an 2
Q4tSSmx1CZ 2
fXnEB76vnI 2
jdA76RcySE 2
rkl4hgn0V1 2
BdS1Qmbni4 1
HDRb9tFxYp 1
j27R3cTIpk 1
CoHzK0GUZg 1
r5UC9S0t2v 1
DAJC8AWYXb 1
xla3YIyYoR 1
ttzpd0hxmn 1
JoZ9A47Yp4 1
SMpm310TVA 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]165[.]142 21
104[.]23[.]98[.]190 11
104[.]23[.]99[.]190 9
173[.]194[.]175[.]100/31 8
72[.]21[.]81[.]240 6
173[.]194[.]175[.]138/31 6
173[.]194[.]175[.]102 3
23[.]3[.]13[.]88 2
172[.]217[.]9[.]238 1
204[.]79[.]197[.]200 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 22
ctldl[.]windowsupdate[.]com 8
cs11[.]wpc[.]v0cdn[.]net 6
a767[.]dscg3[.]akamai[.]net 2
www[.]rej8prie9g[.]com 2
www[.]07zxovyntn[.]com 2
www[.]sb44btlp7n[.]com 2
www[.]iuihsfzm8u[.]com 2
www[.]gfitpiuoss[.]com 2
www[.]gnshuhtnaw[.]com 2
www[.]bqhkycddr8[.]com 2
www[.]zwxatleckx[.]com 2
www[.]0kenznhg9g[.]com 2
www[.]5vuc9lumg2[.]com 2
www[.]akzm2hyi1x[.]com 2
www[.]euooktmxtb[.]com 2
www[.]gmk4fppr8e[.]com 2
www[.]ik3motvlaq[.]com 2
www[.]qntintmeed[.]com 2
www[.]f0pmdvneqg[.]com 1
www[.]zfwvllpbfe[.]com 1
www[.]asiht4ytm5[.]com 1
www[.]fot74sh42s[.]com 1
www[.]pbpsegyafc[.]com 1
www[.]gxzarf2tzz[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 21
<malware cwd>\old_<malware exe name> (copy) 21

File Hashes

1def0339aa6d3a3a1cf7111534a486b2bbacb7cf0aedcd2f001c5e21baad758c 350e673c5c5fc80b818c442abe15a5ccad5dac57cb5013af5afe06f685520014 3cf4cdd15d0dd3b4efaa13bbb3dc2c0916418e2b188dbb44f5af5a25416b6a9d 573269a168fa0455b23d749691950763c3d84222648ad01ceba36bce7f2d807f 78dd1dbe340765d9e1aff9276723d09599ee87b4d7d437ed49ce66a577e8f5cb 94fce7f94afecaaf6f522e2b352c96c0eeb57268f2f820a5b044b1043a3beffa 98b28eed870ad631fe80fd1a642baa23a3d42ffbc30f44fa02aba15e753e601f 9c565c37daa2407cee915e7e50363ad128a1a8d377713f8e6307483b6946eee6 9e70712f91ab5c0acbf2c97ec83961e92ef11c755eabc865c660e09c5ecafe02 a0651a06ab48d12a254c5ecf73135d4e33e97d76f6e8b1d43b27af4b794e117c ac2e6f5057f903a303f813dc434f18cf9f30f6d7ecc6aea5dd09ad03294b82a4 ade4872607057984a56f74f0916c0a31e44eb0494d2da595c8c31c01622e0d73 b3bd4394049cc23e50bb51191249fde4dac86c7dbec8388b524dcce4fcd2ff9f b90016b0ebc944761abdf812075485bacf4d0062dd043e7616b6845331aa2ecc c03155b6dd263b73c5d05ce345b40fd19aa5f54227d9cf7c23911f000d8d4e71 db89e0770e29f2ab79b7b6747686a7d7ed79fdfb26c05e2e0ee1a2f65553682c e1f646b58980727023bacf7304ff97c36985ed6a7bff36ba9ae87708687dd909 e26349124d8b018c79dc408bcf89332352607fa7837eb600b1421a207938e9cc e885562a826701ac43b019413e6a2c994451520c1be91854abf7782f72ade5e8 f491250f475a759480efb2332d0f87baa0a3ef125ac93fa5e6f00fcca9cb0b77 fde99631dc9a66fa4e922c812cefbffbc611587cc55d61c13026922cc97d5cc2 fe54752f3e6265bd1f9e46fcec90e1f359d04cde7c823dfaf9e4778d2e8fb1ef

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Gh0stRAT-9786931-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\CLASSES\MY345.APPLICATION 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72} 21
<HKLM>\SOFTWARE\CLASSES\MY345.APPLICATION\CLSID 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72}\PROGID 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72}\INPROCHANDLER32 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72}\LOCALSERVER32 21
<HKLM>\SOFTWARE\CLASSES\MY345.APPLICATION 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72} 21
<HKLM>\SOFTWARE\CLASSES\MY345.APPLICATION\CLSID 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72}\PROGID 21
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0387C339-2691-4BF2-8CDD-5DF7ED2E7B72}\INPROCHANDLER32 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH 10
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER 6
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: FailureActions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: Group
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MNOPQR
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STUVWX 2
Mutexes Occurrences
Microsoft.Windows.Setup 3
1x1elma7.xiaomy.net:35383:Cdefgh 1
ksg982211.e2.luyouxia.net:29001:Cdefgh 1
2313u080t2.imwork.net:8000:Stuvwx 1
2z213948z7.iask.in:25708:Lmnopq 1
211.149.235.224:443:Uvwxya 1
a731940742.gicp.net:58208:Cdefgh 1
27ow345733.wicp.vip:16935:Cdefgh 1
211.149.235.224:443:Qrstuv 1
273o4d5660.wicp.vip:20916:Cdefgh 1
22i5b37672.51mypc.cn:33657:Cdefgh 1
26k4593i06.51vip.biz:54871:Cdefgh 1
qwe134816767.e2.luyouxia.net:31173:Cdefgh 1
wdwda.3w.dkys.org:7051:Cdefgh 1
y2291815a1.51mypc.cn:17401:Stuvwx 1
Global\c6c38861-1ec2-11eb-b5f8-00501e3ae7b6 1
a731940742.gicp.net:12345:Mnopqr 1
www.wlxxlt.com:998:Abcdefs 1
232mr66094.iok.la:42192:Cdefgh 1
127.0.0.1:8000:Mnopqr 1
a731940742.gicp.net:58814:Pqrstu 1
2313u080t2.imwork.net:8000:Defghi 1
Global\c76805c1-1ec2-11eb-b5f8-00501e3ae7b6 1
2313u080t2.imwork.net:8000:Pqrstu 1
Global\c88aea81-1ec2-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
47[.]111[.]82[.]157 7
113[.]67[.]225[.]1 3
113[.]66[.]107[.]176 3
61[.]142[.]176[.]23 2
43[.]248[.]201[.]209 2
211[.]149[.]235[.]224 2
204[.]79[.]197[.]200 1
174[.]128[.]255[.]252 1
8[.]129[.]184[.]93 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
lock-domain[.]vicp[.]net 7
2313u080t2[.]imwork[.]net 3
a731940742[.]gicp[.]net 3
e2[.]luyouxia[.]net 2
1x1elma7[.]xiaomy[.]net 1
ksg982211[.]e2[.]luyouxia[.]net 1
2z213948z7[.]iask[.]in 1
273o4d5660[.]wicp[.]vip 1
www[.]wlxxlt[.]com 1
wdwda[.]3w[.]dkys[.]org 1
qwe134816767[.]e2[.]luyouxia[.]net 1
27ow345733[.]wicp[.]vip 1
26k4593i06[.]51vip[.]biz 1
232mr66094[.]iok[.]la 1
y2291815a1[.]51mypc[.]cn 1
22i5b37672[.]51mypc[.]cn 1
Files and or directories created Occurrences
%SystemRoot%\svchost.exe 6
\bd_logo1.png 1

File Hashes

0152995b1fee89c80f03fab026ae0f9c44508f62948d10205822ad7716b885ec 01e84ce98113f779cadee956f6484bee71df85df7a9ae6642df800c96a08f3cf 10ac467c7e267456fc323c0b9ee55ec86e1748d8ecc09094506ee84059fc653f 10df542bd6a785405acfbd78c93a83b4dde65ac33306d39d37049abdf7dfc628 1e02697568f1503e80f922f04a6446c621c63bcef7ea8d1cec9f3d75d3279c70 302d7a9bd6b38c4f6319f700796e60af0af5ab48bac686ceba0f49f8ceb60675 3733ce7461f690bc96646bb68516b4faaf0f8b4dd726a2a68f300effc4579979 59f28791319934001389ee25171316a1798be5d595b3efabb76b474125faaaf7 68d9fc67d8fe9259183be3490f0a82f862362aac918a91e84b75a8fa71961796 8658a5b6231083c82bcd74f62b87167b1f0509ae6d8358d1ffece1672134372b 9117b6de4498b636ec7e49c15adefe3b0f318eb77ed49c0077ae3bc335ad5436 9d733ade75d681619fd7bed292ddf0033a81da1402846bf146d95e9a41a09887 a7768a9c3777678f257f1d0ead63995bb162845ec848d9a0f6e79fb52cd63c3f a7f8f12f407592cf33b55052e7c0e5f159d49abef5f1810310c5077679535fdb b80b82aa5af2737b0637beecfa7ad8b53e69f67c0361bb25b2639b30e1e5af4d baf97205f16f4b50e0756c387fc23683926e552b88854e903c94b6f32a9f0c0d bd4fc63e0e5cceb2d9949300179c03b5730b2ae318e9ce4f315739195ba1aed6 cff9e2db78cabf10eb14cfd646965394af417b78b000ce16b183a426cc6cebc0 f19e26960d000933f81e41234ab46ce2db39193cd81fadf1ef4dd49d7559404b f2af74097b42468db01feadfbe1bd1f039b9f8efaa42831c7808fc4e6aeb8667 f8116bdd42916b0bf7e485c9c2c6f74abf8ecf7c7ff6c0e7e07154ce2a058b1d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Worm.Ruskill-9785976-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Explorer Manager
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Noawaj
18
Mutexes Occurrences
c731200 18
SSLOADasdasc000900 18
SVCHOST_MUTEX_OBJECT_RELEASED_c000900 18
-65b46629Mutex 18
FvLQ49IÀzLjj6m 18
FvLQ49I zLjj6m 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
212[.]83[.]168[.]196 18
204[.]95[.]99[.]243 18
162[.]217[.]99[.]134 18
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]wipmania[.]com 18
n[.]ezjhyxxbf[.]ru 18
n[.]hmiblgoja[.]ru 18
n[.]lotys[.]ru 18
n[.]yxntnyrap[.]ru 18
n[.]vbemnggcj[.]ru 18
n[.]yqqufklho[.]ru 18
n[.]jntbxduhz[.]ru 18
n[.]oceardpku[.]ru 18
n[.]zhgcuntif[.]ru 18
n[.]jupoofsnc[.]ru 18
n[.]kvupdstwh[.]ru 18
n[.]spgpemwqk[.]ru 18
n[.]aoyylwyxd[.]ru 18
n[.]zhjdwkpaz[.]ru 18
n[.]yugypkhvl[.]ru 18
n[.]dclhmfkcb[.]ru 18
n[.]srobpranm[.]ru 13
Files and or directories created Occurrences
\$RECYCLE.BIN.lnk 18
\System_Volume_Information.lnk 18
\jsdrpAj.exe 18
E:\$RECYCLE.BIN.lnk 18
E:\System_Volume_Information.lnk 18
E:\c731200 18
E:\jsdrpAj.exe 18
%APPDATA%\Update 18
%APPDATA%\Update\Explorer.exe 18
%APPDATA%\c731200 18
%TEMP%\c731200 18
%APPDATA%\Microsoft\Windows\Noawaj.exe 18
%System32%\sru\SRU.chk 16
%System32%\sru\SRU.log 16
%System32%\sru\SRUDB.dat 16
%System32%\sru\SRUtmp.log 8
%System32%\SRU\SRU.log (copy) 8
%System32%\SRU\SRU000A8.log (copy) 8
%APPDATA%\Microsoft\Windows\Sfvbvt.exe 1
%APPDATA%\Microsoft\Windows\Gvqwqc.exe 1
%APPDATA%\Microsoft\Windows\Yggrgp.exe 1
%APPDATA%\Microsoft\Windows\Cencne.exe 1
%APPDATA%\Microsoft\Windows\Nvusuf.exe 1
%APPDATA%\Microsoft\Windows\Rvpspj.exe 1
%APPDATA%\Microsoft\Windows\Xrbobl.exe 1
*See JSON for more IOCs

File Hashes

2b1e2326b0b37d311e0c8fc2810de353f24336a99fbf61a0a788385600610e81 3843476ce111d0165978bc0427adde30eaa107c1ad512bbcf6a6e3ee4524030b 3a6e951c5102c0b49619c9eaa4ac1a429cd3888a00ec385a4bd043b5913a569a 3e47322e7c70324553714b7c5220eff4902b8c50b4d61ba2f3f19ee4645f604a 5994380423f37b540168ac921c4b48dacbdb52bec45271bca8e14c1691e36810 5cc1ddad05d3aca1493eee9b6a2a3ca37713fe8bb1a6969eb6cce2c27fa98b54 65f2bda9e2e4ac4155878a8554e32e18ccad82134a81e91d0a961b8c0909e2b2 671d9bdef6074f40c6603389098a5f84a5120c42501059afd31332b249133004 6a762909e43783b6be5f06c2b05bc18516669b0b102d5cd56736fb7fc50e255a 74b5fe774d53840ec5342bd98a240ce382fc3e93bcfdb9bd6ae94ab55e1d2d65 80070eb3c54d7d555cf2750dcb8949a96ba6a20521432747d0768d82926715cf a5084902c76346058210e696ea0e4b7bf58aab71bb1501e668b7af98215e1a7d ac02958eccfadf2e6b7f66325dad85bf486ed2f24a59ac8f09a69597bfd9dbdd c36936d7379fbb9de7f79beae11bce5c3408d8ce78a3e6666f5da361d61dc857 cb213c083836d38c60732422b6bdd871018f8807458d3161a9ed669e0f4dfdd5 dfa92d883a730a374949b7cfc7e0a6b61a6f105b4774fbc75653f4747e3b1e18 e94e2513ae3d7d289ddd91e059554e0416a2e912e5153607c7f4de99a6a05282 ebd75aae6d7b3186ae59b84c7349c7abe52c6cca51f27d169b84ec2251dbc2f7

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (6755)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (4550)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
CVE-2019-0708 detected - (1703)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Dealply adware detected - (941)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Crystalbit-Apple DLL double hijack detected - (780)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Installcore adware detected - (447)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Squiblydoo application whitelist bypass attempt detected. - (431)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (197)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
A Microsoft Office process has started a windows utility. - (177)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Gamarue malware detected - (151)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.