Friday, December 11, 2020

Threat Roundup for December 4 to December 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 4 and Dec. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Packed.Dridex-9802347-0 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Gh0stRAT-9802375-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.Emotet-9802602-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.njRAT-9803023-0 Dropper njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.ZeroAccess-9802579-0 Packed ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Packed.Glupteba-9802607-1 Packed Glupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency and also steals sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.
Win.Dropper.Remcos-9802952-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Razy-9802759-1 Trojan Razy is oftentimes a generic detection name for a Windows trojan. This cluster includes malware from families such as QuasarRAT, Agent Tesla, and AsyncRAT.

Threat Breakdown

Win.Packed.Dridex-9802347-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
17
<HKCR>\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
Value Name: LanguageList
17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
17
Mutexes Occurrences
hOjOttPCDM 1
AahblJeMvR 1
C9G1UlIgM5 1
iVajgIApbQ 1
TMFhQ7dQB4 1
WhisRHryt6 1
zwsYfr6U2I 1
odWNEztQSb 1
yCFzSik8m0 1
z6zDJ0r4vR 1
FmMJfhjNfM 1
H9PTEJSDMJ 1
Mf2BPFGBVf 1
W43mJcS9K9 1
XHtwiaDwmt 1
iywjv1IeMJ 1
mghoA1l2Pn 1
yp00EoQiMA 1
FcwSNs2leB 1
IcOsMsWj6G 1
KM1JIqU8jS 1
R0CMz3mZag 1
WuATNdv48I 1
dBnXoPFvaT 1
ttNoxD4cfb 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]9[.]238 17
104[.]23[.]98[.]190 9
104[.]23[.]99[.]190 8
173[.]194[.]206[.]138/31 6
23[.]199[.]71[.]208 2
23[.]199[.]71[.]185 2
173[.]194[.]206[.]102 2
173[.]194[.]206[.]113 2
173[.]194[.]206[.]101 2
204[.]79[.]197[.]200 1
23[.]199[.]71[.]147 1
23[.]199[.]71[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 17
ctldl[.]windowsupdate[.]com 6
a767[.]dscg3[.]akamai[.]net 6
www[.]xa65vyn0cw[.]com 1
www[.]rxogeti6xq[.]com 1
www[.]9kp1f6hmx9[.]com 1
www[.]avjd26n3d9[.]com 1
www[.]zy5fofibiy[.]com 1
www[.]dmed5sfhsk[.]com 1
www[.]ayvurub1ky[.]com 1
www[.]6brexmpv8b[.]com 1
www[.]fkmpbgtdxl[.]com 1
www[.]izs2zq7pbn[.]com 1
www[.]7nlkhw19sz[.]com 1
www[.]lbgxifqxmn[.]com 1
www[.]7rw9ax3icv[.]com 1
www[.]kmptxrmfky[.]com 1
www[.]9nuyv4kyvc[.]com 1
www[.]t2ht5hghoc[.]com 1
www[.]fop6g8f7lh[.]com 1
www[.]9simrbwq19[.]com 1
www[.]vtr5w5o3sb[.]com 1
www[.]7qka0kqtgx[.]com 1
www[.]ei7s1w8oof[.]com 1
www[.]th6og2oefs[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 17
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 11
%TEMP%\WAX25.tmp 2

File Hashes

0438a52d124dca5794082567a9e13f5104f476d67c2cb6c3e1ce238c80c2d555 25b6691a9cf3bf16ef9f90e03d0b12dd7a5272e95334d142cf3f9e99e7f3dffb 28af621a9168d250c89737f62637c0c91e75678fcebf5d786198809a38ad5242 2f30e21f28818dfb86e8a073e459f6dbc66169463758b0384adeb40a5e368493 52bc1e9e71140b18779589144ec1949443cf29433d6ae108e40c8fa9ba58a33b 5e1b9b55f1d3ac2ab0c0bdd9a75601893452c8a45bbc2f3a12fe6ac2245de40e 5f716a721386c7e3aa19887638cfdd2b149b68ad63e56b0dad1e4ebf6d5d7348 67194de6e79d2caff334922c11886ee2924ed054859236314b153beef4af7ed1 6c5dd120d17a3590ab0d376a44b6630299110794f34cdf4941211a5150324d72 7145fefb50e00ff03a9f1a7ab0e50b1e0fdc52748897bf6b8c5ce226d037d54e 84d0739b0a03a42eef46159a4f8a9615c62456c277d522fe01ae74b67d0c451f 9ddcf9dcc67cad4dee26eac4ab4c17e834f64510c1253d4448605b0073f1b1ab a2559bfa8fc89feab0f1c363dd84ba05a546534de8c9ea1a62809d7a4a2daa33 a5b820fcf77103cbc0aed26431fbffdc929f3041827962523080fccabb4990fa c226a56492044724a4267c104005162f08a65f641df643beba46538e10970a0f c3afdc6c287d04385fd36aecb5f08269aa341b12ce9c4a856f3be15106131f00 cee9ff4cc1a36c223d9ed296e32ca222b295ec609177f1aff02c7889846926ca

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Gh0stRAT-9802375-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\XTREMERAT 5
<HKCU>\SOFTWARE\XTREMERAT
Value Name: Mutex
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
3
<HKCU>\SOFTWARE\SERVER 2
<HKCU>\SOFTWARE\SERVER
Value Name: ServerName
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{BE3SENU1-028P-RA7C-TPBU-6SP145IL8VYM} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{BE3SENU1-028P-RA7C-TPBU-6SP145IL8VYM}
Value Name: StubPath
2
<HKCU>\SOFTWARE\SERVER
Value Name: ServerStarted
2
<HKCU>\SOFTWARE\((MUTEX)) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 1
<HKCU>\SOFTWARE\SILAR 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B} 1
<HKCU>\SOFTWARE\SILAR
Value Name: ServerStarted
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{268440QE-82NW-T265-8D28-T8YA6XD4LE6B}
Value Name: StubPath
1
<HKCU>\SOFTWARE\SILAR
Value Name: InstalledServer
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: erxl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: erxl
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath
1
<HKCU>\SOFTWARE\((MUTEX))
Value Name: InstalledServer
1
<HKCU>\SOFTWARE\((MUTEX))
Value Name: ServerStarted
1
Mutexes Occurrences
XTREMEUPDATE 2
a13932873816.f3322.org 2
--((Mutex999))-- 2
--((Mutex999))--PERSIST 2
--((Mutex999))--EXIT 2
--((Mutex))-- 1
--((Mutex))--PERSIST 1
((Mutex)) 1
Bif1234 1
0ok3s 1
C:\TEMP\75880ef2b1fbfd5e76fb0187209d561c.exe 1
C:\TEMP\62063120f188c1272bd4673763a67d297192f3aa2b23208840aa359bacc2a7c1.exe 1
SiLAr 1
SiLArPERSIST 1
SiLArEXIT 1
gogo 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
118[.]193[.]233[.]10 2
204[.]79[.]197[.]200 1
173[.]194[.]207[.]113 1
173[.]194[.]207[.]102 1
173[.]194[.]207[.]100/31 1
173[.]194[.]207[.]138/31 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
roma1996[.]no-ip[.]org 2
a13932873816[.]f3322[.]org 2
cescmouad[.]zapto[.]org 2
mohamedmmk[.]zapto[.]org 1
Files and or directories created Occurrences
%SystemRoot%\InstallDir 3
%SystemRoot%\InstallDir\Server.exe 2
%TEMP%\x.html 2
%APPDATA%\--((Mutex999))--.dat 2
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 1
%APPDATA%\InstallDir 1
%System32%\Bifrost\server.exe 1
%APPDATA%\Microsoft\Windows\((Mutex)).dat 1
%APPDATA%\InstallDir\schov.exe 1
%APPDATA%\Microsoft\Windows\SiLAr.cfg 1
\TEMP\6c4c05531de14f22fa28e17b4780402c6d0ba596893c80a5f2f4d54cdea87081.exe-up.txt 1
%APPDATA%\Microsoft\Windows\SiLAr.dat 1
%SystemRoot%\InstallDir\erxll.exe 1
\464028622.exe-up.txt 1
\464028644.exe-up.txt 1

File Hashes

061833f8a5a832097aab274769a3db59a3bd8886c5ee8e12224ec4a739aa97fa 0b239301ec2c501802b7580db60fc51a5b10cf9a41922a0311409a1100d61b84 1d70e3972fc2b676dceb9a6c7eec4e1096a35ad6e70c60089f92759d6e67ae5a 21e804b8efe086dbdfd6c4fd6613827dbc5848447883b0659ee8a0f328b27f66 22323c4ffb970c519bb2a916d12c932ee5e41572418ffaeff956e485d47cd38e 24b2328578f28de565e7d7c6f2fa521b8f5e155b07f3e0ac5932e5ec33d55b7f 2b47467fecc2d2c0842722ac992cffcb7a6d67367c2a300ad98d097313d18ecf 2b5e2da6d315c644743753dd4e1e592637141cfd4dba494904b1b006f61a14ef 2f3c45e1af30c17934971cd1e5cf6f69aa98511d4735e82e16dff72bbb9a8e76 36a541cd5ad11443cb607f714081de260c39861fb4775e425fac5158752d967d 3725358403b7c0a541024567884417e999dbdbc54c4709a383f052270db350a3 3832b21e6d372ce8e3141ed14b7c36d8a9703dfba0206af441681af03efe3d2b 3987db32e8df8aaab2cec8703554cef010ce9edeb5ba5d50ae42fc5a49df0c8e 3d5c2c1924c219f5cc196beb76b6c0b2443498cf26964400e4a38f1a32b5f721 48d0884c818445c9bc19d64834df519bb76d392993fba9d3d1938aaef1ef058c 4c1f0fec04f52728f1a4f5424d284a80c8428a49a5c152b85bb336638f494639 62063120f188c1272bd4673763a67d297192f3aa2b23208840aa359bacc2a7c1 63add2cca5a5c2e505616771fabf419cc04f1aea1b214c3348c155683ff16dc4 6c4c05531de14f22fa28e17b4780402c6d0ba596893c80a5f2f4d54cdea87081 6eed9f824e3fa66a6893d54841eb74dfdfdba24bd3c2affbfbe64f2a5c8c3467 709e075d241ab412c961beb25f37669fd28515b0c1b3952f65c4ae3753516719 75a776755bfdd3cfb59286c4feaf6d7216f40f98b6a624ff516dd50abfa26546 88fbd8e0069f74a4e8744f2a58907b66159631966e4f4df993bae4f1f6402acb 9152892c70648ac51000106eadd8030e14a31b17145fd6f036dd6272b11945e4 9752a5294e59ec46bbc18cde6f1ec0dcc3497ce6843d35d20dd8dc1d09ac9aac
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Emotet-9802602-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LODCTR
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LODCTR
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LODCTR
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DXTRANS
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IR41_QCX
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMPPS
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PUSHPRINTERCONNECTIONS
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RSHX32
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ENCDEC
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IR41_QCX
Value Name: Description
1
Mutexes Occurrences
Global\b2caa881-360e-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
83[.]110[.]222[.]32 12
186[.]137[.]19[.]52 12
37[.]247[.]101[.]241 7
181[.]58[.]181[.]9 3
190[.]251[.]216[.]100 3
54[.]36[.]185[.]60 3
202[.]79[.]24[.]136 3
111[.]67[.]12[.]222 1
110[.]145[.]11[.]73 1
96[.]252[.]116[.]33 1
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\olepro32 1
%SystemRoot%\SysWOW64\input 1
%SystemRoot%\SysWOW64\mfc100esn 1
%SystemRoot%\SysWOW64\msxml3 1
%SystemRoot%\SysWOW64\msvcirt 1
%SystemRoot%\SysWOW64\wpdshext 1
%SystemRoot%\SysWOW64\davclnt 1
%SystemRoot%\SysWOW64\netcfgx 1
%SystemRoot%\SysWOW64\systray 1
%SystemRoot%\SysWOW64\RMActivate_isv 1
%SystemRoot%\SysWOW64\rsaenh 1
%SystemRoot%\SysWOW64\msnetobj 1
%SystemRoot%\SysWOW64\comres 1
%SystemRoot%\SysWOW64\polstore 1
%SystemRoot%\SysWOW64\odbccr32 1
%SystemRoot%\SysWOW64\pdhui 1
%SystemRoot%\SysWOW64\NlsLexicons0416 1

File Hashes

09e38ad469ebb81937c1b10eaf3a739787632bb8ae181cbf5790151bf33948fb 287a7c162ca363d8bb8d359a8a957fc048eaed218e1d2fe98fc8cc9e072b1fb8 376644248967d606a6603e20406170d51ef0ebf2fe558bfd1d63eecb56c6076e 6235cb76131d1a50d16318e26dadd995cd2aee85c8eb5b0173cc8241c9d4a3a5 664302d1cbe6cb663e1b47019bf28914c348dde9a060bff968c9e232506733ef 7d687d5e1616ba9372c1978222de70265c5ecd62dc04d6986b9f3349f84fa6a6 84ef881d77235ce0b9e28c6c071e4a527d760aa0711a94c8868945258a6602b7 900b45e74d63d31d6e256578d1e111abda9b7884cb4fae38d32875857a07725d a968f3dfac31ada131477dba93a7f79db71dcc9fb7d2c5f2c6e98aff68fcd6e5 aa12adf079d46b70df6e5903cefa3177c2ef7dc120de4652ee17f21363d5e576 b00d5896e485a3081659788cb84c7c4d0692b6c8b751d57f21b4eaa8210a52b4 bccf0b192412b8901ebef34760a8ae6dae924c71b5610af5b6878456391b0c18 c47ea8dbda9255b17dc3c29bdc16786bc0cc5e2d30bea17c7c3db02e83e75600 d8b897f36e0fe1276482182bc7ee4cade32cc14f9386ffaa77cb85e937a3aa55 deb42d10d75557a8c96ea39ae0220dd1dfd829d5374ab9094677888299a95d1c f879de51bc9e1ff40d32d1bd162a12683a21fb415a9d1703450cdc39e27d24c8 fd6e331c073461e085c665fa2b272402eb928336778fd18ba5f125d0893f46e8

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.njRAT-9803023-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
11
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos
11
<HKCU>\SOFTWARE\A9265285803FA7F0A7CFB92ADF60AE69 11
<HKCU>\SOFTWARE\A9265285803FA7F0A7CFB92ADF60AE69
Value Name: hp
11
<HKCU>\SOFTWARE\A9265285803FA7F0A7CFB92ADF60AE69
Value Name: i
11
<HKCU>\SOFTWARE\A9265285803FA7F0A7CFB92ADF60AE69
Value Name: kl
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos.exe
11
<HKCU>\SOFTWARE\REMCOS-HQ23DY 11
<HKCU>\SOFTWARE\REMCOS-HQ23DY
Value Name: EXEpath
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5e2e9a36ea2fda5b9ec0636a657a5e8d79cb4d95541a3f22e757213390b36b06.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1dc0ac772a666dda0056c5bc75333b62b3c8439bc3375df1c673a516c4bf54c2.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: da71a0198b8df9450eb5c3ba24c38a6454d439be512d8da2cffbcb88596f9386.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: f0ae868389da2c5d56ff3aa7305941c0b71bc1c36905bd77ade2777bbeabd48e.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 778d23ab8e41268bfa52dd24585c148fb0ab31ae6be2879ddb6ff0a89e5d6050.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: e2d6913ff68b457b4a9b96c67d1a18709cfae25bc31e57a229bdc8c59e194133.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5bcf5a666f3c462b8fa0330698e9571c7c679fba53e7bafc90ba4e4df112ceab.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: caccbf129ab338b2fee9435afbd1bf2c97973020dde2444c02762c9c207bd6c7.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 67280c082dcddf152bd01b2de9483877e9c37e580dd5a553b651afb5bd2f549f.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b000b74268695280cba4bb15c6ecc4077779db73615a1f57d78ae2edc2417085.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 82e62056e373804065c4344729e19a7ba2290fb50c786bec211dfe24b5f5d3d0.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 3bd38058c26c23156c5a0f448544e49e4b6bcf9320d7c436ad9c10107325368e.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8788f21e7596e1d46e92c7e8eb7beedd54eee2c4b8a37a939f73a8ddc80bdb2c.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: a871b6d6330b979e32fb825227ef683248d73c01c955caeedc21f9d437d7c97a.exe
1
Mutexes Occurrences
Remcos_Mutex_Inj 11
a9265285803fa7f0a7cfb92adf60ae69V2lyZQ== 11
Remcos-HQ23DY 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
84[.]200[.]65[.]36 11
204[.]79[.]197[.]200 3
Files and or directories created Occurrences
\TEMP\aspr_keys.ini 22
%APPDATA%\ASound.exe 22
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe 22
%APPDATA%\remcos 11
%APPDATA%\remcos\remcos.exe 11
%TEMP%\install.bat 11
\Device\ConDrv 11
E:\remcos.exe 11
%APPDATA%\remcos\aspr_keys.ini 11
\remcos.exe 11

File Hashes

1dc0ac772a666dda0056c5bc75333b62b3c8439bc3375df1c673a516c4bf54c2 2274b3c97db69cce6d89297c7315089421c2ccdc2d8109ed7fbd26b7a331e37b 3bd38058c26c23156c5a0f448544e49e4b6bcf9320d7c436ad9c10107325368e 51f27d2d813f0b6920424466910d263ea0d0ef138f37d320eddbb597a3534d88 5bcf5a666f3c462b8fa0330698e9571c7c679fba53e7bafc90ba4e4df112ceab 5e2e9a36ea2fda5b9ec0636a657a5e8d79cb4d95541a3f22e757213390b36b06 6555f50b34e80454bf8a039ea00c45197f131cc16103fa9bc6caf4c260960042 67280c082dcddf152bd01b2de9483877e9c37e580dd5a553b651afb5bd2f549f 778d23ab8e41268bfa52dd24585c148fb0ab31ae6be2879ddb6ff0a89e5d6050 82e62056e373804065c4344729e19a7ba2290fb50c786bec211dfe24b5f5d3d0 8788f21e7596e1d46e92c7e8eb7beedd54eee2c4b8a37a939f73a8ddc80bdb2c 8e15ee87c184118279b5235afa195421ddc6b0fe346105e7327c1948e49a01c9 8ff1b62757a618adcfd4663f6c146a963f7fae674b660a79b08e14b42c55b98d a871b6d6330b979e32fb825227ef683248d73c01c955caeedc21f9d437d7c97a b000b74268695280cba4bb15c6ecc4077779db73615a1f57d78ae2edc2417085 caccbf129ab338b2fee9435afbd1bf2c97973020dde2444c02762c9c207bd6c7 cba4090a0acac9932f3a1befee047efc28ff6fc7b0bb13c10f9927a9061082d9 da71a0198b8df9450eb5c3ba24c38a6454d439be512d8da2cffbcb88596f9386 df2179441fd702bfa245e5d19577a16480f1ab943e9fe104301a2121115ab500 e2d6913ff68b457b4a9b96c67d1a18709cfae25bc31e57a229bdc8c59e194133 e5a43422eb2f64b6f8675512f89d3a592f91499106159d8d15a2f130602aad23 f0ae868389da2c5d56ff3aa7305941c0b71bc1c36905bd77ade2777bbeabd48e

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.ZeroAccess-9802579-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
24
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
24
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
24
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: DeleteFlag
24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
180[.]254[.]253[.]254 24
166[.]254[.]253[.]254 24
135[.]254[.]253[.]254 24
117[.]254[.]253[.]254 24
119[.]254[.]253[.]254 24
134[.]254[.]253[.]254 24
206[.]254[.]253[.]254 24
222[.]254[.]253[.]254 24
182[.]254[.]253[.]254 24
190[.]254[.]253[.]254 24
184[.]254[.]253[.]254 24
197[.]254[.]253[.]254 24
183[.]254[.]253[.]254 24
158[.]254[.]253[.]254 24
204[.]254[.]253[.]254 24
230[.]254[.]253[.]254 24
209[.]68[.]32[.]176 24
71[.]123[.]238[.]4 24
24[.]57[.]248[.]253 24
71[.]8[.]195[.]183 24
188[.]25[.]246[.]11 24
78[.]39[.]201[.]179 24
76[.]116[.]188[.]223 24
76[.]109[.]163[.]88 24
68[.]60[.]107[.]146 24
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
j[.]maxmind[.]com 24
Files and or directories created Occurrences
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 24
\$Recycle.Bin\S-1-5-18 24
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 24
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 24
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 24
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 24
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 24
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 24
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 24
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 24
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 24
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 24
%ProgramFiles%\Windows Defender\MSASCui.exe:! 24
%ProgramFiles%\Windows Defender\MpAsDesc.dll:! 24
%ProgramFiles%\Windows Defender\MpClient.dll:! 24
%ProgramFiles%\Windows Defender\MpCmdRun.exe:! 24
%ProgramFiles%\Windows Defender\MpCommu.dll:! 24
%ProgramFiles%\Windows Defender\MpEvMsg.dll:! 24
%ProgramFiles%\Windows Defender\MpOAV.dll:! 24
%ProgramFiles%\Windows Defender\MpRTP.dll:! 24
%ProgramFiles%\Windows Defender\MpSvc.dll:! 24
%ProgramFiles%\Windows Defender\MsMpCom.dll:! 24
%ProgramFiles%\Windows Defender\MsMpLics.dll:! 24
%ProgramFiles%\Windows Defender\MsMpRes.dll:! 24
%ProgramFiles%\Windows Defender\en-US:! 24
*See JSON for more IOCs

File Hashes

01bd7aec164fd36239963b37c2761317bf6db3abf1a2d338d1c66885445604ee 2378eabcb037f4411fa05b169167b85a7901ce007197c716b9028c7527146fa8 29b26861290fe131baeca9acca5f0ca958ed1c702237fe365d65bb5d29707a53 3aaa445d0630fa62565be3fb765bc06851477cc7478f895505cc094bdf7ab0d5 4482f9da16c07274b890bfb244389f237a717c0b61648776370d95248c769df7 589b8056d1cf9fbb9b6f89e6abc42582ab1a81b1d932ad27f22d1e9f09ac7acd 7cbfced59f6566556e1be84e1369ea5adfbdaf891969a8602ffaa664ba9c0ac2 805e33905b4e8643aafa7e8546d8deefe8d8d5ee961670657b2e3676ba476904 8518cd7c18488c073741109ddff7b513bd57ab0de25858c831d4ebafb946df75 89bc98d97c5d3ffd1f4ce56195caecb8fb42ce06602211cc9333b8958e873fd4 8e6b9bf356f086421befdf2f4cf3abd8bf4daafa1a485f3c62687575efeb49eb 949fbbd3dec56f99892cd187143f69b6de671afb9450897fdf3ed0585c473263 a167bfe2d397b93e2219315c9b5f7defa70dceb6ceda1e71de5df3ece646ff3b a85351606a9ec16518e9c4cac165df36b30c93c5f18d9cba59d603f6c60f4f7b a9008fd3f68de29569fcd8d3beae712e3b1a39b786de19025e83b8608de86db0 acefc076338ee225f094011dde86b06fb8665447b8a9c7ce0f7ab73431d84123 b1f2275e439056d7096255258174e4a14fcd68cd8a55a650fb4b4572cfee871a ba53f06e9cfc3096c64bcbf4436d1b9be340f3ae389d42772ec4a3bcd2527647 bbe7f92026515c70f0ebf8b9aac0ddf8e96a2a8303083793ee70b2a39696c389 c877e98e157126d72a0f8ffd07d4e7ae138be0df2abf58a39623966a6a15aac7 e3dbeab85a84e5e30761a25a61d97d98b029b451bd409153207918028831ee15 e96dd450e0bd9f13bb32e8ef3775b13c82642bf8d98e04b20863454ee9941fb6 f2df912cb6940c86ee73da5f3e61f8e92c2bde6b1a5f8d9fc715608d2271ca9f fe2c2ef40274fe98b07b19813fbe3c636c78fb59fa5a0a6d76969ac9c6f04ffc

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Glupteba-9802607-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
4
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: DistributorID
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: CampaignID
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: SB
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PatchTime
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PGDSE
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984 3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: Firewall
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: Defender
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: FirstInstallDate
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: ServiceVersion
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: SC
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: VC
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: ServersVersion
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: OSArchitecture
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: IsAdmin
3
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: AV
3
Mutexes Occurrences
Global\SetupLog 3
Global\WdsSetupLogInit 3
Global\h48yorbq6rm87zot 3
Global\ewzy5hgt3x5sof4v 3
Global\xmrigMUTEX31337 3
WininetConnectionMutex 3
NattyNarwhal 1
NeoNetPlasma 1
NetRegistry 1
OneiricOcelot 1
OnlineShopFinder 1
P79zA00FfF3 1
PCV5ATULCN 1
PJOQT7WD1SAOM 1
PSHZ73VLLOAFB 1
RaspberryManualViewer 1
RouteMatrix 1
SSDOptimizerV13 1
StreamCoder1.0 1
Tropic819331 1
UEFIConfig 1
UtopicUnicorn 1
VHO9AZB7HDK0WAZMM 1
VRK1AlIXBJDA5U3A 1
VirtualDesktopKeeper 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
239[.]255[.]255[.]250 4
43[.]231[.]4[.]7 4
157[.]240[.]18[.]174 4
69[.]55[.]5[.]249 4
85[.]114[.]134[.]88 4
217[.]172[.]179[.]54 4
5[.]9[.]72[.]48 4
130[.]0[.]232[.]208 4
144[.]76[.]108[.]82 4
185[.]253[.]217[.]20 4
45[.]90[.]34[.]87 4
104[.]47[.]54[.]36 3
157[.]240[.]2[.]174 3
204[.]79[.]197[.]219 3
104[.]214[.]40[.]16 3
83[.]151[.]238[.]34 3
173[.]194[.]207[.]103 3
173[.]194[.]207[.]106 3
173[.]194[.]207[.]147 3
23[.]5[.]238[.]97 3
104[.]31[.]82[.]101 3
173[.]194[.]207[.]104/31 3
172[.]217[.]12[.]142 2
172[.]217[.]10[.]100 2
40[.]112[.]72[.]205 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 4
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 4
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 4
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 4
249[.]5[.]55[.]69[.]in-addr[.]arpa 4
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 4
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 4
schema[.]org 3
vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net 3
vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net 3
ip02[.]gntl[.]co[.]uk 3
msr[.]pool[.]gntl[.]co[.]uk 3
easywbdesign[.]com 3
native-vita[.]np[.]ac[.]playstation[.]net 3
misterysnith[.]com 3
www[.]amazon[.]com 2
www[.]google[.]co[.]uk 2
www[.]sendspace[.]com 2
api[.]sendspace[.]com 2
a2047[.]r[.]akamai[.]net 2
www[.]tiktok[.]com 2
e17058[.]b[.]akamaiedge[.]net 2
cs11[.]wpc[.]v0cdn[.]net 1
authserver[.]mojang[.]com 1
www[.]google[.]com[.]mx 1
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 7
%SystemRoot%\SysWOW64\config\systemprofile 4
%SystemRoot%\SysWOW64\config\systemprofile:.repos 4
%System32%\config\systemprofile:.repos 4
%SystemRoot%\Logs\CBS\CBS.log 3
%SystemRoot%\rss 3
%SystemRoot%\rss\csrss.exe 3
%TEMP%\csrss 3
%TEMP%\csrss\dsefix.exe 3
%TEMP%\csrss\patch.exe 3
%System32%\drivers\Winmon.sys 3
%System32%\drivers\WinmonFS.sys 3
%System32%\drivers\WinmonProcessMonitor.sys 3
%TEMP%\Symbols 3
%TEMP%\Symbols\ntkrnlmp.pdb 3
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02 3
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 3
%TEMP%\Symbols\pingme.txt 3
%TEMP%\Symbols\winload_prod.pdb 3
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361 3
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error 3
%TEMP%\dbghelp.dll 3
%TEMP%\symsrv.dll 3
%TEMP%\csrss\DBG0.tmp 3
%System32%\Tasks\ScheduledUpdate 3
*See JSON for more IOCs

File Hashes

0eecee054fb7353dbbc46abdde39705b787b19d15236c1959df09c4aee53e46d 189e9a0a7cfb69251188cdee33dee987752cc1ff1cae2a9e5a9c6b67a7f4e01b 1b0587f0a67108ab5c4cda0d4b25da6d4084c24e6f005dd2faf6945497fd5cad 21486d7b3ecb4b900855c395fbd00aad8076a233957ed319fc6ba6a903f43193 222a56d032717796fe1cc98c780aa319e921c3f484770f3f0d9144bbbbe11af9 25047ee6a23764e967726cc98596f8ccc5fc6dd4104f11dcb9a8ea1869774db2 3e87bbc2473de7e078c0a74e7b44a9984fc448e429f10c5815509c9707767678 431573008621cebbd01b2a7e02adf3bf55aa120ac2487a6e8a19c511117c3f95 450c6ae581e0e308ab64d7cffc0d5cbd8e212d0bb29a2bc12201d64d2bdd0cd2 6accb2d39874712672ab43ee45b3ef857e2df49fd823786aa73dbd27121486b2 7e18ce3262edaaf4f162489b2aad41cebae59b5c160e0b008e42da0496b19326 84813a9c909a9863aa4338b52404044dd254d4bacaa1dd8eef9d39d5986860f1 aafbd788d26335b0826ead6bed529b8210b2987e02f478b20869c65a1cf47a1e ae7c9bc81e420d9a01086354756e62c04bc3310b8fb416fe84586286851d4849 aec65175cff3ab312146a5c4b8862e9b42b2e1a5fc2141c268c71df0e8c57a39 c6d07979e447e848397428109cdec18ac3b9f7abd85ba60a4da18c09c2eb4339 dc78903b9a7713bb20d4c283051c1bc956807fc4278d6bde180052509126fde6 e3888e50d083eb9735a1b64f7036df96cc3eff11431d2d2d3d206a815656feb8 e977164f572608f080e792ceda605a6f93e0d6d4371f9a9b9c0142da9a166ea3

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Remcos-9802952-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\100GT6LMW5 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Rrfk
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Uenp
2
<HKCU>\SOFTWARE\-05483U 2
<HKCU>\SOFTWARE\-05483U
Value Name: exepath
2
<HKCU>\SOFTWARE\-05483U
Value Name: licence
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ubpk
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\5RL776V9TH 1
<HKCU>\SOFTWARE\REMCOS-EQUZJ7 1
<HKCU>\SOFTWARE\REMCOS-EQUZJ7
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-EQUZJ7
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Xfyu
1
<HKCU>\SOFTWARE\REMCOS-6OIDK4 1
<HKCU>\SOFTWARE\REMCOS-6OIDK4
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-6OIDK4
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Puag
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Lneo
1
<HKCU>\SOFTWARE\REMCOS-85Q2ZF 1
<HKCU>\SOFTWARE\REMCOS-85Q2ZF
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-85Q2ZF
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Edcv
1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-Q8G3TQ 1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-Q8G3TQ
Value Name: exepath
1
<HKCU>\SOFTWARE\MICROSOFTWNDDDOWS98-Q8G3TQ
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ekdq
1
Mutexes Occurrences
Remcos_Mutex_Inj 6
-05483U 2
- 1
Remcos-EQUZJ7 1
Global\a9f2cbb1-36d7-11eb-b5f8-00501e3ae7b6 1
Remcos-6OIDK4 1
Remcos-85Q2ZF 1
microsoftwndddows98-Q8G3TQ 1
Global\cf0bf671-36e0-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
162[.]159[.]135[.]232/31 6
162[.]159[.]133[.]233 5
162[.]159[.]138[.]232 5
162[.]159[.]130[.]233 4
23[.]3[.]13[.]154 3
162[.]159[.]134[.]233 3
23[.]3[.]13[.]88 3
185[.]140[.]53[.]129 3
79[.]134[.]225[.]75 2
67[.]217[.]34[.]36 2
162[.]159[.]129[.]233 2
162[.]159[.]128[.]233 2
205[.]185[.]216[.]42 1
79[.]134[.]225[.]76 1
198[.]136[.]51[.]123 1
216[.]38[.]7[.]231 1
162[.]159[.]136[.]232 1
162[.]159[.]137[.]232 1
23[.]46[.]239[.]18 1
154[.]127[.]53[.]33 1
23[.]227[.]38[.]74 1
154[.]219[.]109[.]117 1
194[.]5[.]98[.]14 1
37[.]139[.]64[.]106 1
193[.]112[.]252[.]5 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
discord[.]com 9
cdn[.]discordapp[.]com 8
ctldl[.]windowsupdate[.]com 8
a767[.]dscg3[.]akamai[.]net 7
digicon[.]com[.]mx 2
shops[.]myshopify[.]com 1
cds[.]d2s7q6s2[.]hwcdn[.]net 1
style[.]ptbagasps[.]co[.]id 1
insidelife1[.]ddns[.]net 1
efiigbo9[.]duckdns[.]org 1
uzbektourism8739[.]ddns[.]net 1
waxb[.]ddns[.]net 1
export[.]zapto[.]org 1
www[.]longhuixiang[.]com 1
graceland777[.]ddns[.]net 1
www[.]cnyxcb[.]com 1
www[.]hklangbin[.]com 1
airseaalliance[.]com 1
www[.]jiyami[.]com 1
Files and or directories created Occurrences
%ProgramFiles%\Microsoft DN1 3
%LOCALAPPDATA%\Microsoft Vision 3
%TEMP%\DB1 3
%APPDATA%\remcos 2
%APPDATA%\remcos\logs.dat 2
%LOCALAPPDATA%\Microsoft\Windows\Ubpkdrv.exe 2
%LOCALAPPDATA%\kpbU.url 2
%LOCALAPPDATA%\Microsoft\Windows\Rrfkdrv.exe 2
%LOCALAPPDATA%\kfrR.url 2
%LOCALAPPDATA%\Microsoft\Windows\Uenpdrv.exe 2
%LOCALAPPDATA%\pneU.url 2
%APPDATA%\84158DQ4\841logim.jpeg 2
%APPDATA%\84158DQ4\841logrf.ini 2
%APPDATA%\84158DQ4\841logrg.ini 2
%APPDATA%\84158DQ4\841logri.ini 2
%APPDATA%\84158DQ4\841logrv.ini 2
%LOCALAPPDATA%\Microsoft\Windows\Ekdqdrv.exe 1
%LOCALAPPDATA%\qdkE.url 1
%LOCALAPPDATA%\Microsoft\Windows\Xfyudrv.exe 1
%LOCALAPPDATA%\uyfX.url 1
%LOCALAPPDATA%\Microsoft\Windows\Puagdrv.exe 1
%LOCALAPPDATA%\gauP.url 1
%LOCALAPPDATA%\Microsoft\Windows\Lneodrv.exe 1
%LOCALAPPDATA%\oenL.url 1
%LOCALAPPDATA%\Microsoft\Windows\Edcvdrv.exe 1
*See JSON for more IOCs

File Hashes

17ce305b1d7dc60edc0264f667fe3240748b1df6afbe52311b8cc4da4940b6a2 18ef79513b6dc4d43f4f82eafe8f959e28241d9f59014455e8d41ed46bc4af01 26a87111706cea17c6c109529a0f0b88b6608674bdee40a5f22c36660c1b7d87 2973998f22457af15ac0f1a3833eaf90d4b903b66ffc8c7ef5a8805118928f8b 2ab935432fa967a19d4032a45858b90881ebdb5e509a3b750ebe824e4726301a 4e2aa3d570b2e8c60bcd80195037ea40236d0bc3d4179aed6adca240523667f3 59c12ee8b180171de9dd2a94274240b0e5c905c81f3fc9af50ca2bd0407dbf3a 5c06343836eaa10ed0250933b91b96c8a2700235a137752fc44ee0bdc00e2ac7 7c9e7b4737e7924b3ae4e319b8fe471001328703e7408532050ab0371af8a8d0 9eb32ce490c4ef9d5bc0759534b299814e90573df8db73efcae24afe30ab99e2 b40353ee592318cf135892467a2b0dd534737c35cf18aca8fd52535776757aa7 c0a1e8abafb7bb3a59400123502c57f4b5fabbe886ddf1064a785261704bd157 d777254c6eee49e645f44e29d7b7b428c00511387ba18910b9ab7237f22f04c2 d7a010fb8a426b4f7fe0a79398d16f783d93fd369325284e69c572ee691d7e73 dfa55212542ed697d1dba24d643315d5b3b3cbd659b68a11f9174a68fdaf4cf6 eea78aab7fd56e8f2fe565d66dc622c0b0915214916fac9bf5da42aa37001b7a ff23e674f9d6ddaed90d3302f5bf2321e651aeb31b878f19d15f81f528a5e2e2

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Trojan.Razy-9802759-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
1
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\AUTOENROLLMENT 1
<HKCR>\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
Value Name: LanguageList
1
Mutexes Occurrences
QSR_MUTEX_dQvCIzmEBFgxmMuIEE 6
3749282D282E1E80C56CAE5A 2
9DAA44F7C7955D46445DC99B 2
1heU2UYKCvvVebV1cCysANqKqmHvG7Hq3.00 2
Windows Update 1
689fde1a38506f17232d 1
AsyncMutex_6SI8OkPnk 1
Global\37e3c740-2f39-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]95[.]112[.]1 6
185[.]157[.]161[.]109 4
185[.]157[.]162[.]81 3
114[.]114[.]114[.]114 2
1[.]2[.]4[.]8 2
173[.]194[.]207[.]113 2
173[.]194[.]207[.]102 2
194[.]58[.]200[.]20 2
185[.]61[.]148[.]26 2
45[.]153[.]186[.]90 2
173[.]194[.]207[.]100/31 2
173[.]194[.]207[.]138/31 2
213[.]227[.]154[.]174 1
209[.]59[.]188[.]68 1
172[.]105[.]121[.]115 1
213[.]226[.]119[.]226 1
180[.]235[.]148[.]26 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip-api[.]com 6
yz[.]videomarket[.]eu 6
0 2
ntp[.]se 2
sdns[.]se 2
maxchris[.]wm01[.]to 2
googleforshares[.]publicvm[.]com 1
alahlasi[.]com 1
www[.]promoweb[.]co[.]id 1
xyz[.]videomarket[.]eu 1
25e9ca102fbf458c824b3470b19eb940[.]se 1
73d56949a6e23ccbfd8048a11df603a0[.]se 1
9d0ba0c1ce6e45fd88374fb98ea72300[.]se 1
cda08c1ab88d515296a2184a9f624b54[.]se 1
d3cfc82a1e3d30f0f7a300be637bbce2[.]se 1
0a76aee110a5af1b9dcc07b25bf6f6be[.]se 1
46bb0e88a441c403bfd63624a90d3327[.]se 1
5b7e3e64e9c88c6969bb03620e2c9685[.]se 1
701e5f7af5b7df7d911c31e4539712f2[.]se 1
d2407d8f1c03e4afa2fe9efcafc21d96[.]se 1
promoweb[.]co[.]id 1
Files and or directories created Occurrences
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 9
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe 7
%APPDATA%\Logs\12-04-2020 5
%APPDATA%\D282E1\1E80C5.lck 2
%APPDATA%\7C7955\5D4644.lck 2
%APPDATA%\Logs\12-01-2020 2
%ProgramData%\rliQSisJaf 1
%ProgramData%\rliQSisJaf\cfg 1
%ProgramData%\rliQSisJaf\cfgi 1
%APPDATA%\7C7955\5D4644.exe (copy) 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\App Update.vbs 1
%APPDATA%\Logs\12-02-2020 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cviqw.vbs 1
%APPDATA%\fgbpq\emqkp.exe:ZoneIdentifier 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nmkjq.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wqbb.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\kloqp.vbs 1
%APPDATA%\qsxbq\rqtpl.exe:ZoneIdentifier 1
%APPDATA%\lktq\jqft.exe:ZoneIdentifier 1
%APPDATA%\rtqgb\ernqm.exe:ZoneIdentifier 1
%APPDATA%\Logs\11-25-2020 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nmqp.vbs 1
%APPDATA%\dfghq\polvq.exe:ZoneIdentifier 1
%APPDATA%\Logs\11-27-2020 1
*See JSON for more IOCs

File Hashes

03d4ed1373cdce6391f36f37b184013f9da419af50eacbb174a1cfab2bd35fca 050e1607a2f0a09c41b618cda2e002061ee13abcbfb2dcd1c2a5a16148cc8ec8 23ed6ef7aec39fbc37b613e5ad3611a84ba1facc92489ed818dcc72bee129022 2f94645d28817c56c208136d20e5ead89e5d0ef6626828cd1282c4c7e77ba68f 42bce47fdbd23c02eebf406de09e04f029347d4b8c05a7d728e8b8149533fb4b 45a2efb593e6218fc36bd00c397a358b180d20b743ae9430074fb29664013c82 57388e40955da2809368e790832808c499ac7c2a712c118b32698c8eb60eaa0a 5f16bdc7ec568e24dfa4dc9ee6e63d0a2886765319277ac20e0554ccdb093028 61a5d76fff337300b6ea55e5371e6e951b2e3eae08972e43e20b3c443945cc57 6970c715f79a9e9a61a24b90f8aa6da086f69bdf71e9a7e81ed5e4958000cb9c 6b1cda0ebe4790dd8f97271a43ab39cf60516546388f11eeeab13fe226e8349d 72059ace4818aab4e44f27c08b16914c773f9b91a5db14c889f6a8a893e016be 730aed50f3cbff66987900b169e00c3318208044d402b6226d729a6ffe75c6f2 7f3e5e8e94217110c158eb909a519c8878da9b887267e028454948d4b9a52ca6 b3e1f3ed2ed33bd4d98232515b01f134dc62f5b2a440d8ed9abb9a163b2afcad c31092a2440d07fa42015a132cab105a258d88cd33a87799bbcaa85f165bc716

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (3874)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Dealply adware detected - (3222)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (2138)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (1862)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Installcore adware detected - (1335)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Squiblydoo application whitelist bypass attempt detected. - (962)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (896)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
A Microsoft Office process has started a windows utility. - (700)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Certutil.exe is downloading a file - (609)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information. Attackers can use this utility to download additional malicious payloads.
Maze ransomware detected - (492)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.