Friday, June 4, 2021

Threat Roundup for May 28 to June 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 28 and June 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique and the brightest indicating that the technique was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat name (type): description

Win.Packed.BlackNet-9866245-1 (Packed): BlackNet is an open-source remote access trojan (RAT) written in VB.NET that is capable of keylogging, capturing credentials stored by web browsers, and taking screenshots of the infected machine.
Win.Packed.Zusy-9867730-0 (Packed): Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Tofsee-9866292-0 (Dropper): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Packed.Dridex-9865326-1 (Packed): Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Malware.Nymaim-9867802-1 (Malware): Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm (DGA) to produce candidate command and control (C2) domains from which it retrieves additional payloads.
Win.Trojan.Zegost-9865428-0 (Trojan): Zegost is a RAT that provides an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, a well-known RAT that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Trojan.Redline-9865594-0 (Trojan): Redline Stealer is an information-stealer written in .NET and sold on hacking forums.
Win.Trojan.Zbot-9866263-0 (Trojan): Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Virus.Xpiro-9865848-1 (Virus): Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Threat Breakdown

Win.Packed.BlackNet-9866245-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: b381c8d9c38488f4e497324a03c966b4
2
Mutexes Occurrences
BN[] 2
BN[eda3c57cc6ee9167d0f2c9] 1
BN[b2d0e6b0d5e5f67e9cfce8b88391e2] 1
BN[87f0a0b89a9b71a177] 1
BN[9a9bffefaca57fec80acb766c69e] 1
BN[b28eebf775f881cea7c2b7af6ab564c3] 1
BN[faf06ca7] 1
BN[f58793ece076cdd174b4a76ec5] 1
BN[ccd7d8e7] 1
BN[7ec5b7a46dacc4ee8f838e82be7164ad] 1
BN[c7c89da47f6bf965b9e9d7b395c06d] 1
BN[f2abbf7ff7b4d9d088] 1
BN[d7bcf8cd8e738c67a06ff29fb6acdc] 1
BN[c6839ec3a9b2bacc89f9c7b7f8] 1
BN[d57295819e7a6d71a4] 1
BN[ea95808ebf6e67e1c77ed9fab384e0b3] 1
BN[a4d7c98c81ba70c8c072] 1
BN[9a74679877b7bbbba9b5efc6b0db] 1
BN[c7e07799649f8a766cb8b9fb90a3ea6e] 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
185[.]239[.]243[.]112 12
1[.]1[.]1[.]1 8
37[.]221[.]67[.]91 2
45[.]133[.]1[.]98 1
137[.]220[.]53[.]57 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
silentupload[.]com 12
Files and/or directories created Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log 11
%System32%\Tasks\WindowsUpdate.exe 2
%TEMP%\Microsoft 1
%TEMP%\Microsoft\MyClient 1
%TEMP%\Microsoft\MyClient\WindowsUpdate.exe 1
%APPDATA%\Microsoft\MyClient 1
%APPDATA%\Microsoft\MyClient\WindowsUpdate.exe 1

File Hashes

0f27f4a2455b55152e7b404c0acc99afcbf002c8894e992ab12fbd6e0e062d40 1bd95919ccc3875aac3d72cd67d7e0ea158678916a56b2ac402e878a8f9fbe2d 2796812c31cd869a8d122241936dbb66ddd5ed778204ed7ddc6cbba0c92aee00 2fcb2a749466742700d001f7a3cb4b7f4d6e0dd1b5cf99bcf5d44d9bf3e5f384 419c5bfa3f6898f9ecfa4e7c489efb3aa5da89aa445c5e56b0e106c5e13d90b3 4cdca0fbdec2de715767e024507ba487e952ae59a2305b506f56671feca7c842 5cbf776dcec3c814b2393b705e090f443ecaee73af240f11c90e82089cfa3f50 5d6befb3909604abcedeb0afde29a5c34a5f99b0da83f010c52995cfe4d6518b 5e523204b6ca3f278e1af9e5ada03fcfe2a392ea29e91f0b7c7bcca29a46935c 7468d140ae54adef47548baf0554b2ff358775addd50f01de1ca3a21348a028c 84edea902ff8ed8b6a4e5c6779afd64e08a03608366b7a18bcb08ca6be3be0f6 8ddb9ff090306f5d4f7412b7955d6e7a848ec435daba5c13c6e75e5f14801204 8e964c3196143d3c336ef46e37fa1178a7954ff3d568c74f652acdf65811a595 b3e675ffafeecc5d9f9ff900b68f0c6906d13203fd30d8f970a6aee88b8850ca ba3b5d70f865fd7e2bfe99452dfa18669927cd0b2775bb4520b1b55645f13b8b c15c9bc1dc3e61e9a6bf8830d0ddbf6a703e0fae79da8861dc5f11918d7c4695 c443cb8103e30dd20263a04864693e3e5b8c7bad43505a9a06cca3284fcf7a69 e12006c113fb43000e62a10ac9df2702b0f7d96854265ddc7227a1836a4ab016 ee523560106eb897f07bef54bf5f2cec7ad7bf23c26fb2d47f81764d5127bf9c fed5383f222147e5cecd225869faa67157700960a45a4f686817c2f26b69eeb7
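The caveat from the introduction, that a single IOC is a lead and not a verdict, is easiest to see in code. The following is an added example (not Talos code and not part of the original post) that takes the BlackNet indicators from the tables above (the Run value name, the BN[...] mutex shape, silentupload[.]com, the contacted IPs and the WindowsUpdate.exe drop paths), maps concrete host paths onto the %TEMP%/%APPDATA%/%System32% placeholders the tables use, and flags a host only when at least two independent categories hit. The host telemetry, host names and the corroborate/match_event functions are constructed for the example; the 1[.]1[.]1[.]1 resolver hit and the CLR usage log are deliberately treated as noise, because both are produced by benign software.

```python
"""
Corroborating Win.Packed.BlackNet-9866245-1 across IOC categories.

Added example (not Talos code). Indicator values come from the BlackNet
tables in the roundup; the host telemetry below is constructed.
"""
import re
from collections import defaultdict

PROFILE = {
    "registry": {
        r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\b381c8d9c38488f4e497324a03c966b4",
    },
    "domain": {"silentupload.com"},
    "ip": {"185.239.243.112", "37.221.67.91", "45.133.1.98", "137.220.53.57"},
    "file": {
        r"%TEMP%\Microsoft\MyClient\WindowsUpdate.exe",
        r"%APPDATA%\Microsoft\MyClient\WindowsUpdate.exe",
        r"%System32%\Tasks\WindowsUpdate.exe",
    },
}
# The hex inside BN[...] differs per sample, so the mutex is matched as a pattern.
MUTEX_RE = re.compile(r"^BN\[[0-9a-f]{0,32}\]$")

# Also listed in the roundup, but not evidence on their own: 1.1.1.1 is a public
# resolver and the CLR usage log is written by any .NET process.
NOISE_IPS = {"1.1.1.1"}
NOISE_FILE_RE = re.compile(r"\\CLR_v4\.0_32\\UsageLogs\\", re.I)

# Talos lists paths with environment placeholders; map concrete paths onto them.
_PATH_SUBS = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp", re.I), "%TEMP%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^[a-z]:\\windows\\system32", re.I), "%System32%"),
]


def normalize_path(path):
    for pat, placeholder in _PATH_SUBS:   # order matters: Temp before Local
        if pat.match(path):
            return pat.sub(placeholder, path, count=1)
    return path


def match_event(ev):
    """Return the IOC category this telemetry event corroborates, or None."""
    kind, value = ev["type"], ev["value"]
    if kind == "registry":
        return "registry" if value.upper() in {r.upper() for r in PROFILE["registry"]} else None
    if kind == "mutex":
        return "mutex" if MUTEX_RE.match(value) else None
    if kind == "dns":
        return "domain" if value.lower().rstrip(".") in PROFILE["domain"] else None
    if kind == "connect":
        return "ip" if value in PROFILE["ip"] and value not in NOISE_IPS else None
    if kind == "file":
        if NOISE_FILE_RE.search(value):
            return None
        return "file" if normalize_path(value).lower() in {f.lower() for f in PROFILE["file"]} else None
    return None


def corroborate(events, min_categories=2):
    """host -> (sorted matched categories, flagged?). One category is a lead, not a verdict."""
    hits = defaultdict(set)
    for ev in events:
        cat = match_event(ev)
        if cat:
            hits[ev["host"]].add(cat)
    return {h: (sorted(c), len(c) >= min_categories) for h, c in hits.items()}


# Constructed telemetry (host names, user names and paths are invented).
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "registry",
     "value": r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\b381c8d9c38488f4e497324a03c966b4"},
    {"host": "ws-17", "type": "mutex", "value": "BN[eda3c57cc6ee9167d0f2c9]"},
    {"host": "ws-17", "type": "file",
     "value": r"C:\Users\jdoe\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"},
    {"host": "ws-17", "type": "dns", "value": "silentupload.com"},
    {"host": "ws-17", "type": "connect", "value": "185.239.243.112"},
    # ws-42: only the public resolver and a .NET usage log, both benign on their own
    {"host": "ws-42", "type": "connect", "value": "1.1.1.1"},
    {"host": "ws-42", "type": "file",
     "value": r"C:\Users\amy\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\devenv.exe.log"},
    # ws-88: one genuine indicator; worth a look, not a verdict
    {"host": "ws-88", "type": "connect", "value": "185.239.243.112"},
]

if __name__ == "__main__":
    for host, (cats, flagged) in corroborate(SAMPLE_EVENTS).items():
        print(host, cats, "FLAG" if flagged else "review")
```

Run as a script it reports ws-17 as flagged across five categories and ws-88 as a single-indicator lead; ws-42, which only touched the public resolver and wrote a .NET usage log, does not appear at all. When working from the accompanying JSON, load its entries into PROFILE instead of hard-coding them.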

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Packed.Zusy-9867730-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bd63ad6b
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bf228d17
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: f7b512d3
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 79eea72
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 7a96a5f8
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: c22ac29d
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 5dfca0e
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 88fc7d25
25
Mutexes Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} 25
{06253ADC-953E-436E-8695-87FADA31FDFB} 25
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} 25
Files and/or directories created Occurrences
%APPDATA%\Microsoft\Xtuou 25
%System32%\Tasks\hlqrckolgw 1
%System32%\Tasks\udgchvlz 1
%System32%\Tasks\kuzrhfhf 1
%System32%\Tasks\lcmwwxy 1
%System32%\Tasks\muqozvpu 1
%System32%\Tasks\kjpdywvy 1
%System32%\Tasks\xcxpplwrom 1
%System32%\Tasks\zmipddc 1
%System32%\Tasks\tpvtkhgk 1
%System32%\Tasks\tyrsiuvdls 1
%System32%\Tasks\rikvwugudu 1
%System32%\Tasks\kcyllwgek 1
%System32%\Tasks\wbnxygjgzb 1
%System32%\Tasks\hoprilusj 1
%System32%\Tasks\xahqpifih 1
%System32%\Tasks\stqrtoly 1
%System32%\Tasks\zdeevbtokx 1
%System32%\Tasks\dvfrljst 1
%System32%\Tasks\zjroxrqoi 1
%System32%\Tasks\ipshgtbkl 1
%System32%\Tasks\uiwjynvqf 1
%System32%\Tasks\rcwwexthc 1
%System32%\Tasks\awosuqjdx 1
%System32%\Tasks\xjtpoioz 1
*See JSON for more IOCs

File Hashes

02e01109701ec01740188db6838010f6d5850b81ef6cd0eb154d67c314bd218f 1dcb0ae0e7c7482e0fcb5c723daade41a175cf59abb216566984123f7bc60496 1eef296818c79b4b6700469a63bcdb102e0a1ef7d05b7099b39b31455280a344 1fbce35d654cdcfa38597230cfb519d5a8fe28bddf370e1bd8529121a18f02d4 22cf76937043b616cb4c67bec58e329fecc91015329799f7b85abda1b2f6fde2 24cce8e51d283f2fe3738f2b68dd5ae64d0173dfaa8ac94084bd96f6805ccaab 369227b9605550bed80ce5f51e39e20da2669499021dd19d0d91f099c34a20ef 3dd13a7ac7e2249f933efe211a4eb64dce0c13811da83e7c41f11c28d3aeac03 43905a1a0beb58cda91702a99cad031ba6589356bb2caa0e3e7c49650b24af25 49741374da47b47d02883262d28ecbe31b624fbcfe6cac801ae3e8a88fc3f389 4d0747c6197abf5ae0aa98e9e3441e158a02382f8c751720904c1967fadc3679 5266889b46f337f6a0c9c755558efa96bfa95acf193d8e3e85a8cc382c7b70f1 57f3a05e6f515ba55cb131907cc835dfaa84ce1e2b4dfcb9edd0545de9368627 5f486e965612eff4d5f9b61609be0ca2c4141f06d61c7cfc4e5eb28354c5c02e 6a3ef320b007b94175b3d7eefc83ca569b8920a26d115ac894ebedeba825a44b 72e133ad9898765a885df6a1d51b93ea2f24eacdee359c5c4c5fbf9fc88695eb 7ac60c9dbf18f84ffea6d00012957aecbb1d8538502c57089b140e7c21017149 8d1505cff10c8fd709d08b83c290d516c7603affdb6e94fd2f5d878e13ef48ca 9467f35249585b7d52b0e0c07ea9380241df2ae6644c36b85ace0f59e09f6164 983450a2f7a63974ae6365eb8ca0862307d0a5cbf4c66d00a24cc5ec30be5fdd 9d830f4614e8a466922321311feb420bdd68b9c2caeba68898c14b025e000ed7 a029b2907d7a7c9de458102fd320118d0cf5c1b0a7ce6fc857a2f7dda8eccf83 b8956ef894b04dd207f6d9fa2a9f900dba0b54ba61f647310e45256a59b56be5 c73ab42843805e42fbb064aa09103862233166e2c79731cc785cc7d2a70614e4 cf6a4925529897090e29d48e023a1ef25158044e52d18782934ffe7c58e86f49
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Dropper.Tofsee-9866292-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 34 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
28
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
26
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
3
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 3
<HKCU>\SOFTWARE\MICROSOFT\KPQL 3
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
3
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cvjpowcr
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nguazhnc
1
Mutexes Occurrences
Local\{<random GUID>} 3
{2754DAA7-1D63-E20C-C326-7B483F5EB7C5} 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
43[.]231[.]4[.]6/31 27
217[.]172[.]179[.]54 22
144[.]76[.]108[.]82 22
212[.]22[.]87[.]191 22
51[.]178[.]207[.]67 22
195[.]242[.]110[.]99 22
87[.]251[.]71[.]150 22
91[.]203[.]5[.]144 22
157[.]240[.]18[.]174 21
104[.]47[.]54[.]36 14
216[.]239[.]36[.]126 14
172[.]217[.]11[.]4 13
172[.]217[.]10[.]228 11
163[.]172[.]32[.]74 10
98[.]136[.]96[.]76/31 9
104[.]215[.]148[.]63 8
40[.]76[.]4[.]15 8
172[.]217[.]10[.]35 8
37[.]1[.]217[.]172 8
142[.]250[.]64[.]99 8
67[.]195[.]228[.]106 7
67[.]195[.]228[.]94 6
104[.]47[.]17[.]161 6
104[.]47[.]53[.]36 5
188[.]125[.]72[.]73 5
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
microsoft[.]com 28
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 26
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 26
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 26
249[.]5[.]55[.]69[.]in-addr[.]arpa 26
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 26
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 26
microsoft-com[.]mail[.]protection[.]outlook[.]com 26
www[.]google[.]com 26
www[.]instagram[.]com 25
app[.]snapchat[.]com 14
ip[.]pr-cy[.]hacklix[.]com 10
work[.]a-poster[.]info 8
biigx[.]net 3
mlcooji[.]in 3
zdotznqdqbo[.]net 3
yirdozxixb[.]in 3
fvrcbo[.]net 3
ygwgvpwo[.]net 3
fraawex[.]net 3
vpfswmz[.]net 3
iudfsyckmn[.]com 3
maigtn[.]net 3
iohmm[.]net 3
fadkzbbjwsd[.]net 3
*See JSON for more IOCs
Files and/or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 28
%TEMP%\<random, matching '[a-z]{8}'>.exe 27
%SystemRoot%\SysWOW64\config\systemprofile 26
%SystemRoot%\SysWOW64\config\systemprofile:.repos 26
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 20
%ProgramData%\ph 3
%ProgramData%\ph\eqdw.dbc 3
%ProgramData%\ph\fktiipx.ftf 3
%TEMP%\gocf.ksv 3
%TEMP%\kpqlnn.iuy 3
%ProgramData%\jzk\icolry.ylg 3
%TEMP%\qnvgtx.eww 3
%ProgramData%\jzk\betrwq.wot 3
%TEMP%\xyubi.zds 3
%TEMP%\vsdpjko.exe 1
%TEMP%\yvgsmnr.exe 1
%TEMP%\qnykefj.exe 1
%LOCALAPPDATA%\jwwypdla\rdolaguq.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\rdolaguq.exe 1

File Hashes

0f34d841ec65f3223ee9b90f6234ffb9b750d192df7c1ca220ba1b1ccc31392f 183f726fa0b91a909ebafbec9b6abb43255d2d289690ce07e1d5533750b86a93 1ae8c1dff0378414e010a6870e4e2a4b3eb75621f613b7a35ceefb50344ae688 1af1d29f5f10dfce1034633d52d68ff290374a3dfcfdad002be12c1d257b3a36 1d9fb88e7ac7b54338a705b75f9e097a5e13ed4f607ee6f840e23e08036d2854 307763d34fe4ce6373ee37f421e8fcf5a6676171ba19a2f34c784ad6b520dc85 3628585ec95c3d2ef28f2b57a4c473eb78c42ce7bcd7fabd3f54d763ed194bb7 3d0cfb90b917022529807948bcbf1571fe6f6b3d56c609c184ff38287a220f08 3f797e77274459adf792d8cf191d08ddf2e1d276bbaefec9fe224d60e3db0882 4abfd59d3522d8a8ad8b4e5e2ddc00ed37d96270d9ba350c673462e8b8cb4ef6 5298f1f1f1d848898d8bdb910a5714dc291d48188c3be94984f8136547db7312 5454cfd15ffd05fa064af1bb30b96aee1d3eba456274971b40c51ba99491c3bf 6a8689bc159a41982ec4d8c1f9c3984f78a9c95907ba20471e42a3acd767363f 6ae17ebd7550186ded814994f420a35bcfaca4d4e381ee66ae2ea9f8a2fd816f 6b0553f765df31fb7b315dd5c36613cf403303b7179317403a7053e4e7ddba89 6ec11f709a1d474f62d89ae58c8f7f31248fc47659628a2352aca3cc245533de 7d397c9648504c6a93e599503df9b918da31c6d4ad5d53a4319078418c9b7052 8479a94e6af1e8b0786ca41f2eed20c341d1f64750d51a02f1984330f6f3af1b 86afd4fa7c92453154bd0a2079389c854fd9a7eb9ff12ba15ca5f3a56af63048 9bcdc1149a05fdc837daca2ec49a2b3b9427a5213e774fb6c14b8d100d2c93bc 9fe6a93cb5ebd2b73a5b03a944d120977b6948e31ef66472811304f19c882af1 a01026323fc3348661a237e4379cbc5b0b9c932ff3b976ad583aef65e1e0fb01 a7fcd14c4c7e17ba61a8a6c1fd4d12e97e24690f213bcbfa91fac2ca96a853c1 a98f3a33758b5443ce8f78d472fbb893f5bfe23ac9e74128bf1524bff581537a b0caedab25f5e231b19b69be8c88895db2d5c473c0229f3c19a9e7425ea13ac0
*See JSON for more IOCs
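The six 249[.]5[.]55[.]69.* entries in the domain table above are one address, 69.55.5.249, queried in reversed-octet form against five DNSBLs and once via in-addr.arpa: the samples are checking whether the address they send from is already blocklisted before they start spamming. A workstation doing this is a strong signal, while a mail relay does the same thing legitimately for inbound senders. The following added example (not Talos code) parses constructed DNS query-log lines, recovers the checked IP from each DNSBL query, and flags a host that checks its own egress address against at least three zones. The log format, host names, the host-to-egress-IP mapping (which in practice comes from NAT or proxy logs) and the mail_relays allowlist are all assumptions of the example.

```python
"""
Spotting a Tofsee-style DNSBL self-check in DNS query logs.

Added example, not Talos code. The DNSBL zones are those queried by the
samples in the roundup; the log lines and the egress-IP map are constructed.
"""
import re
from collections import defaultdict

DNSBL_ZONES = ("zen.spamhaus.org", "sbl-xbl.spamhaus.org", "bl.spamcop.net",
               "cbl.abuseat.org", "dnsbl.sorbs.net")
# DNSBL queries carry the checked IPv4 address with its octets reversed.
_DNSBL_RE = re.compile(
    r"^(?P<o4>\d{1,3})\.(?P<o3>\d{1,3})\.(?P<o2>\d{1,3})\.(?P<o1>\d{1,3})\."
    r"(?P<zone>" + "|".join(re.escape(z) for z in DNSBL_ZONES) + r")\.?$", re.I)
# Constructed log format: <timestamp> <client host> query <qname> <qtype>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_dnsbl_query(qname):
    """Return (checked_ip, zone) for a DNSBL lookup, or None for any other name."""
    m = _DNSBL_RE.match(qname)
    if not m:
        return None
    return ".".join(m.group(k) for k in ("o1", "o2", "o3", "o4")), m.group("zone").lower()


def find_self_checks(log_lines, egress_ips, mail_relays=frozenset(), min_zones=3):
    """
    Hosts that look up their own public address in several DNSBLs.
    egress_ips: host -> public IP it leaves the network as (NAT mapping, assumed).
    mail_relays: hosts allowed to query DNSBLs (MTAs vet inbound senders this way).
    """
    checks = defaultdict(lambda: defaultdict(set))   # host -> checked ip -> zones
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parsed = parse_dnsbl_query(m.group("qname"))
        if parsed:
            ip, zone = parsed
            checks[m.group("host")][ip].add(zone)
    findings = {}
    for host, by_ip in checks.items():
        own = egress_ips.get(host)
        if host not in mail_relays and own in by_ip and len(by_ip[own]) >= min_zones:
            findings[host] = (own, sorted(by_ip[own]))
    return findings


# Constructed log lines: ws-23 behaves like the Tofsee samples, mx-1 like a mail
# relay vetting an inbound sender, ws-31 checks an address that is not its own.
SAMPLE_LOG = """\
2021-06-01T09:12:03 ws-23 query www.google.com A
2021-06-01T09:12:04 ws-23 query 249.5.55.69.zen.spamhaus.org A
2021-06-01T09:12:04 ws-23 query 249.5.55.69.sbl-xbl.spamhaus.org A
2021-06-01T09:12:04 ws-23 query 249.5.55.69.bl.spamcop.net A
2021-06-01T09:12:05 ws-23 query 249.5.55.69.cbl.abuseat.org A
2021-06-01T09:12:05 ws-23 query 249.5.55.69.dnsbl.sorbs.net A
2021-06-01T09:12:05 ws-23 query 249.5.55.69.in-addr.arpa PTR
2021-06-01T09:13:10 mx-1 query 77.88.99.203.zen.spamhaus.org A
2021-06-01T09:13:10 mx-1 query 77.88.99.203.bl.spamcop.net A
2021-06-01T09:13:10 mx-1 query 77.88.99.203.dnsbl.sorbs.net A
2021-06-01T09:14:00 ws-31 query 10.0.0.8.zen.spamhaus.org A
""".splitlines()
EGRESS = {"ws-23": "69.55.5.249", "ws-31": "69.55.5.249", "mx-1": "69.55.5.250"}

if __name__ == "__main__":
    for host, (ip, zones) in find_self_checks(SAMPLE_LOG, EGRESS, mail_relays={"mx-1"}).items():
        print(f"{host} checked its own egress address {ip} against {len(zones)} DNSBLs: {zones}")
```

Because workstations behind a NAT share one egress address, the mapping is what turns "someone checked 69.55.5.249" into "this host checked itself"; without it, fall back to counting distinct DNSBL zones per workstation, which is still unusual for anything that is not an MTA.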

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Packed.Dridex-9865326-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
Mutexes Occurrences
<random, matching [A-Z0-9]{10}> 25
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
172[.]217[.]11[.]46 25
104[.]23[.]98[.]190 13
104[.]23[.]99[.]190 12
72[.]21[.]81[.]240 9
172[.]217[.]197[.]138/31 7
172[.]217[.]197[.]100/31 6
172[.]217[.]197[.]113 4
172[.]217[.]197[.]102 4
23[.]3[.]13[.]88 2
173[.]194[.]207[.]139 1
173[.]194[.]175[.]94 1
173[.]194[.]207[.]94 1
23[.]3[.]13[.]154 1
172[.]217[.]197[.]132 1
209[.]85[.]201[.]94 1
209[.]85[.]201[.]139 1
209[.]85[.]144[.]106 1
173[.]194[.]207[.]84 1
173[.]194[.]5[.]199 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
pastebin[.]com 25
w[.]google[.]com 25
www3[.]l[.]google[.]com 19
cs11[.]wpc[.]v0cdn[.]net 9
www[.]z4wzhpqyvn[.]com 2
www[.]fjmzadzjrz[.]com 2
www[.]wcrdnr6eq4[.]com 2
www[.]51ihqtmot3[.]com 2
www[.]yinbd282ty[.]com 2
www[.]iaojhmhmaw[.]com 2
www[.]g9ijggtbch[.]com 2
www[.]hrwgfkzykj[.]com 2
www[.]efyyyupdjs[.]com 1
www[.]ya5sbh3sqt[.]com 1
www[.]wqymaufby0[.]com 1
www[.]qh9mxz1yvn[.]com 1
www[.]ycpjmfth5c[.]com 1
www[.]4w1mvj8zig[.]com 1
www[.]hvzucmfsmm[.]com 1
www[.]lc2fqjwbev[.]com 1
www[.]pcuyg4erhj[.]com 1
www[.]x1ocwl0soc[.]com 1
www[.]fn3fpnnatl[.]com 1
www[.]v1my9fjls5[.]com 1
www[.]4ljhqiyeaz[.]com 1
*See JSON for more IOCs
Files and/or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 25
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 2
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 2

File Hashes

0254b7ce3b4536cb34d9e86d3c6b154266fcb8dce343bdb6e013eb9a23405017 06e00fc1d84002c374c949e75fa3c1e864bc3c128f4a44bdfaaaa594cd11907c 0926f24616146d7ce4313f796c96f5cdf35a27382abde43f30c03fb3d2426748 0d8b29f2057a759e3eaa90c8e5707e9e18e77591ef8eb5ab7e53da7fc340b76b 121323040f99ccf614075afeed2035d14b052f7df73f90499d11f0b78aeef7d9 15373af1f8213f54eee4880dd4cc6ad5d712e373fd15ea1dce2cbda880d7b114 1a1d7bbfa4c10537c9a01ff5870e2e42351e15baaa9df46ef63eae690152db62 20e855c43cbf7c554dff9432aefd2e093331fdf1f892800f2ae35c5d22a901d2 2348f9496633876ace4fc2fbbac7121eb914c7516201f86c386af24acc1e7373 24b58c2a8e8962f34d8484d10c0bda8a7a2a5e6789196e21cd0d7fcc89626784 28848205d34d018ad6e850d38b10735fc777978afa4b2c61f26d1ed5b0b81235 2be8beca5fd09d286c1b2e42510cf33a24defa865dcd723b16864ddf3fd052bf 2cf2c046172602182de25e7e05866705d5286f413178829f06cc5d1b78947c8c 2cfb2dd17eaab30aaad9ac24f073123bf845dbdf2ebb5e3b9f1d9c770ccd0d0a 352f853baab07817067645372c9d6c1d8eb720ae5ee42ca12255353f6cbd4fae 364a46b4978330382b93ca177bd890594072806c863d9424637a4b59ff1e99f6 3a5593b9d6c99c73d2aee5620b618d13a7dbb2f2091d465edf5e05368e3308fc 3ad494086c6fedb6c50b84134b0e8adaa4dd2d41f987700cab55e820f856d027 3f703fc11695619e389ba9485371213a5c2ad82951786c1455779bb263d4ea74 41700f3c7a5fe30ba1de03aaa57dcb61879369fbade060e98f278560d3f125bc 45eaba2e79050a78bccd3b57f12b1c3e4b1c78bf35cb3886c74b87d871c30703 483c96b12b7d1523bfcb05384ea4bbe36596737ff151a4ecc09c2ec03be19160 4f15cc9179acae075c41f1c90d2ff7c08e6c41e81949ea96f05a1c5873949c63 57e13a4e674937d61fbfaed67736e20b73289e6449d715187570717805682faa 5c18243f68ee274dc2f954c48ccb8b41e91e484423396e5da9476969b19983aa
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Malware.Nymaim-9867802-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 25
<HKCU>\SOFTWARE\MICROSOFT\KPQL 25
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
25
<HKCU>\SOFTWARE\MICROSOFT\KPQL
Value Name: efp
25
Mutexes Occurrences
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352} 25
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C} 25
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52} 25
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F} 25
Local\{B13D69F8-F0AA-A818-5093-74D6601607EE} 25
Local\{364979D3-CCFF-AEC0-03C9-4C6906B10346} 25
Local\{E55AD28E-29DB-FB2A-7AB3-28939E6ED727} 25
Local\{2108A98F-ACBD-2FE7-D53C-93FC5D6695D7} 25
Local\{4899F29A-B7BA-F314-6D9A-858BAF4735BE} 25
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
173[.]194[.]207[.]95 1
52[.]114[.]128[.]43 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
uydfbjpthdtq[.]net 25
qaazcllx[.]net 25
dptutldzq[.]net 25
nxunam[.]net 25
dsfrgrcva[.]net 25
qcobkflauih[.]com 25
foiogpm[.]pw 25
dpwteyrfydnb[.]net 25
kakobcq[.]net 25
wzdcm[.]in 25
zbypgqcam[.]net 25
nmjbnr[.]in 25
rhhxx[.]net 25
wpjbzmww[.]com 25
befekren[.]pw 25
vgzpnpovynaw[.]pw 25
kznaejcpk[.]pw 25
lukupgu[.]in 25
xzvuyfea[.]pw 25
rkmlqmzehtbz[.]in 25
emwoy[.]in 25
fhogp[.]net 25
jaawlybulwse[.]pw 25
sulwjhezi[.]com 25
ovgmopokzko[.]pw 25
*See JSON for more IOCs
Files and/or directories created Occurrences
%ProgramData%\ph 25
%ProgramData%\ph\eqdw.dbc 25
%ProgramData%\ph\fktiipx.ftf 25
%TEMP%\gocf.ksv 25
%TEMP%\kpqlnn.iuy 25
%ProgramData%\jzk\icolry.ylg 25
%TEMP%\qnvgtx.eww 25
%ProgramData%\jzk\betrwq.wot 25
%TEMP%\xyubi.zds 25

File Hashes

02b6213f28193d14250876375a628037afb3e34ea572cc554cd5aab708b785ab 0337c52766f4942d188bd6101b475487ea212983e9c55e769cee83d60dcb1d8e 0368a0c1c032c8afc5a407633323408883b15620c69feac017992a2f538c6a75 0791ce41b1b0fbe8b2d29d0c9777aebc004b22f6ea59249556638129246af14b 084a76b560b06bd7bbcf7b7e4b07a4485fb452d691e928557baa724aa4413a17 0b4e19b2eacf0cbcc4ac855ee0055e61123d51a91836d994236bb7ae4f103906 0b729bc086df1477d6b3f4a49c7ed3972d6e2a0bd5494c3582744fabc52c4ee6 0d00cbd2fa635ab876a0cf19d3268e8a7c4632a947403f9279f0e460c200992d 0ddc71164c0b3c76b39d39ac8dc2af71cc46b125c8ac96b428e881023fae50f8 112146fe7e30c07ed6f22093a693a301c2f633732167f57e1686cb45b24adbe8 113fe2ba713aa8084f0d660d974e82c5279b9f2248862c0a163d43f3743f3325 11a312998a917f6f398cfae1c43c493fa43cc850f858fb5cf0c5510f82ced622 14fbd3efc569e398d3863ff5e7bd204c97192ef8eb42645435a9e91c2c50a42a 15d872f9788568a5e4c1af520ec6bfa2fb41b584152e5a1cea6b0b83c16348e4 160a59f34d275b271f2cc61657a4b652803cc541aeae65bd6d00fa38cb68bef8 1926b61724ae11882d62f46a993545bbcdf7cbccc352841198d1f30a4079d466 1c3020e530498dc64e64154da5b089b6a6564b2542aa8d2507f95aaa5f00003f 1db91e1dc47df8ba3de19a6385e13959bfab6fc6ec86b5d097f2177a5e35f034 1dd809c7e63ddf2ffa4416a0ca3a5ea678b10dbf802a35fbcb6f60f781cd403f 1f3384e9df8a653593c662e5b293968c7271beef6daa49604eb3fd8b2a14d94b 2031dc1c77f2ccc437156494e8dd33146ded7b23d9b9f1cb33c97f458920e3cb 22924e0f0996e5704148f8863c6e8aeb6b72e6c6abb8de3d73abb65c1d718a22 264be9e71078cce3bd550d9f090b52dbe21fab38cc01ba9df26e11e15119a764 287a3efdc5eaf0ab784f4524312a878dab744f300c51e5c51a7c9d8d18e363ff 2ccbefb18f24d825b524ebcfaace361576f013fdc4eb60d8cf36e7711955c2fe
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Trojan.Zegost-9865428-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 44 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: PromptOnSecureDesktop
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: BEEP
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: ErrorService
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: svcname
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ConnectGroup
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EL5DST3F\PARAMETERS 8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: El5dST3F
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EL5DST3F\PARAMETERS
Value Name: ServiceDll
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BIGBE3HE\PARAMETERS 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: BIgbe3he
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BIGBE3HE\PARAMETERS
Value Name: ServiceDll
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HP5SEKDI\PARAMETERS 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: HP5SEkDi
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\HP5SEKDI\PARAMETERS
Value Name: ServiceDll
5
Mutexes Occurrences
Global\KFIStart Menu 25
86IRDTISDKVTE5cguP/5w5c17ftqETlRDHi= 3
yeY5uO/Sveo17jITE6lSmTIsETE1u-DgCTAP/m== 3
CK8TDjZpBKIpmTIsETE1u-DgCTVRDKkh 3
86ZpDjITE6tPDScgveHRmOcewKNQDTyZ/m== 2
wPVpDjysEjZ1EjITESc2yOhqETlRDgi= 1
86tODK8TDThZEidsEjETmOgT7jNPDjVs/m== 1
EjATDjVpDTZSmTIsETE1u-DgCTVRDKoh 1
yfANCKtpE6tSDjV1EjITESc2yOhqC6lZD/i= 1
86VNDT8QBKtPE5cgveHRmOcewKNZBKUh 1
yfAZCKZSBKANCKl1EjITESc2yOhqETEZBHi= 1
y6VSCKEZDjEPEidsEjETmOgT7jNZDKkh 1
86yPE6IND6E1EjITESc2yOhqDjhQ/m== 1
wPUUxOD1u6yODjhQmTIsETE1u-DgCTVRDKoh 1
8eAZE6yPDjIQDScgveHRmOcewKNZDKlR/m== 1
yf/eD68sE6lSD68QmTIsETE1u-DgCTVRDKkh 1
y68REjZZEjhTD5dsEjETmOgT7jNSE6lS/m== 1
86ySDThSEjANCJdsEjETmOgT7jNZDKlR/m== 1
86hZETVNEThpDJdsEjETmOgT7jNSEjIZ/m== 1
y6yPETIRE6l17zYUxJc17ftqBKlRDHi= 1
y6yPETZRCKV1EjITESc2yOhqD6ER/m== 1
yfhsE6EODjlpCKh1EjITESc2yOhqBKlR/m== 1
y-7pu-7bveARmTIsETE1u-DgCTVRDKkh 1
86VsC6INETARDJdsEjETmOgT7jNZDKlR/m== 1
*See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
157[.]122[.]62[.]205 5
59[.]42[.]71[.]178 4
14[.]210[.]222[.]241 3
189[.]163[.]17[.]5 2
183[.]236[.]2[.]18 1
188[.]5[.]4[.]96 1
77[.]4[.]7[.]92 1
23[.]89[.]5[.]60 1
219[.]132[.]66[.]14 1
183[.]44[.]163[.]231 1
113[.]103[.]214[.]31 1
14[.]210[.]98[.]141 1
59[.]35[.]32[.]87 1
219[.]132[.]74[.]85 1
14[.]113[.]128[.]191 1
64[.]106[.]148[.]71 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
452799839[.]3322[.]org 3
a306310821[.]gnway[.]net 2
qiangqiang32101[.]3322[.]org 2
q503983725[.]3322[.]org 1
a450526783[.]3322[.]org 1
312789691[.]3322[.]org 1
qq444914178[.]3322[.]org 1
a846578461[.]gicp[.]net 1
qq849181440[.]3322[.]org 1
q814287263[.]3322[.]org 1
a6613452[.]3322[.]org 1
zxcvbnm65777[.]3322[.]org 1
aa81667376[.]gicp[.]net 1
qwe553101557[.]3322[.]org 1
a997321466[.]gicp[.]net 1
a616713144[.]3322[.]org 1
a782842790[.]3322[.]org 1
q6623010[.]gicp[.]net 1
q6629048[.]3322[.]org 1
qw312570947[.]3322[.]org 1
suyoujia0[.]3322[.]org 1
a839342100[.]3322[.]org 1
Files and/or directories created Occurrences
%System32%\<random, matching '[a-zA-Z0-9]{6}'>.pic 44
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu 25
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 25
%ProgramFiles(x86)%\MSN 25
%SystemRoot%\SysWOW64\systemwin.log 25
%TEMP%\wqewqe.dat 25
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{6}'>.pic 25
%TEMP%\<random, matching '[0-9]{9}'>.bmp 25
%TEMP%\<random, matching '[0-9]{9}'>.lz 25
%TEMP%\<random, matching '[0-9]{6}'>.bmp 20
%TEMP%\<random, matching '[0-9]{6}'>.lz 20
%TEMP%\<random, matching '[0-9]{6}'>.jpg 6
%TEMP%\<random, matching '[0-9]{9}'>.jpg 5
%TEMP%\91531.lz 1
%TEMP%\88875.lz 1
%TEMP%\88890.bmp 1
%TEMP%\85546.lz 1
%TEMP%\85562.bmp 1
%TEMP%\87906.bmp 1
%TEMP%\87906.lz 1
%TEMP%\91796.bmp 1
%TEMP%\91796.lz 1
%TEMP%\89671.lz 1
%TEMP%\89687.bmp 1
%TEMP%\92531.bmp 1
*See JSON for more IOCs

File Hashes

03221a44767c018311b56cc2dd52a656f68c2a82edac26a35a526a12d02efe55 05aaf5534e5755e9a1ccd33f98b501996e9c95e678aca9b08b10437fd02f742b 0dbe5b849434d15c423005e73b99f7ec01f6d87d1fca437e45a526a7b4a35949 13b9a471ed6c65cd3459ec0d61a24426b13fdbd1b11439810696735820bc3f45 1e2a3ccd1ec4b61410b6b25462353e42ef5497f1e68ba42722c4f95f085c6251 22381dcc47f682a96b7eb227ba17970e848a06bd3672025761a46043b55ecb8b 238794824497f63b6be25ade28b09b442e8a22b0762a81617004de7e6daefc58 24f54e86fe02c42f220fc4409fd27f7f4dbcbda4647e058a106b6dead9402135 27c55e598c8fd51fd55900fe32031d3a1067966337de9f55c68aa6dfefb5ab6b 2a231a53300e818227e2f5b2c24e361fbf191e5cdbfcf75fc1f17d1d6100afd3 3060de24eee6cc6b787542449d3dbd9776b96f2eafaf49e49fb803f8618040cd 33b3dfc398dbcf097a9857d9beb823194a2dd64f42d4de80077e2b24841c5339 417ba4d301ab99369ddcb5534ed6b9e95c52a7b071848fbf7c624db2ce17a1a2 422aeebf8d9fbd5f4a6140bf6a78563b224c3811116547eb30629f9f53d0da22 463300ad6d07e70f4dcc2dfc7b034173cd8e14bdc2796f068ab0c80a4d83a95e 47e7b910863c9fdcb7c170d285543f8ebf7163c79640f37fcc884c0cf0758754 54d1e4cabf546cb80b660a9df6ab3e7a3a2593bd66c748bc68f5b526e933dd92 57e7c6204658482c676b36d8ec11c62cbe44b23c81ba74909ea887b928833e4d 5bd0605867e662b8a32943db9ad2bf3df3b0524e3448ee65b2be7290442dee97 60af0304708602c1dc121f4067b6953de45bcf56dcb611ee496b62797f2943e5 63d0b752fa53dd45e0cd65e26fa952046be86fbeafdf3a63a8f8d838ed3e4b84 6865d809278b555dd6ce0db09421f5a4be871caa8420dd191638952f6bccc4fd 68bb4f6151b25933933e871d5619ae26dba2015b9499d89f66d1c9d5835ceaea 691682d25a004976d062e9cb1530d39408e52e8a0f25fd80cf6176870e6ba68f 7014b674bbccd49f3741ae51016a21c7d6d65ec2333b9fe05aea2f0672831369
*See JSON for more IOCs
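Several families in this roundup leave the same class of registry evidence: Tofsee adds a Windows Defender path exclusion for its randomly named SysWOW64 binary, Dridex writes a RunOnce value named trkcore and sets DisableTaskMgr, Zegost sets EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to silence UAC and registers an eight-character svchost group with a ServiceDll, and the Redline samples in the section that follows write the Winlogon Shell, Windows load/run and Policies\Explorer\Run values. The following added example (not Talos code) expresses each of these as a rule over registry value-set events. The event format (host | TargetObject | Details, in the style of Sysmon Event ID 13), the host names, SIDs and paths in SAMPLE_EVENTS, and the rule names are all constructed for the example; the svchost rules require a digit in the group name because legitimate svchost groups such as netsvcs and termsvcs are plain words while the Zegost names (El5dST3F, BIgbe3he, HP5SEkDi) all carry one.

```python
"""
Registry-write rules for the persistence and defence-evasion behaviour seen
in this roundup. Added example, not Talos code; events are constructed in a
Sysmon Event ID 13 (RegistryEvent, value set) style: host | TargetObject | Details.
"""
import re

# Constructed sample events (hosts, SIDs and paths are invented).
SAMPLE_EVENTS = r"""
srv-02 | HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zsgmltzo | DWORD (0x00000000)
srv-02 | HKLM\SYSTEM\ControlSet001\Services\KX7Q1B2Z\ImagePath | C:\Windows\SysWOW64\zsgmltzo
ws-05 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWORD (0x00000000)
ws-05 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin | DWORD (0x00000000)
ws-05 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop | DWORD (0x00000000)
ws-05 | HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\El5dST3F | El5dST3F
ws-05 | HKLM\SYSTEM\ControlSet001\Services\El5dST3F\Parameters\ServiceDll | C:\Windows\SysWOW64\El5dST3F.dll
ws-11 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\trkcore | C:\Users\bob\old_invoice.exe
ws-11 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr | DWORD (0x00000001)
ws-19 | HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | explorer.exe, C:\Users\amy\AppData\Roaming\JavaSoft.exe
ws-19 | HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load | C:\Users\amy\AppData\Roaming\JavaSoft.exe
ws-19 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JavaSoft | C:\Users\amy\AppData\Roaming\JavaSoft.exe
ws-27 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DWORD (0x00000001)
ws-27 | HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\agent.exe | DWORD (0x00000000)
""".strip().splitlines()

LINE_RE = re.compile(r"^\s*(?P<host>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|\s*(?P<details>.*?)\s*$")
POLICY = r"\\Policies\\System\\"


def _dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x0000000N)'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def _has_digit(m, _details):
    # Legitimate svchost groups are words (netsvcs, termsvcs); Zegost's carry a digit.
    return re.search(r"\d", m.group("name")) is not None


# (rule, family it was seen with in this roundup, TargetObject pattern, predicate(match, details))
RULES = [
    ("defender-exclusion-random-syswow64", "Tofsee",
     re.compile(r"\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\SysWOW64\\[a-z]{8}$", re.I),
     lambda m, d: True),
    ("uac-disabled", "Zegost",
     re.compile(POLICY + r"(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", re.I),
     lambda m, d: _dword(d) == 0),
    ("taskmgr-disabled", "Dridex",
     re.compile(POLICY + r"DisableTaskMgr$", re.I), lambda m, d: _dword(d) == 1),
    ("runonce-trkcore", "Dridex",
     re.compile(r"\\CurrentVersion\\RunOnce\\trkcore$", re.I), lambda m, d: True),
    ("svchost-group-registered", "Zegost",
     re.compile(r"\\Windows NT\\CurrentVersion\\Svchost\\(?P<name>[A-Za-z0-9]{8})$", re.I), _has_digit),
    ("svchost-group-servicedll", "Zegost",
     re.compile(r"\\Services\\(?P<name>[A-Za-z0-9]{8})\\Parameters\\ServiceDll$", re.I), _has_digit),
    ("winlogon-shell-tampered", "Redline",
     re.compile(r"\\Winlogon\\Shell$", re.I), lambda m, d: d.strip().lower() != "explorer.exe"),
    ("windows-load-run", "Redline",
     re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\(load|run)$", re.I),
     lambda m, d: d.strip() not in ("", "(Empty)")),
    ("policies-explorer-run", "Redline",
     re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.I), lambda m, d: True),
]


def evaluate(lines):
    """Return (host, rule, family, target) for every event some rule fires on."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, target, details = m.group("host", "target", "details")
        for rule, family, pattern, pred in RULES:
            pm = pattern.search(target)
            if pm and pred(pm, details):
                findings.append((host, rule, family, target))
    return findings


def rules_by_host(findings):
    out = {}
    for host, rule, _family, _target in findings:
        out.setdefault(host, set()).add(rule)
    return out


if __name__ == "__main__":
    for host, rules in sorted(rules_by_host(evaluate(SAMPLE_EVENTS)).items()):
        print(host, sorted(rules))
```

The rule set is a starting point rather than a finished detector: EnableLUA=0 is also set by some imaging scripts, and a Defender exclusion written by a signed installer is routine, so in production each rule should also condition on the writing process (Sysmon's Image field) and, as in the BlackNet example earlier, on more than one rule firing for the same host. ws-27 in the sample, which re-enables UAC and excludes a vendor agent path, correctly produces no finding.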

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection (AMP, ThreatGrid) and the MITRE ATT&CK technique map are images that are not reproduced here.


Win.Trojan.Redline-9865594-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 4
<HKLM>\SYSTEM\CONTROLSET002\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
4
<HKU>\<User SID>
Value Name: Shell
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JavaSoft
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: JavaSoft
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: JavaSoft
2
<HKLM>\SYSTEM\CONTROLSET002\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: JavaSoft
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JavaSoft
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: JavaSoft
2
<HKLM>
Value Name: JavaSoft
2
<HKU>\<User SID>
Value Name: JavaSoft
2
<HKCU>\SOFTWARE\MICROSOFT\CTF\MSUTB
Value Name: Top
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY\SHUTDOWN
Value Name: Comment
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY
Value Name: 6005BT
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY
Value Name: LastAliveStamp
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AUTHENTICATION\LOGONUI\LOGONSOUNDPLAYED
Value Name: LogonUIChecked
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RunLogonScriptSync
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RefCount
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMGMT\PARAMETERS
Value Name: ServiceDllUnloadOnStop
1
Mutexes Occurrences
SSS 4
2562100796 2
lol 2
Local\MSCTF.Asm.MutexWinlogon0 1
Local\MSCTF.CtfMonitorInstMutexWinlogon0 1
Local\TASKMGR.879e4d63-6c0e-4544-97f2-1244bd3f6de0 1
asd-6+094997_ 1
1064473250 1
1544990097 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
69[.]16[.]231[.]57 2
52[.]185[.]71[.]28 1
52[.]137[.]90[.]34 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
synthetic-lab[.]biz 4
football-x[.]org 4
psport-live[.]biz 4
redir[.]update[.]microsoft[.]com[.]nsatc[.]net 2
usa[.]cc 2
pandcity[.]usa[.]cc 2
www[.]bing[.]com 1
sa22[.]ircqforum[.]com 1
staysafeonlinebeta[.]com 1
Files and or directories created Occurrences
%ProgramData%\Local Settings 2
%ProgramData%\Local Settings\Temp 2
%APPDATA%\JavaSoft 2
%System32%\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb 1
%System32%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 1
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini 1
%TEMP%\RarSFX0 1
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe 1
%ProgramFiles(x86)%\Local Settings\Temp\msskjib.com 1
%ProgramFiles(x86)%\Local Settings\Temp\mscipgo.bat 1
%TEMP%\RarSFX0\andr2.exe 1
%TEMP%\~ZY61E1.tmp 1
%ProgramData%\Local Settings\Temp\msczyqc.com 1
%APPDATA%\Netscape 1
%TEMP%\~ZYD78D.tmp 1
%ProgramData%\Local Settings\Temp\mszebvyo.com 1
%APPDATA%\7-Zip 1
%CommonProgramFiles%\System\Ole DB\..bat 1
%CommonProgramFiles%\System\Ole DB\System.exe 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

ThreatGrid

Malware

MITRE ATT&CK


Win.Trojan.Zbot-9866263-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 51 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svmhost.exe
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svmhost.exe
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1d98184acc9c185e3d95774d5986a39b967ce6c86fa8ac92c2592bd406910741
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Explorer
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Explorer
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 21bee7f4354a84842fa9237018c797dbec89eebd280a67d4a1ca1ce748232934
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 294120eceb789b113510e1bd3e59c5ea9f87d7a14b553c94de88a95567516b68
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RjU4MDUxOTg2OUQxNDkyN0
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wdm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 2e2b20cab29fc0d8f048f905656f2491404726fa9a8952e3c06005b05e8eaee3
1
Mutexes Occurrences
FvLQ49IlzIyLjj6m 3
d35ada68-Mutex 3
2
sexynewmutex 2
sexynewmutex-readfile 2
RURFRTY5OENCQTFBNUUxQk 1
RjU4MDUxOTg2OUQxNDkyN0 1
ED4B36BE3214F1690DF2545709CB1BD576A4159F 1
BC17A4AEE5F9DA5B7CDA6592CEAAF7CC17AE5070 1
CF1759C4F2A8F2DB557D60E88CEBC7BF65A0B433 1
58DD08C98F1670E1F1859B893C58A7305F84FE20 1
776786997A6F8E9EB25A95A1D7295C5B4DE00A33 1
DC_MUTEX-C8B30ES 1
\Sessions\1\AppContainerNamedObjects\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708\d35ada68-Mutex 1
FFE08814A455404ADFBE0F71E5127E5A52B8680B 1
2594A7B1C59091E487BE104F798852D10EF7322B 1
E2C84B61B854E01E14175710963048B3604ACB09 1
F5790099EA681EA0D1C983A6BDC8C36A593EB9E5 1
2594A7B1C59091E487BE104F798852D178A7939B 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
52[.]137[.]90[.]34 7
212[.]83[.]168[.]196 3
184[.]105[.]192[.]2 2
69[.]172[.]201[.]226 1
199[.]184[.]144[.]150 1
45[.]60[.]77[.]201 1
18[.]207[.]9[.]28 1
78[.]132[.]127[.]83 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
redir[.]update[.]microsoft[.]com[.]nsatc[.]net 7
windowsupdate[.]microsoft[.]com 7
gamefans[.]eu 7
baszodjmeg[.]me 7
api[.]wipmania[.]com 3
hipsdontlie[.]info 3
tvinshot[.]info 3
newtvcast[.]com 3
yaboyyoshi[.]info 2
new[.]pusikuracbre[.]me 2
www[.]wheretowatch[.]com 1
www[.]motionpictures[.]org 1
hotfile[.]com 1
www[.]mpaa[.]org 1
m31[.]sytes[.]net 1
m3[.]sytes[.]net 1
5yzfsyz[.]x[.]incapdns[.]net 1
Files and or directories created Occurrences
%APPDATA%\<random, matching '[A-Fa-z0-9]{5,8}'>.exe 18
\autorun.inf 2
E:\autorun.inf 2
%System32%\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb 2
%System32%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 2
%System32%\sru\SRU.chk 2
%System32%\sru\SRU.log 2
%System32%\sru\SRUDB.dat 2
E:\{Administrator-sexynewmutex} 2
E:\{Administrator-sexynewmutex}\svmhost.exe 2
\{Administrator-sexynewmutex}\svmhost.exe 2
%APPDATA%\svchost64.exe 2
%SystemRoot%\Temp\scs3A.tmp 1
%SystemRoot%\Temp\scs3B.tmp 1
%SystemRoot%\Temp\scs3C.tmp 1
%SystemRoot%\Temp\scs3D.tmp 1
%SystemRoot%\Temp\scs3E.tmp 1
%SystemRoot%\Temp\scs3F.tmp 1
%SystemRoot%\Temp\scs42.tmp 1
%System32%\sru\SRUtmp.log 1
%System32%\SRU\SRU.log (copy) 1
%System32%\SRU\SRU000A8.log (copy) 1
\Documents and Settings\All Users\rkocyytl.exe 1
%SystemRoot%\Temp\scs40.tmp 1
%SystemRoot%\Temp\scs41.tmp 1
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Win.Virus.Xpiro-9865848-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0 14
<HKLM>\SOFTWARE\MICROSOFT\OFFICE\COMMON
Value Name: MID
14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\TRUSTCENTER 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\TRUSTCENTER\EXPERIMENTATION 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS 14
<HKLM>\SOFTWARE\MICROSOFT\OFFICE\COMMON\EXPERIMENT 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS\OVERRIDES 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS\OFFICECLICKTORUN 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS\OFFICECLICKTORUN\OVERRIDES 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS\ALL 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTECS\ALL\OVERRIDES 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\COMMON\CLIENTTELEMETRY 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\COMMON\CLIENTTELEMETRY\RULESLASTAUDIENCEREPORTED 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\ECS 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\ECS\OFFICECLICKTORUN 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\EXTERNALFEATUREOVERRIDES 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\EXTERNALFEATUREOVERRIDES\OFFICECLICKTORUN 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\FIRSTSESSION 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\FIRSTSESSION\OFFICECLICKTORUN 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENTCONFIGS\ECS\OFFICECLICKTORUN\CONFIGCONTEXTDATA 14
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENT 12
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\EXPERIMENT\OFFICECLICKTORUN 12
<HKCU>\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\IDENTITY 12
Mutexes Occurrences
kkq-vx_mtx55 12
kkq-vx_mtx56 12
kkq-vx_mtx57 12
kkq-vx_mtx58 12
kkq-vx_mtx59 12
kkq-vx_mtx60 12
kkq-vx_mtx61 12
kkq-vx_mtx62 12
kkq-vx_mtx63 12
kkq-vx_mtx64 12
kkq-vx_mtx65 12
kkq-vx_mtx66 12
kkq-vx_mtx67 12
kkq-vx_mtx68 12
kkq-vx_mtx69 12
kkq-vx_mtx70 12
kkq-vx_mtx71 12
kkq-vx_mtx72 12
kkq-vx_mtx73 12
kkq-vx_mtx74 12
kkq-vx_mtx75 12
kkq-vx_mtx76 12
kkq-vx_mtx77 12
kkq-vx_mtx78 12
kkq-vx_mtx79 12
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]42[.]23 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
config[.]edge[.]skype[.]com 12
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\Office\16.0 14
%TEMP%\PC-<datetime in format YYYYMMDD-MMSS>.log 14
%System32%\alg.exe 11
%System32%\<random, matching '[a-z]{8}'>.tmp 11

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software but were blocked by AMP thanks to its advanced scanning capabilities, which also protect against zero-day vulnerabilities.

Process hollowing detected - (10733)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with memory from the parent instead.
Excessively long PowerShell command detected - (5502)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse tcp payload detected - (3040)
An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1740)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
A Microsoft Office process has started a windows utility. - (600)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Kovter injection detected - (562)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Trickbot malware detected - (376)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Dealply adware detected - (236)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Gamarue malware detected - (126)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
CVE-2019-0708 detected - (105)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
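The two process-based categories above (an Office process starting a Windows utility, and an excessively long PowerShell command line) can be written as simple rules over process-creation telemetry. The Python below is an added example and not Talos or AMP code; the event layout, the constructed sample events and the 1000-character length threshold are assumptions, since the page names no threshold.

```python
"""Toy detection rules for two of the exploit-prevention categories
described above. Constructed sample events, not real telemetry; the
length threshold is an assumed value."""
from dataclasses import dataclass
import ntpath

# Office parents and Windows utilities named on the page.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}
# Assumed threshold: the page only says "very long".
LONG_COMMAND_THRESHOLD = 1000


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def office_spawned_utility(ev: ProcessEvent) -> bool:
    """True when an Office process started cmd.exe or powershell.exe."""
    return (_basename(ev.parent_image) in OFFICE_PARENTS
            and _basename(ev.image) in WINDOWS_UTILITIES)


def long_powershell_command(ev: ProcessEvent) -> bool:
    """True when a PowerShell command line exceeds the assumed threshold."""
    return (_basename(ev.image) == "powershell.exe"
            and len(ev.command_line) > LONG_COMMAND_THRESHOLD)


def evaluate(events):
    """Return (rule name, event) pairs for every rule that fired."""
    rules = (("office_spawned_utility", office_spawned_utility),
             ("long_powershell_command", long_powershell_command))
    return [(name, ev) for ev in events for name, rule in rules if rule(ev)]


# Constructed sample events (not captured telemetry). The second event's
# command line is padded with 'A' characters purely to exceed the threshold.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c start notepad"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile " + "A" * 1200),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {ev.image} <- {ev.parent_image}")
```

Only the first two sample events trigger a rule; the notepad launch from explorer.exe is reported as clean.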
