Friday, February 12, 2021

Threat Roundup for February 5 to February 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 5 and Feb. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Worm.Razy-9830714-0 | Worm | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Zbot-9830578-0 | Dropper | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Kovter-9829554-1 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Cerber-9829555-1 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Dropper.Emotet-9829584-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Dridex-9829614-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Worm.Gh0stRAT-9829943-1 | Worm | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.DarkComet-9829678-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.HawkEye-9829906-0 | Dropper | HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.

Threat Breakdown

Win.Worm.Razy-9830714-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
174.139.6.42:3204 1
M174.139.6.42:3204 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]163[.]56[.]110 23
174[.]139[.]6[.]44 23
123[.]126[.]45[.]92 23
174[.]139[.]6[.]42/31 23
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blogx[.]sina[.]com[.]cn 23
blog[.]sina[.]com[.]cn 23
Files and or directories created Occurrences
\1.txt 23

File Hashes

02a3f1471d35e500974a5c0b30150df7cc27c8e5bc3c13f03a36ec5755880de2
1c809dbc9f4283efbe0a37bce81f6c277906398ad4451e22a7a30bb9b661a1da
34cc5f14a6de79f130794f946911200cef9f4161d0f441fbcc8a4c04cc82cbed
4c51471ff27c1932316da37a036765e65b64842e5713e134ea56bc0caf3e1ff7
4e58a79e2238218c1d7b9923c0ef10612a0ecfd46266db111d59077ade487877
53182608a2eecc1bb2d30315e2f477526705f253437012c69692586913c5d753
6ad7a1a2107a7529c9106ece35296f4d8384ecac3041311ce5a7206d74e38d74
6ad954e44fa32853997f2e8a40684b59315b9857f0317a34dc394a3fc6b9dad0
841056a6a45f548371b39779bd7ec518b0e2be2b514507745e41e37f69f29a27
8f2cb4ea8bb5b59bb987a2e1739b37d9a57b755489f38947203bc667fbd09b54
969b53265de41528fd982faafc5ba7a1ca402b4098e07ef8ef776eb537f60e12
9708a1011bbd7e04516f73838dacef9bae938b7bc703c5ef04778f1a3a666d8c
9b6d175496ffa18bd04f6c0d9c085a094579de208330395747c2097e1a866aab
9b91749b03bd6a37a482a85e4366ff258c6f52abc99db74c370840241c5c6b06
9e10842db131a270d42436cb4f2056f5d9f2bc0522c715211a0c7629b97afbd3
a60124a1ce771d9c5d1decde7760d7886172de3ac664ad05f1ee9e868927d34d
af8f137861b30f088fcdf8ef1f25ca3b3137775316da840d3e999660bd9c9660
b04c5b176df3486b09bb504e79427ec7c24b2ae74647867e6dbc0635875bcfda
c32129d73874e1f53709a018baf39fe9102131aab51126be4096d7311bb2d72e
c6d4df3c380b0de55d64911c15e76ae8256a4fbefd82d0ff38316ffcaa211898
d5c0b9da899246252e6b3990458994cdc7293aba2922ea53829dbfab32373bb8
d88bd4d30ce3bd954210d1abfcbed1374909aaf257e24db7cdaf795ce30278fc
da61e01a3e719f3fb606f4c6c28005623c42f7cffcd8ab533699bfc2aef326d8
dab4b0c7526989d97592d956fd3b120129cd5ac9168be01c7b2488921a2c9d3b
eeb692f8759afa228fe3e4e49f8f64833bb7a583dbf4fce825f5493268b857da
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

[Images: AMP detection, ThreatGrid detection, MITRE ATT&CK technique map]

Win.Dropper.Zbot-9830578-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: NextAtJobId
19
<HKCU>\SOFTWARE\WINRAR 16
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
16
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
16
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
16
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: EnabledV8
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER
Value Name: ShownServiceDownBalloon
1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY
Value Name: ClearBrowsingHistoryOnExit
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691575909
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691583038
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691583319
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: trivax1.Bin.exe
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691581260
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691583334
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691574162
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691584052
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691577937
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1691576580
1
Mutexes Occurrences
Global\u29y4ewiof 3
Global\Fjs8Fhs_ 3
Global\JSDjDDSoD 3
Global\r839ruowfj 3
Global\AFjFJS__ 3
Global\b2c09161-6a84-11eb-b5f8-00501e3ae7b6 1
settingstravell 1
settingstravelu 1
Global\AEINV_USI_{72A74F44-972A-4EF5-B0EE-442704B1CAE9} 1
Local\AmiSharedMutex_3564 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
209[.]85[.]229[.]104 2
188[.]190[.]98[.]22 2
173[.]194[.]207[.]113 1
205[.]185[.]216[.]42 1
173[.]194[.]66[.]94 1
209[.]85[.]232[.]95 1
172[.]217[.]197[.]147 1
209[.]85[.]201[.]94 1
172[.]67[.]70[.]191 1
173[.]194[.]175[.]101 1
3[.]223[.]115[.]185 1
92[.]241[.]163[.]23 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
sexyladis[.]info 16
37050[.]b48b4b4c879e7211d6a13e26a8a914aaf6c218653840e81d9f[.]pfif3[.]hfuidhfd[.]jp 3
6[.]0[.]0[.]37050[.]2863923067[.]3163759174[.]0[.]0[.]b48b4b4c879e7211d6a13e26a8a914aaf6c218653840e81d9f[.]hfuidhfd[.]jp 3
6[.]0[.]0[.]37050[.]2863923067[.]3163759174[.]0[.]64[.]b48b4b4c879e7211d6a13e26a8a914aaf6c218653840e81d9f[.]hfuidhfd[.]jp 3
cds[.]d2s7q6s2[.]hwcdn[.]net 1
ctldl[.]windowsupdate[.]com 1
www[.]hugedomains[.]com 1
traxbax[.]com 1
Files and or directories created Occurrences
%System32%\Tasks\At1 19
%SystemRoot%\Tasks\At1.job 19
%System32%\drivers\etc\hosts 16
%System32%\drivers\etc\test 16
%System32%\drivers\etc\hosts.sam 16
%System32%\Tasks\At31 3
%System32%\Tasks\At32 3
%System32%\Tasks\At33 3
%System32%\Tasks\At34 3
%System32%\Tasks\At35 3
%System32%\Tasks\At36 3
%System32%\Tasks\At37 3
%System32%\Tasks\At38 3
%System32%\Tasks\At39 3
%System32%\Tasks\At40 3
%System32%\Tasks\At41 3
%System32%\Tasks\At42 3
%System32%\Tasks\At43 3
%System32%\Tasks\At44 3
%System32%\Tasks\At45 3
%System32%\Tasks\At46 3
%System32%\Tasks\At47 3
%System32%\Tasks\At48 3
%SystemRoot%\Tasks\At25.job 3
%SystemRoot%\Tasks\At26.job 3
*See JSON for more IOCs

File Hashes

056039ac543087b878919db4ce0d11ba7fb4dd8736e624274639121330fa0ca0
180a6808c87ebe10b55200876e6afb3884389837b3812ade9df7cbc1d7b7de80
1d848497ea0e68e69f9efff40d8383cdb8d0ff86ba9907c588885189b1f76608
30432dbb97e97a8e1f99b8fec1a3201b4625f515a0e25e10a4e1a9f770b32521
331c93cdbeef87cbb7ba88d6740d48a1b597f2105f5a31739486118d454ad457
3966b092dc79c12ad94e15dbb7195fa31652cac10133f536bf7ee8e4fd22e5eb
4b33a1948929662719bdd82aae7bfd51c22463367f9fe1c7797dce6789251d61
51ace6c3906f3622af3e4da578feff01e348617f54c82dbbc2a7db58d2c3775f
6125a74c229fc133260f6cac817b1d4fedf4565ade0a3f9d1212a04a67fa9c7f
66474df3ecc84aca4860992de2c45988156b0b46fc152a95b3dbda6a7a5211ac
66aa0c414db0d251592ccfbaba52f09ef82545874426f3e2f223fb92376f9609
6c57459003c18291409b620411f13330ffae27f7f2f0cc113e896a836e427855
7069e3c2f04c33cb9f9d57755de14576a1ae1d9d32b7713824c366056afd846b
738b6883327db5f98cecbe7234409af8d2112355793b7ae3bf1595b66c03d73d
7852baa8c0855fdb29f49fda7d2275933186704f1cf374fc5c42e07289e0251a
7a8907e3a793e426d562afddb48eb7fd8c76aee440ff6c70511012c39dda0eba
8f8ed4ee768f3d0aa060d4c3a7a92c081bbead99c804ae0f0b7a929681ea18e4
a12b29e06a95822193f73bba0a55707c610733a9f571f91773ebfdbbb3c34a3b
a99c6e3e9ae3de3b3edf360cef94f6b6cbf916cd19dd9d4132c86b55acb34e4c
ade33f33e76c025772ed89f63d529f31e16d0246fa7ddc0530168abb904dabb1
bcbf33e411bd1fc0866763b56ef1f37e4ab2e8d969763384bda076efd544c1f6
c2f0d3a680c78f181115e279dd95c8c5db7233ba313d5d1795dcc4b48fdd57c8
ce68168f4ba2e65f05b2e791ed47836aa3f90648d18d7e7e4015aec719f27416
d1e4f122367c8ce4e58b250ef2ef00191b68cb3d603af39257219a70606c623a
dd7a0d851ba1923c15606285a10e55677dd7d5f9400549795caaa1ce430638a0
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

[Images: AMP detection, ThreatGrid detection, MITRE ATT&CK technique map]

Win.Dropper.Kovter-9829554-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0521341d
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0521341d
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 22
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE 22
<HKCU>\SOFTWARE\FC6A75BE78 22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: bca7705c
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: bca7705c
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: b97dea2a
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: b97dea2a
22
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: e536480a
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: e536480a
22
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cafa44a6
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 99297e9b
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cafa44a6
22
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0905afc0
17
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0905afc0
17
<HKLM>\SOFTWARE\WOW6432NODE\ISBM3P0UE
Value Name: oGKNokI
1
<HKLM>\SOFTWARE\WOW6432NODE\ISBM3P0UE
Value Name: SyPjmb37D
1
Mutexes Occurrences
C59C87A31F74FB56 22
Global\42EDC1955FE17AD4 22
0D0D9BEBF5D08E7A 22
1315B41013857E19 22
B8ED4D143840045A 6
6DD7DBFFCEB24BFD 6
Global\CD5FF936B43684FB 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
114[.]253[.]167[.]207 1
38[.]64[.]142[.]137 1
157[.]129[.]245[.]85 1
148[.]218[.]2[.]235 1
83[.]233[.]141[.]85 1
156[.]237[.]168[.]81 1
137[.]139[.]141[.]180 1
36[.]91[.]156[.]204 1
49[.]242[.]37[.]128 1
97[.]161[.]47[.]193 1
211[.]62[.]88[.]97 1
69[.]37[.]3[.]253 1
73[.]9[.]44[.]127 1
64[.]28[.]195[.]232 1
38[.]110[.]242[.]41 1
125[.]106[.]92[.]235 1
190[.]73[.]223[.]245 1
212[.]127[.]237[.]69 1
201[.]43[.]80[.]167 1
116[.]2[.]194[.]220 1
95[.]221[.]239[.]232 1
32[.]202[.]176[.]158 1
64[.]175[.]6[.]138 1
208[.]86[.]43[.]69 1
61[.]127[.]79[.]50 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]w3[.]org 3
go[.]microsoft[.]com 1
www[.]100ganghuo[.]com 1

File Hashes

1e974c0d21c83e55e91faff4440b617a64583f9f96c8171f7cf68057ecd39cde
29cff4ff6832e7f9ab365a41c001b795d40d53665e89fa573d21392372ca5bba
3b804ae44f61c1cd29fa4db5b7e1c8449723bf8b0746431dd66ccea50f1121a8
41915f34381fbbb210f0fa7b5180398381987f3d1b579a97bda4f2d977166e86
41b20715989d4b18d324903abae7e1dd07f2d2aa0aac11ac4550e5429522b92b
424ca3b858c29da3180ab7ca0b437d4ae69d3cdf9903e169db0797d60eeb995d
521adb484233e2ff5d53229fd4b319c7c54c19e089a3439f5250e1f8cb8ef9c8
5382095e86d7d4c96c6dc82f90295ad9d471a45bdbaeaa7189c7d10a2215577b
57ebf26260ab809f8549beaf7189c1ff2c52c24eb918b177fa8073b88e9362d1
68891b546ef28996139fb032bdb305bcffe8ae557c2b4fac43ed4e7fa922d1f4
6cbeefd5857c713d244475889c17b56330dad07074b93b67e57e1967390c5396
74be508572debc5809d2d1b12fdf9fc9e9604d5b085980fd5bdf3d6acee8270c
754e08220e8054d0b44e2a374db48d4e6ab31cb5ec1898a274cd35b32bffad16
81aef4732a54511af957a5fefd4a5479e685afc547b88ffa136baa6390748078
872935c53873acdf78176860dddd6448c993d79383a401a9f6e4698d96bdcedd
8c2eae23840b92322f519b3e4a6f4de77561675dc2e518b90db70f456e6eb11d
92035f8889ebd991039c6668b420112498d935028ca16f3fe20320ce2aed5ca0
a77ecb8bf7f9cf783975e0a26f082f326d46474761ef21525cf4d2d5b609cd3c
aff0653ce35a20cf8bcf254cbeabcb14e89cda034d51f589d8d833d027c25f3e
c0f654c2518ef407b5d6ca7d173b2e23a42612b37c8e1c074934ea4292654572
c425ae6a8979fddfcf88cdd53e83b7bcdc399f20b6832ed67d482fbc0c277d88
f37666d19f8437da69601d1230044323238bfdcca55733da6aecc2426635f49d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

[Images: AMP detection, ThreatGrid detection, MITRE ATT&CK technique map]

Win.Dropper.Cerber-9829555-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
13
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
13
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE
13
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 13
<HKCU>\PRINTERS\DEFAULTS 13
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_01
13
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RMActivate_ssp
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: RMActivate_ssp
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Magnify
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Magnify
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: LocationNotifications
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: LocationNotifications
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: autoconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: autoconv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wimserv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wimserv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: perfmon
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: perfmon
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wuapp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: wuapp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: logman
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: logman
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: forfiles
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: forfiles
1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 13
shell.{5B5347A7-9806-3802-3FD9-E106D6283088} 1
shell.{1345752E-C9F9-31EC-E79C-CD6E126B4BFA} 1
shell.{9258438A-63F4-77F6-F3A5-2AE433E0BFC4} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
85[.]93[.]0[.]0/18 3
54[.]84[.]252[.]139 1
54[.]88[.]175[.]149 1
54[.]152[.]181[.]87 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ipinfo[.]io 3
Files and or directories created Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 13
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\Magnify.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\Magnify.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\RMActivate_ssp.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\RMActivate_ssp.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\autoconv.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\autoconv.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\forfiles.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\forfiles.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\perfmon.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\perfmon.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wimserv.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wimserv.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wuapp.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\choice.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\choice.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\logman.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\logman.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\LocationNotifications.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\LocationNotifications.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\RunLegacyCPLElevated.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\RunLegacyCPLElevated.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ucsvc.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\DevicePairingWizard.lnk 1
*See JSON for more IOCs

File Hashes

11752a59f3e0f1da8f0a5c10bc43ffe41f73ca471d04f2c0d1a4e90ce18d6939
214f926be0c975825898f9733b0543555b17165f2ed76551c1f00877e8b22ff9
443936e688d6ba85b3eb6f09906dbbf0743b71d7106ac1a60f46f2f9fb83a172
4c4187c62b97c8c167289a5dec65796404bb1288ab24da252977788d718b3361
5d2a9ba3a4504e95b684c941ef547076c9e5b0ba5f0bc483477eddd08fddbed5
60211e7c36b36ede1575be52c8b8de60612c81b68041a1b7d8ca976aa5df972b
7c5441111edbff3e1e6db2b9730ec0f1fac10d9e3c136af69466f20ae485b2e3
99157487d7abea9e2e319db1981a0e2d17fc6d951ecbf71c238e591d4c93471c
af23f65f72785da1e976e097b74b4fba71c8d39fd532d104912eed424e513803
bb61c9e0cc44e8dcfa47d0faa8952edde8d03db24425b6d83350699340934b8e
c6232a10478b049445b26edd345ff71aee05f08b37f82c321163b66442f5472d
cfd5b9fa22aa9919fcc00f1301c33ee1308ce2f813a69c720d55ca01e47971d2
ef7887c0fe669b1c455d45d4e27dd0a77ec8402f56819687d0497a1063fc2ace

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

[Images: AMP detection, ThreatGrid detection, MITRE ATT&CK technique map]

Win.Dropper.Emotet-9829584-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 42 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TLSCSP
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DEVICEUXRES
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDH
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TLSCSP
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SC
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ACLEDIT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GPAPI
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PROPSYS
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFC100ESN
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFPMP
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MFPMP
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CAPIPROVIDER
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RASSER
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SFC
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSR
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MCICDA
Value Name: ImagePath
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]201[.]9[.]197 22
152[.]170[.]205[.]73 22
47[.]146[.]39[.]147 22
200[.]24[.]255[.]23 19
79[.]183[.]194[.]197 19
111[.]67[.]12[.]222 18
167[.]86[.]68[.]49 18
139[.]59[.]60[.]244 7
80[.]158[.]59[.]174 7
85[.]105[.]111[.]166 5
51[.]89[.]36[.]180 4
64[.]207[.]182[.]168 3
80[.]249[.]176[.]206 1
5[.]196[.]35[.]138 1
59[.]148[.]253[.]194 1
94[.]23[.]62[.]116 1
45[.]230[.]45[.]171 1
178[.]62[.]254[.]156 1
203[.]160[.]167[.]243 1
191[.]223[.]36[.]170 1
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 13
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 7
%SystemRoot%\SysWOW64\ieUnatt 1
%SystemRoot%\SysWOW64\adsldp 1
%SystemRoot%\SysWOW64\l2gpstore 1
%SystemRoot%\SysWOW64\pngfilt 1
%SystemRoot%\SysWOW64\comsnap 1
%SystemRoot%\SysWOW64\NlsLexicons0039 1
%SystemRoot%\SysWOW64\itircl 1
%SystemRoot%\SysWOW64\NlsModels0011 1
%SystemRoot%\SysWOW64\adsldpc 1
%SystemRoot%\SysWOW64\ntdll 1
%SystemRoot%\SysWOW64\PortableDeviceStatus 1
%SystemRoot%\SysWOW64\shsetup 1
%SystemRoot%\SysWOW64\msimtf 1
%SystemRoot%\SysWOW64\KBDBHC 1
%SystemRoot%\SysWOW64\wmvdspa 1
%SystemRoot%\SysWOW64\KBDMLT47 1
%SystemRoot%\SysWOW64\credwiz 1
%SystemRoot%\SysWOW64\mscms 1
%SystemRoot%\SysWOW64\msvcp140 1
%SystemRoot%\SysWOW64\autofmt 1
%SystemRoot%\SysWOW64\mstask 1
%SystemRoot%\SysWOW64\KBDARMW 1
%SystemRoot%\SysWOW64\clusapi 1
*See JSON for more IOCs

File Hashes

084801c4cf563b73356ce3cf7cecf363e14aa6b826799d45793b8b4d55f7077a
094767acb2708b323a03f42ea6b358ee1c1bd030505b92f3e6e1db08efb4bc9d
0a4bb6ea70ba3ba6c5fd41e585678163fe523ff82ef6b4b4d136e65d2e21727f
0d078ce4887d839c76f270e301e9dad954c29c615bf6c81db560065e1e255d1f
0f960b14d165e669049b66067eb8a80e6a871accd242e573be6ad59a6e302dfb
1629684677833e5b481244822e2196212fa296254342678cbf7d130d9c587b8d
1d2aa6789f146f3b4ec09ab98b1914b0f1e143ea0af2eea753eb6f90388ec17e
1d46cfee2462b31e7bbfad58ea780e09a38e700310ec1cf74bf9355c37103854
242a2851aeea677baafa89354920d434016f9b1de6674afffb756882b9157b2a
25911a0992f247379adcf16ec16f4439efdaf9963ddf0e5fa482324f8ba28cc6
3811c126dcbe238b1bef70d4856cc827b481ef17d95d25f0a106b153c8d5c99a
3bd11c28decda8215865a98c9dd247c6717abbfe959b3bbc9739424dc730feaf
560feb54dc61956c26405f1bc0ead724fe7dbcfe310b0af41ac67edcbe3cdb18
5659a2e8e8e255fbd20dd07045407731b8a6ef8a21bb90e9eedd5aa026d4c809
583fa234b4d127b9ca8f1997b331a5b36baa7b96c16fe8a968c7f8bea0ea98b6
5c812dc477901cc1d99de009c9a0f19e176a3743066b0c102e12a11df3161ce3
5e8690ffefbe44825b5678a7470c0398edec57630635ca6837d379a8361b2bd0
72701410ad09a499df8de99e8df448b1b7259970948b5752419720fc834e937f
7350074560e1a7f5b28694d3fde012cc29f4e95f8c70e8007ff91fd9f57c4565
76f32c8ece5ec2367e13be3a0c88ec139af61fe10e3f5184da613eac66e41f64
7f225129cab2e7bc786467e7df6cd8d957d659b120edce47c4e7c7a271665a8d
826abb7232a1ea3ec121831fc37a04ae3df4ee28d30a1929c50b6ec11f528873
8bd4635d80e960c5178c5b57bb65ac9bfce5799efe0567208b7856ebd07b9e7a
90345fe3aae82209d6a2a556ef7b0dfc9791134c63893427e177dfd180895af5
93c58cd40261a3015bda9dfb65af5ad115e553ac8ebd76e287d5078ea06602de
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

[Images: AMP detection, ThreatGrid detection, MITRE ATT&CK technique map]

Win.Packed.Dridex-9829614-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
26
Mutexes Occurrences
<random, matching [A-Z0-9]{10}> 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]10[.]110 25
104[.]23[.]98[.]190 14
104[.]23[.]99[.]190 12
72[.]21[.]81[.]240 5
23[.]3[.]13[.]154 5
173[.]194[.]175[.]100/31 3
173[.]194[.]175[.]113 2
173[.]194[.]175[.]138 2
23[.]3[.]13[.]88 2
172[.]217[.]10[.]78 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 26
w[.]google[.]com 26
ctldl[.]windowsupdate[.]com 11
www3[.]l[.]google[.]com 7
a767[.]dscg3[.]akamai[.]net 6
cs11[.]wpc[.]v0cdn[.]net 5
www[.]15oa0k7ecq[.]com 1
www[.]drkdybtkwc[.]com 1
www[.]dtraeay8tw[.]com 1
www[.]ec1bm1xafh[.]com 1
www[.]psnony2sev[.]com 1
www[.]dxtflrkpep[.]com 1
www[.]jsjldnxk25[.]com 1
www[.]1xsrtopgre[.]com 1
www[.]a2tjjbgljq[.]com 1
www[.]xinlykbqb1[.]com 1
www[.]afgysowzr3[.]com 1
www[.]5wnuwuv7xw[.]com 1
www[.]mf20sjfv41[.]com 1
www[.]n5aqjhqouh[.]com 1
www[.]d1bswfrh7h[.]com 1
www[.]uzqls7kxql[.]com 1
www[.]ydc6gs5cyn[.]com 1
www[.]zwvxvux7rr[.]com 1
www[.]7s9kbk0jb0[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 18

File Hashes

047a9a51f834143cf63c7d82de9501b136e3cffb39220f633515d8c6cc1812be
0f90634f405bcd81107618ef105b4cf3f446f2fe6a80cd1b206b07b753ef4811
111cbaa942fc4b48f8c8ebf37c1284d1ecc15dd2d05c41c1f589a8fee04c72b5
1be719d99a109606ef06bf8665c6f63374287b750065a170440cfb7ef4aea804
1db79b4fb1bcd20ac3ba13af24f572a311baa582c16eb5b9d174649af582d3f6
1ecf5f78eafdb097401bdab0a6cccd208e3138e69f211ce05a637647a93e80fc
227f171b9e01439e9dd686fb83928a13182e4fef000fd5c034d1b3412187c1cf
26e3b061c2d49b302059275410affef6861073575bb4bab07c550c9501839d2b
281860389daf31e5ef4c54d7ce3e39372920b6142f15656c68f73232a373bd64
2b6d05372a3b1064a8413a33fe8f5c2209870897447955a17b476b421c57253b
2c8294f60b056c1d993563878908bfdcb61bcbbb8ea14ee03562f170adbd4378
3034a6e006456b1016fc67069f6ad65498451922fd3b0ae874293cd90d59aa2b
325877253c7b1bd550e99d80048b0e0fe4b014ef74dd1dcbb201318e73a4f62d
32dace58ee58267957aaa8a017e840c436a57f053ab0b871df5646bd39bb579f
380d29048bbcf2c5970173398559e206b5c51fb165239b3c92fad7b3ae31105c
3c0fc8702206f4bf2534bd3eb4cf74cd1f515d2e162e75079127fbf305aef850
3dde69b3d354fd374a1c8afe53b6505f4b3dbf61d492c8b919a13876956fe032
3e10c7fc7676dab58eab3196b4b2994ab07bcc4e07638cecd8093e39815e9ec1
3f45ff6372eb682493c9cb07d08000e13fd4155e1bdf9413e387fa294dec9abb
4a91f0549250484e09c70b42057edfce9068a0d963db9997ef793721274fe0a3
4ff6ca90d9634f4596c39504b74809c8eee95443fdbf38dbcdc26737d98a1573
51ab9aedb438fa1f9dbbba0441220613d009fe99503303969292304f1388aca0
5222ef991cfc04625e882984c215027d7582f1260c1c6a3d1252bcacf121f818
539c82ab4dc05a8f109272e3e5e22a4aa6cbe94b3758f6da994deb0d99914d1c
54040f88d8ec184b8fee5e44751e4c28625cfcdeb63318c26594dcf5e49b3f7e
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid


MITRE ATT&CK





Win.Worm.Gh0stRAT-9829943-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: TFM0N
20
Mutexes Occurrences
pldofjxf 19
192.74.252.42:8760 16
AD.PLUSUNION.INFO:6620 4
98.126.35.213:11111 4
174.139.45.233:8590 2
54565C31 1
67.229.227.138:19527 1
174.139.124.214:3204 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
203[.]205[.]254[.]103 17
98[.]126[.]35[.]213 17
192[.]74[.]252[.]42 16
192[.]74[.]252[.]41 16
174[.]139[.]45[.]233 2
174[.]139[.]45[.]235 2
67[.]229[.]227[.]138 1
67[.]229[.]227[.]140 1
174[.]139[.]124[.]214 1
174[.]139[.]124[.]213 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
user[.]qzone[.]qq[.]com 17
i[.]qq[.]com 17
v1[.]krtedun[.]com 17
dns10[.]kodns[.]info 8
Files and or directories created Occurrences
\<random, matching '[A-Z0-9]{16}'> 20
\<random, matching '[A-Z0-9]{16}'>\setting.xml 19
\2txtv44lp2949lxm\Config.xml 1
\vt19x92e143et9qv\Config.xml 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.DarkComet-9829678-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winupdater
1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} 1
<HKLM>\SOFTWARE\CLASSES\MSWINSOCK.WINSOCK 1
<HKLM>\SOFTWARE\CLASSES\MSWINSOCK.WINSOCK\CLSID 1
<HKLM>\SOFTWARE\CLASSES\MSWINSOCK.WINSOCK\CURVER 1
<HKLM>\SOFTWARE\CLASSES\MSWINSOCK.WINSOCK.1 1
<HKLM>\SOFTWARE\CLASSES\MSWINSOCK.WINSOCK.1\CLSID 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TYPELIB 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\INPROCSERVER32 1
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\INPROCSERVER32 1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 5:59:57 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 6:00:04 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 6:00:11 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 6:00:19 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 6:00:26 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 6:00:34 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 5:58:55 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 5:59:01 PM
1
<HKCU>\SOFTWARE\DC3_FEXEC
Value Name: 2/4/2021 at 5:59:08 PM
1
Mutexes Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 9
DCMIN_MUTEX-<random, matching [A-Z0-9]{7}> 5
DCPERSFWBP 4
Global\24e4c1a1-6745-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]54[.]8[.]136 1
188[.]119[.]1[.]248 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
mrryy[.]duckdns[.]org 2
rufleks[.]no-ip[.]org 2
darkcometxx[.]no-[.]p[.]org 1
xdeniz059[.]duckdns[.]org 1
cash894156[.]ddns[.]net 1
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log 14
%APPDATA%\dclogs 13
%HOMEPATH%\Documents\DCSCMIN 4
%HOMEPATH%\Documents\DCSCMIN\IMDCSC.exe 4
%HOMEPATH%\Documents\MSDCSC 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 3
%HOMEPATH%\Documents\server.exe 3
%SystemRoot%\MSDCSC 2
%SystemRoot%\MSDCSC\msdcsc.exe 2
\REGISTRY\MACHINE\SOFTWARE\Classes\.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe 1
%SystemRoot%\SysWOW64\MSWINSCK.OCX 1
%SystemRoot%\SysWOW64\DCSCMIN 1
%SystemRoot%\SysWOW64\DCSCMIN\IMDCSC.exe 1
%APPDATA%\msdcsc.exe 1
%System32%\MSWINSCK.OCX 1
%System32%\DCSCMIN\IMDCSC.exe 1
%TEMP%\Windupdt 1
%HOMEPATH%\Documents\00.exe 1
%HOMEPATH%\Documents\öööö.exe 1
%HOMEPATH%\Documents\aaaaa.exe 1
%HOMEPATH%\Documents\aaaaaaaaa.exe 1
%HOMEPATH%\Documents\server2.exe 1
%HOMEPATH%\Documents\as.exe 1
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Win.Dropper.HawkEye-9829906-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: foldname
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: fname
1
<HKCU>\SOFTWARE\ZUNIX 1
<HKCU>\SOFTWARE\UACBXOPHOIDLSDW 1
<HKCU>\SOFTWARE\ZUNIX
Value Name: LCTVY
1
<HKCU>\SOFTWARE\UACBXOPHOIDLSDW
Value Name: temp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: uAcbxOPhOIDLSdW
1
Mutexes Occurrences
Global\784d0b20-675b-11eb-b5f8-00501e3ae7b6 1
Global\73780b41-675b-11eb-b5f8-00501e3ae7b6 1
uAcbxOPhOIDLSdW 1
{84CAD4E6-93DA-46E4-8B81-9377B2B2ACB0} 1
Global\64533681-675b-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]154[.]36 7
104[.]16[.]155[.]36 6
77[.]88[.]21[.]158 5
136[.]143[.]190[.]56 3
173[.]194[.]66[.]108 1
217[.]69[.]139[.]160 1
104[.]16[.]19[.]94 1
104[.]26[.]4[.]30 1
172[.]67[.]74[.]163 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 13
smtp[.]yandex[.]com 5
smtp[.]zoho[.]com 3
smtp[.]mail[.]ru 1
smtp[.]gmail[.]com 1
help[.]nominergate[.]gdn 1
smtp[.]mayadizeyn[.]com 1
Files and or directories created Occurrences
%APPDATA%\pid.txt 13
%APPDATA%\pidloc.txt 13
%TEMP%\holdermail.txt 13
%TEMP%\holderwb.txt 11
\Sys.exe 7
\autorun.inf 7
%TEMP%\SysInfo.txt 7
%APPDATA%\Windows Update.exe 7
E:\Sys.exe 7
E:\autorun.inf 4
%APPDATA%\WindowsUpdate.exe 4
%HOMEPATH%\Favorites\Links for United States\GobiernoUSA.gov.url 1
%HOMEPATH%\Favorites\Links for United States\USA.gov.url 1
%HOMEPATH%\Favorites\Links\Suggested Sites.url 1
%HOMEPATH%\Favorites\Links\Web Slice Gallery.url 1
%HOMEPATH%\Favorites\MSN Websites\MSN Autos.url 1
%HOMEPATH%\Favorites\MSN Websites\MSN Entertainment.url 1
%HOMEPATH%\Favorites\MSN Websites\MSN Money.url 1
%HOMEPATH%\Favorites\MSN Websites\MSN Sports.url 1
%HOMEPATH%\Favorites\MSN Websites\MSN.url 1
%HOMEPATH%\Favorites\MSN Websites\MSNBC News.url 1
%HOMEPATH%\Favorites\Microsoft Websites\IE Add-on site.url 1
%HOMEPATH%\Favorites\Microsoft Websites\IE site on Microsoft.com.url 1
%HOMEPATH%\Favorites\Microsoft Websites\Microsoft At Home.url 1
%HOMEPATH%\Favorites\Microsoft Websites\Microsoft At Work.url 1
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints against the in-memory attacks commonly used by obfuscated malware and exploits. These techniques are designed to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, which also protect against zero-day vulnerabilities.

Process hollowing detected - (13544)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (7655)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (1571)
A PowerShell command has been detected with a very long command-line argument, which may indicate an obfuscated script. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a windows utility. - (1547)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Squiblydoo application whitelist bypass attempt detected. - (745)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Kovter injection detected - (556)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (173)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected - (120)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (69)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Maze ransomware detected - (37)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim's system and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.
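The "excessively long PowerShell command", "Office process started a Windows utility" and "Squiblydoo" heuristics above are simple enough to express as triage rules over process-creation telemetry. The following is an added example, not Talos or AMP code: the event field names, the 1000-character threshold and the sample events are all assumptions constructed for illustration.

```python
"""Toy process-creation triage for three of the behavioral heuristics above.

Events are constructed samples (not Talos data); the field names are an
assumption of this example, not a vendor schema.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe"}
LONG_POWERSHELL_CHARS = 1000  # threshold is an assumption; tune per environment
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the names of the heuristics that fire on one process-creation event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmdline = event.get("command_line", "")
    hits = []
    # Office application spawning a scripting or LOLBin utility
    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        hits.append("office_spawned_windows_utility")
    # Very long PowerShell command line, a common sign of an obfuscated script
    if image in ("powershell.exe", "pwsh.exe") and len(cmdline) >= LONG_POWERSHELL_CHARS:
        hits.append("excessively_long_powershell_command")
    # regsvr32 pointed at a remote script source (Squiblydoo-style)
    if image == "regsvr32.exe" and URL_RE.search(cmdline):
        hits.append("regsvr32_remote_script_source")
    return hits


# Constructed sample events: one Office-spawned cmd.exe, one padded PowerShell
# command line, and two benign-looking processes that should not fire.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command " + "A" * 1200},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]


def triage_all(events):
    """Map each event index to the heuristics it triggered."""
    return {i: triage(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in triage_all(SAMPLE_EVENTS).items():
        print(i, hits or "no findings")
```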
