Friday, January 22, 2021

Threat Roundup for January 15 to January 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 15 and Jan. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Malware.Gamarue-9822361-1 Malware Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Dropper.Emotet-9819661-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Razy-9820161-0 Packed Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Glupteba-9823368-0 Dropper Glupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency and also steals sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.
Win.Dropper.Gh0stRAT-9823051-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Packed.Ursnif-9822598-0 Packed Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.Phorpiex-9822236-1 Packed Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including malware to send spam emails, ransomware and cryptocurrency miners.
Win.Dropper.Shiz-9820582-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.

Threat Breakdown

Win.Malware.Gamarue-9822361-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xplorer
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412
26
Mutexes Occurrences
2562100796 26
lol 26
<random, matching [a-fA-F0-9]{10}> 17
<random, matching [a-zA-Z0-9]{5,9}> 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
184[.]105[.]192[.]2 26
40[.]70[.]224[.]146 26
204[.]79[.]197[.]200 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
bighecks[.]net 26
imageshells[.]com 26
sonic4us[.]ru 26
www[.]yahgodz[.]com 26
www[.]update[.]microsoft[.]com[.]nsatc[.]net 17
Files and or directories created Occurrences
%ProgramData%\Local Settings 26
%ProgramData%\Local Settings\Temp 26
%SystemRoot%\xplorer 26
%SystemRoot%\xplorer\xplorer.exe 26
%TEMP%\DULKA.bat 2
%TEMP%\DULKA.txt 2
%ProgramData%\Local Settings\Temp\msmfhbsi.exe 1
%ProgramData%\Local Settings\Temp\msuzuva.scr 1
%TEMP%\GYXTV.bat 1
%TEMP%\KYAYM.bat 1
%ProgramData%\Local Settings\Temp\msfvoiuh.scr 1
%TEMP%\VHIFO.bat 1
%TEMP%\GYXTV.txt 1
%TEMP%\KYAYM.txt 1
%ProgramData%\Local Settings\Temp\msumio.bat 1
%ProgramData%\Local Settings\Temp\msumay.bat 1
%TEMP%\VHIFO.txt 1
%ProgramData%\Local Settings\Temp\mskoik.exe 1
%TEMP%\TKTQL.bat 1
%TEMP%\TKTQL.txt 1
%ProgramData%\Local Settings\Temp\mspvrxhaz.pif 1
%ProgramData%\Local Settings\Temp\msvmff.bat 1
%TEMP%\QVBCA.bat 1
%TEMP%\QVBCA.txt 1
%ProgramData%\Local Settings\Temp\msuonxo.com 1
*See JSON for more IOCs

File Hashes

01f8a8399128c5b1d28eede66c8210158f953f7532524b11820b4594fe6c4cec 02f890529e7942d8d5bf33526ebf2c7d8e6ea00310788bf0da4c922b66b594f3 03dbdcaafdbfa79bf07cc9f0cba701ac89cee816d5a5f013f25d7d9a50d7224c 0486801679b5488d2556996b3fc1c900c138b4be494e8ff167032a89b0ecbd75 048baf0600337726cbe3815515e26ca82349b3c82509fc9838baa3637fea1ae3 068f4c0583760f38e9cedbc7ee92e91384f0f150a7ef3265bc68ad43ed80c5f4 06efe814f821332baa047cfeecb508cadab64851cbbbe9c185343b41495a3630 07167a347491626ab171146a9e9dbf34454801a8a4fed9bcbe933270ea07a53e 0bfb3204d85a15a07f33a48f34ce0e1ce8be9a9051bb4196328623ac7a29c801 0caa88ca9f821cb27ebe21b969a837e7f4ce980c1f4e7c5eb51270d4c7c001d0 0cbffe42fc4dd07010aa7e11b6be649ea5a1b293dc89e6f98fc09dbadf67a407 0cc7c0df4318fe19510aacb9bb78d9d4fb0c99ff94ec91458173e68d4938971a 10e505aabb88b4ce4b1c05bb340f8b1db6106ee345ea5185b9eab64210e6c584 124628ded8f4114e9fc9a3c22b1c390a0f394f088eed97fde8613ec48c28bda3 15b52199c11627a7b2e1a6661eb8dbb2d31e61b4537c7b18755f7cc0d09ebc31 164d62604d8bb25d1220c809d677525fd00a60c6cf82675054092226a24fba26 16aa82f354d76edaf3317f4efb46782903e51c1d1a443c223f931d06be859a0b 188cf44de4a38c5d5585a9709e5c2598b1375a767b4b2117e884dc2e9f4d30e9 199e7c04d6edce300bc3d12cad2b8177802c26d8a88976ad44e050f64dbcdcf6 19ead9df01b119e294175718da3774fed231d0991166e109537706483a9a88ab 1acda0f7a53c1ab932ff0338abfdc7d6a6693de7631e9855eb4f40d1fe68a720 1b0151a88f27b1b709156ee879c976b22dfdc3ceb3d99dc471b454bbe0c581d9 1b6208ef89b18822e68d710072dc7c3193564965e367dc6d9a297a8071fd7b60 1bffb381f69821c5fb15955cce5be6e0e27514d02689e6927bdd2bfbc255157e 1ef8abe756a5a48387d8d2a4bbef08ef019ace1a401242c8e3ec5d1a1ab847b9
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Emotet-9819661-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 152 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EFSUTIL
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIDIMAP
Value Name: ObjectName
2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
167[.]114[.]153[.]111 152
107[.]170[.]146[.]252 152
173[.]212[.]214[.]235 152
67[.]163[.]161[.]107 152
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 25
%SystemRoot%\SysWOW64\Nlsdl 2
%SystemRoot%\SysWOW64\nci 2
%SystemRoot%\SysWOW64\sc 2
%SystemRoot%\SysWOW64\certcli 2
%SystemRoot%\SysWOW64\FM20 2
%SystemRoot%\SysWOW64\efsadu 1
%SystemRoot%\SysWOW64\RegisterIEPKEYs 1
%SystemRoot%\SysWOW64\mscms 1
%SystemRoot%\SysWOW64\cmdial32 1
%SystemRoot%\SysWOW64\panmap 1
%SystemRoot%\SysWOW64\scansetting 1
%SystemRoot%\SysWOW64\WfHC 1
%SystemRoot%\SysWOW64\mfc100u 1
%SystemRoot%\SysWOW64\SortServer2003Compat 1
%SystemRoot%\SysWOW64\KBDBASH 1
%SystemRoot%\SysWOW64\srdelayed 1
%SystemRoot%\SysWOW64\uudf 1
%SystemRoot%\SysWOW64\mfc140enu 1
%SystemRoot%\SysWOW64\user 1
%SystemRoot%\SysWOW64\NlsLexicons0045 1
%SystemRoot%\SysWOW64\UIAnimation 1
%SystemRoot%\SysWOW64\NlsLexicons0002 1
%SystemRoot%\SysWOW64\scksp 1
%SystemRoot%\SysWOW64\UIRibbonRes 1
*See JSON for more IOCs

File Hashes

04033b229a532d262f40847451bdf88944dcea9094e9782d001746546f8f882f 042567cd87aca21be5e1c9d23ab0b71b4a28a097614d13ed4d0632b86e2723bc 0446234f51478885c0ea7466f1bdbe890f6e79e1b1809b24d6e7d495e67add68 058b5b233e2ac83eb43a49953e521080ce6bfa76eb6e4e1ec9578481a777050e 06d85e7f38185289a1ea5c1511a5da13caea9bd7b4296483266e4261c65d00b6 073d5f13263f2a414f53cbee397418eacaa4bc13f58585ff3809408dd193f156 09c62eb183d49de9cfae559863b9892a266735e214b87bd5baa74bd6c60b2e1d 0c017ed3ee4a674ba340af267c692f4ed9fdadbfc2ea8e4568d3b7fbb976b0b9 0dd03cd9214d7af04202bbf2530f1496475bf9396ac2df8b786bdd289adcf8c0 0e7f80a3c621b8e20ccda1e2bd25870d18df7c359a61a0b02cdaaf1a2e40c4df 0fd6e3796c344274b4dd0e1a28e6ea4f18d40e5c5ba3d8184fe0feaa8a55b370 12ea3c5c12633413df9c6c7ee1e86c2253e115612bf05ea1ad5560fadd133aff 15ebd5cfbf0ad534d97801356043cd8d5be4f80fc1390ee047f6d10565fc4748 16f7618dc5e2f9dfbe22a8d41ee60b45467cf5c099b4eeed9713f0bccdfe04b9 17e746fa255fe60c105abc3d21a208cf3e1d75fa1efc7c609b6cf8d11e16578f 1d271cee065d6acecb5cd6870c60a26aead6bf34d978b3f776e2e6f0ed091c98 1ee1a466e0333c7af9ee349bdf6b2d254178f71efbf3527cfffeedc19a54c0b7 1f1ffa5f10b3b7d290a73909cd730ff458053d04dafd004da074c853f087d2c2 20a6ba715e5eac60a8169e043c5d7ed7e9d6009ed57d8782e1f1444dae18b227 20c47cb69a1de3feb425ea1bc96490b21bd78470abc39b435fa736613a8d90da 21f76b8535adcf9a046aef8ba456f4a2fa24f3426baa820934d8b8907143e862 27268a4fdb4a941ffb4523ea1d7e32a471a0e0039efd5fa4f1b05869a186351a 2c70d66f5f6017094c1ba7cca82628ee4fc1ae4702196e19f0c1e8b946a092c2 30380d64e534ee0fb31ab09225d32b6b81c7bdcdf83758467abf90a820deceff 30b312ae7200b384bc029c84bcf72ec99674e0d5ec35424abda1768b06133999
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Razy-9820161-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]67[.]144[.]180 15
104[.]21[.]73[.]114 14
172[.]64[.]98[.]15 13
172[.]64[.]99[.]15 11
82[.]57[.]200[.]133 1
104[.]47[.]12[.]33 1
93[.]17[.]128[.]123 1
211[.]231[.]108[.]175 1
204[.]79[.]197[.]200 1
72[.]21[.]81[.]200 1
23[.]3[.]13[.]88 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
adf[.]ly 25
cdn[.]adf[.]ly 25
chinnica[.]net 25
zipansion[.]com 25
ctldl[.]windowsupdate[.]com 1
a767[.]dscg3[.]akamai[.]net 1
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes

04d45d8eedd184c551811b516977fade6d877b016072729705c980155f33d922 0c9d5c04884fea0d16c26860149d05f253a5349bc8af2a118698e336506c70e8 0dce4e7c9573bddd33ee69bb8a4e3f1032ae8e756d652a54c69e68b737762d49 14acc1504d9d1eb08f0a86a3d8c272980f8da5833ba089f7b348ef41a077f8dc 18584cc26b3b765d08c3e523a0709936fe0bc1776eda954816fb535524a46163 1b1f572401d46816de5bd692d3df0884f4f0e4263ff1ac7e6fa03adc55a41bc3 25c566566f76d72ad90b483f5d805d3549df5be8c04a6e1474ca0db77e5803ab 260f32c8d955b30768e8954f12f1fe1af4d092f8f98dfdd4c62b97132e2c1a3f 2894691e2bc969e5121a699cad02aed2113ae6c9aa4d4b6681de7a09ef1bdd8b 2ca6a653b205e1f6a5fdecd3e0d750699b3228fc61f1b7e8150251b1b12bd0cf 306b96c1cf9299cf7f94339781e551d6ba20e487692d860a56b718ca9e7d7cb3 31b01fe91d78180d34010db576df412b228d804a4b13168def2578ed40d08c46 35d4f365dd723468924960844f432232f7632cb44bf499054a722a6211c3a83e 37f9c68b5ccd5719cc2f4208ba34187c8325d255c17e8f858790fc84612be358 3a685ad1d7153deef777bf3a5ce6ed1b17dec8b18cfd1b9d554697ea1f48f737 3ed6920a2bd765bc9c8e98834dc44e10dc8fb03de04b35d23e08783729f7c651 458c948688bf42dbec77605821210ced70219a4798f66dfb2ef79ae8cd795b50 46074942cd402bde983eae7cbbae2ce7d7510141fa2aba3c37881cf51a4b6438 476bbab48be0ff0c8b21e2a305f34514401b75566dadd141e9dae73d53018f74 490d5c59c351edf8c8dc2d26580fc1a066bde04cba3968fbb5609c38c746282b 4aef03ec4f83def30391fa4350d64b117acee50a307dc061d8f2e24bcb6361aa 4ba4644f8d4e16435cd3fcc9cdc6a97c115561fd496046cace2fefc6c8747969 4cb65965fbc3b5d5edf5d9b128b6441390174bc2936f884e9145bc9fae260208 4f781ec98089bc2855862f506720bce9db1034b7f88539edc99b661f035c409f 51ea497a4e29434d2b9a391647634e7e6685760f4022f1091be5ef6621374307
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Glupteba-9823368-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKLM>\COMPONENTS
Value Name: PendingXmlIdentifier
10
<HKLM>\COMPONENTS
Value Name: PoqexecFailure
10
<HKLM>\COMPONENTS
Value Name: ExecutionState
10
<HKLM>\COMPONENTS
Value Name: RepairTransactionPended
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: Start
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: Firewall
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: Defender
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: Servers
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: UUID
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: CloudnetFileURL
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: ServiceVersion
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: VC
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: OSCaption
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: OSArchitecture
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: IsAdmin
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: AV
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: CPU
10
<HKCU>\SOFTWARE\MICROSOFT\TESTAPP
Value Name: GPU
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DisplayName
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DependOnService
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DependOnGroup
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\rss
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\EpicNet Inc\CloudNet
10
Mutexes Occurrences
Global\SetupLog 10
Global\WdsSetupLogInit 10
Global\h48yorbq6rm87zot 10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
206[.]191[.]152[.]49 10
192[.]35[.]177[.]64 4
72[.]21[.]81[.]240 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blackempirebuild[.]com 10
okonewacon[.]com 10
weekdanys[.]com 10
ctldl[.]windowsupdate[.]com 3
cs11[.]wpc[.]v0cdn[.]net 3
apps[.]digsigtrust[.]com 3
apps[.]identrust[.]com 3
Files and or directories created Occurrences
%SystemRoot%\Logs\CBS\CBS.log 10
%SystemRoot%\rss 10
%SystemRoot%\rss\csrss.exe 10

File Hashes

06d9df7141ce79feeeff9ec051027f7099171a96c145096855a4772bd817b890 125652c0bb4a721b086d839ec436e06c0d1470441c75677312c25f6f04fc8e18 26633accc1881d2318f734ab2161b913faa8aa431237b73f82e2059aa87cf241 3c09a10baacfb2dd824537ac7e01354a3570f162f9bc5c12b3894b93f11852c1 56da3fd7b8ef98673d012f8124818a3dbf29ca675dc15819f76a310d82ec6d55 866048b15248f01eba97cd7dd842a77feccf06c4ef6054ec2ef7de3f6cddaf1a 9c55e6d9ebe82cb655b518dd8ae850f1246f56925050bf888b789476579ec072 a2dfc6213d5f71798e7d3c059bf38b5206a1f3c33d6f1692f43f4ed76dacb445 ceb57f9ee3d3116b529a59a7c50cc8c8695bd18af6008f2abb232ec222c3eaf9 f47a45c4d1c1948ce4bf7ee0972df1a8520477faa3f6c306e86b4648a5afcc54

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Gh0stRAT-9823051-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: D2A58B8C
16
Mutexes Occurrences
bibo9.8800.org:52099127.0.0.1:2012127.0.0.1:2012 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
46[.]82[.]174[.]69 13
93[.]46[.]8[.]90 6
8[.]7[.]198[.]46 6
59[.]24[.]3[.]174 4
204[.]79[.]197[.]200 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
bibo9[.]8800[.]org 14
Files and or directories created Occurrences
%System32%\Tasks\At1 16
%System32%\Tasks\At10 16
%System32%\Tasks\At11 16
%System32%\Tasks\At12 16
%System32%\Tasks\At13 16
%System32%\Tasks\At14 16
%System32%\Tasks\At15 16
%System32%\Tasks\At16 16
%System32%\Tasks\At17 16
%System32%\Tasks\At18 16
%System32%\Tasks\At19 16
%System32%\Tasks\At2 16
%System32%\Tasks\At20 16
%System32%\Tasks\At21 16
%System32%\Tasks\At22 16
%System32%\Tasks\At23 16
%System32%\Tasks\At24 16
%System32%\Tasks\At3 16
%System32%\Tasks\At4 16
%System32%\Tasks\At5 16
%System32%\Tasks\At6 16
%System32%\Tasks\At7 16
%System32%\Tasks\At8 16
%System32%\Tasks\At9 16
%SystemRoot%\Tasks\At1.job 16
*See JSON for more IOCs

File Hashes

13df9992d6e6fe8036b1e845e2b2bbdb50b01da05729539ec3be0c8f53dfb0b5 24751197156db914632faf39cd3576fe424ae62066511913527d387911a7aef5 431f09d47a816962472a9abc837c1470c0a3d6b784055d00ca92b1b40b55f858 61b5124d0fa3c8ddf2cfb9a5f247b0cf341ad482e0fab28885503bde77079017 628de41c6b6360d7094668772ddbaa1f43ad307af11ce48df0b16b7534734b23 6310af293d55a79e8383c100817438bea5fe4d2a60e6997a691f8c2e5356e467 6ac10d1df0b6f2cdd5822ef744c0104589cc0f1955acc8ce372d85f074cb024b 6fca7bcf1e375a7bebedeee98cade309514ca13e1bf3aa94c40033fe8900c077 92132cb2d69259137e59e7f965f046e55036573dc0a4b189de792a4e3a03a701 9d0cca1ed883ca2dfd208f615b5c1f4432c16a8783617d1ca950fbfc10749b8b cb0c16c882d62f6cad080cfd8cb6375d87f622459535ce26af484d3ef84a7cd3 cdce1a94b0b147e97fb1a2dbd2aa45f8750b93e70d428326bd9258c1cd8249b3 d25dd1615c89f5ad58ae6dc5006dda09b765d075cc477b101af55b9b86618436 e2a92f3dd853fc48f047db8991ab729b29b8e2fe696f1be11d49794fd827344f f4d8bebe6fc9e507d065f6c3e8c1a3b1f40a7348c71d3bd85fc4c5b4d1c3b6b7 f89bc1621186750839f3008f27b46675294548db40437cd4320502767ed6d286

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Ursnif-9822598-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: appmmgmt
9
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Install
9
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 9
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client
2
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}
2
Mutexes Occurrences
Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 2
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 2
Local\{B1443895-5CF6-0B1E-EE75-506F02798413} 2
{EF12DD09-8223-F98C-0493-D63D78776AC1} 2
{7FD64DD2-D271-0967-D423-264D4807BAD1} 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]3[.]13[.]88 1
13[.]32[.]204[.]108 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ctldl[.]windowsupdate[.]com 1
a767[.]dscg3[.]akamai[.]net 1
Files and or directories created Occurrences
%APPDATA%\ds32mapi 9
%APPDATA%\ds32mapi\dhcpxva2.exe 9
%TEMP%\<random, matching [A-F0-9]{3,4}> 9
%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat 9
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\prefs.js 2
%TEMP%\670A\B385.tmp 1
%TEMP%\63A0\B1D0.tmp 1

File Hashes

2f3cb6e466450f645061c75730a70cb8111c579a6d578fdea0026aee50db6ce3 3a82fa6807b0a46b6bd883ad8a6305e8bc93d5c3af5cf4f63dcc09363a7e889a 769ea181377b47f6c71d646acfd58922601cf3f158e49d96171b4cd9a8ab4fdc 8621ae3915fc78b6daef9c12b88ca107fa808d93e12c3f1b2377abb46e7b3176 8ca63b2779dd2b7c93391d1fbcd5c56da3f5c44ad3ce1d3ad64532695f4fa1c3 8e1ac4b92067a57158483f2dceaedc386499329e098528911daf6b129369efdf 99327fba0db5e7a034387f7c19c337c8812cbf02dfa0bc27519fba4a450cf2a6 9c1ba9a534dda738f3fd1499240df80f63ddfe62c0ea97d8ecdf085477cbb5a8 9d6beb3573db73215be4fa6e6641eb1d8fb187ea100d7ffeccdea11bf51bd842 a4961c7f77ddfb7e78b6e9acfcdca8e494f9027f10ac7f13597d9dcd10361b60 b7ea09b82306c0b05c4615cc5cdd6402da23e0eea185a9d4658e0d48b24705db b9c938f8d29e97ecce00aab84a665429a1029860e8da88b51650e0e59e42bbe1 cf69fd3af520b93bf9274a751b01a0df42dc6faadf590e1f217641842dd14c26 d24b61c315655532b4e5b673b96f4001501ed71f4a03fc5fe155276907a164cc fe978efbc54492d3176237331cb03d80d586598de406734869816a0387612bae

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Phorpiex-9822236-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client Server Runtime Process
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client Server Runtime Process
9
Mutexes Occurrences
732908 9
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
217[.]8[.]117[.]63 9
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
tldrnet[.]top 9
Files and or directories created Occurrences
\autorun.inf 9
\.lnk 9
\__\DriveMgr.exe 9
E:\autorun.inf 9
E:\__\DriveMgr.exe 9
E:\.lnk 9
E:\__ 9
E:\__\$RECYCLE.BIN 9
E:\__\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500 9
E:\__\System Volume Information 9
%APPDATA%\winsvcs.txt 9
%SystemRoot%\10281458018072 1
%SystemRoot%\10281458018072\csrss.exe 1
%SystemRoot%\327498128152\csrss.exe 1
%SystemRoot%\272621964016696 1
%SystemRoot%\272621964016696\csrss.exe 1
%SystemRoot%\24095125919906 1
%SystemRoot%\24095125919906\csrss.exe 1
%SystemRoot%\22260349617408 1
%SystemRoot%\22260349617408\csrss.exe 1
%SystemRoot%\47992656222503 1
%SystemRoot%\47992656222503\csrss.exe 1
%SystemRoot%\52102595520262 1
%SystemRoot%\11127220823420 1
%SystemRoot%\52102595520262\csrss.exe 1
*See JSON for more IOCs

File Hashes

0bdffe7adc8fdb16db25352710f590560edf95e483597344cca8b35de5de32a2 1f2e2a79d69375b3846d93d45e8a5164e96c040c61ff8a181c92692baae2d436 25f867b8065165d7876adb29673ac78be2a731ae82b9ea57eb54ba6479bc642e 423f21debf9ccda6c203c08576379dead36c4a924571e318b36252d30ee3883f 4705bd675993da759d200bd2f38f6cefff2ad274d6f1bdc3ec6ce2b42f178ab9 4b0acc58b534480e3cb8e3dd49972869bafe55fae4276fe624587aa637f0d9ab 5df7a4e9f7a7c3b92d3b33e69b8dcf6fed854af35ee92bba08d20153a99c7588 846142d98720c04da06e2f49b821aa13911994e090303c6341d9cf175907e20c 86e2c64fb877e239b374dec907a88ba26bc13ba0452815c87992c47260bd5835 a1416d55d63c92f4de2dcdff0b2a0844e63c9fbcae9697162e2b84116f6d7594 a36970e3e45e31e0beef7738b3721011769ce619da57a56d67e9238b7e1ed64d b5374834bee80eff7e91ee84bce0bcaab90e351dc6b6c6a4d9455208a516824e b83ffd64aa01efcb0225ca34ab373d5894bb0e45f4834c4371699b43142563d5 c3a006d446a4b2ac6ceeada6b3d0713b2278b8612a772465d8238fc1e1ce22e8 d593540f0973258af7105866440629e819c2b7c289b5a2c1d54061489b403f04 d7b20cfd8f56359cc75c2dc76f64cade78db95948e223f85179c1a6b89a89446 de4db37a016fa2aa100abb7909e7f414af49f503dca6d44f63700c7685d3f48e

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.Shiz-9820582-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
25
Mutexes Occurrences
Global\674972E3a 25
Global\MicrosoftSysenterGate7 25
internal_wutex_0x000000e0 25
internal_wutex_0x0000038c 25
internal_wutex_0x00000448 25
internal_wutex_0x<random, matching [0-9a-f]{8}> 21
internal_wutex_0x000002f0 15
Global\FDDD22EDa 1
Global\D3598D54a 1
Global\BB7B2AA3a 1
Global\CC568809a 1
Global\3D7AC57Ba 1
Global\A6F0F840a 1
Global\C01A9AE3a 1
Global\EFEF20A1a 1
Global\98641DF9a 1
Global\C441F149a 1
Global\8FEFC0C7a 1
Global\2F9AD72Ba 1
Global\A62B6E89a 1
Global\964B8B86a 1
Global\E411AEEa 1
Global\8311203Da 1
Global\2EEDBA19a 1
Global\A7E29BECa 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 15
35[.]231[.]151[.]7 13
35[.]229[.]93[.]46 12
204[.]79[.]197[.]200 10
27[.]86[.]106[.]68 1
176[.]9[.]119[.]47 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
vocumucokaj[.]eu 25
vocupotusyz[.]eu 25
vofozymufok[.]eu 25
voluzefexus[.]eu 25
vonupyfogiq[.]eu 25
vopepukaxej[.]eu 25
vopogakakud[.]eu 25
vopuqicyneb[.]eu 25
vowezacuryr[.]eu 25
vowucotyqyg[.]eu 25
vowuqykecij[.]eu 25
xubuvojajyb[.]eu 25
xubysaxywil[.]eu 25
xudevunymex[.]eu 25
xugutynyxoh[.]eu 25
xuguxujytej[.]eu 25
xugynajuquf[.]eu 25
xukafinezeg[.]eu 25
xukovoruput[.]eu 25
xukuqyruwoq[.]eu 25
xutekidywyp[.]eu 25
xuxehajexuw[.]eu 25
xuxetiryqem[.]eu 25
jenoqujumez[.]eu 25
ganovowuqur[.]eu 25
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 25
%SystemRoot%\AppPatch\<random, matching '[a-z]{6,8}'>.exe 20
%APPDATA%\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_768_POS4.jpg 1

File Hashes

00c473563ce34376d324afac03c61d4ff2076b671a2df25acc825d96376417e8 0982b8208f92f51a160370fc3475c6de221e74455faf915309df6d01f5fb2f20 0b7c4063292a0bc9d035465636f8417fc468cb9e8ca38bed8d46a3fd8c1c8c41 0eb073e3b66a04d3fa805ef712f394190b00935bd21673977aba2637e85388b7 0f71b63931c480c12dc226d3f754c0d2091b51b62ae3c803d014d96b7e9280c7 124c0496116cc46edc45efa8360a5b43bb6e1102918374ea40e29da9f1a67735 19371fc35c3e89e3b0a485a9453dff08fd0356fd73a6b21c88c1dabdfcb28cb9 1bcf2d24ef3069f25c5d303e074c69a93e9a18bc854e3a20eda27aa84f5b59e0 1d643a9ab964ab34859f78d44d749ce297d2b4dbeddd3e3a0f43c81ad3aa7ccf 2762a2927c19078805ebb2b86751877989aa4725e55b23d8319b08b2cde026e3 27b041ef98ed39451828822644eebaf1b89c3421369cd93f417744d913de418a 3159a77603da494478ba5662cabf468996f2b5aae2b07854438e3b9b5ca58767 315cce3d81b43f3bb453e91d4a1b87877bed233912c2e157046bb59835ffd62c 344454d280f746255dda85ea2275226065b8eb0866c91ebc628c0358361eb31a 3750fbfa977a766359b4ecf30bf72da2b7ebc1624c9409668ac841183ba5c869 435db88c61039253d8e05298a120733f83de926a9eb34ff90d62f7fa0c174c24 4b5bff1a9d4424cd617cb394a08a3eb1d20f84b4d0ef1fe23ba1885940a41f29 52947489871ad8e670c41ca32f2ecd9045faecba1896611f8d8108eb39a77ba4 5d8bc23fca419d528f2869e302ebafd47ac62afbcae50a2ad3662b1e7ea797e4 6c3c5b2d65c8808e938b1f265b34ecf3e79686d629e982485dea2572d85bd45c 76326d44d5ac13bf0ccedf39e0412ae4a4809bb42ea688ba48642d273bdfa630 76f40492306c010cd7a35ad7652606587eab614f8000f4d03103a99457911024 83495543ae0703ec8c02cba275692f8140c8d555cfa0eb9eb32157be0815fad6 86014cbfde27fbd34506e589f8d59745cc5f230e02abba5b63e42bbec25dc071 8c32553ee1d8606f9a1fff651f564f803e62aa2ae26ae94e9fa7726b7f44b793
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Umbrella



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (5760)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
A Microsoft Office process has started a windows utility. - (1248)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Squiblydoo application whitelist bypass attempt detected. - (667)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Crystalbit-Apple DLL double hijack detected - (568)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Kovter injection detected - (541)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Excessively long PowerShell command detected - (498)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Dealply adware detected - (390)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Gamarue malware detected - (143)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Reverse http payload detected - (120)
An exploit payload intended to connect back to an attacker controlled host using http has been detected.
CVE-2019-0708 detected - (94)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.