Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 1 and Oct. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Dropper.Tofsee-9899491-0
Dropper
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Dropper.Dridex-9899482-0
Dropper
Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Lokibot-9899536-1
Dropper
Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from many popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Gandcrab-9899541-0
Dropper
Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB." Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Dropper.Gh0stRAT-9899606-0
Dropper
Gh0stRAT is a well-known family of remote access trojans that provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.TeslaCrypt-9899795-1
Dropper
TeslaCrypt is a well-known ransomware family that encrypts a user's files and demands a Bitcoin payment in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Threat Breakdown Win.Dropper.Tofsee-9899491-0 Indicators of Compromise IOCs collected from dynamic analysis of 108 samples Registry Keys Occurrences <HKU>\.DEFAULT\CONTROL PANEL\BUSES
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
108
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
108
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
108
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
108
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
108
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
96
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
96
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
96
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xqekjrxm
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tmagfnti
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dwkqpxds
5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 43[.]231[.]4[.]7
108
193[.]56[.]146[.]188
108
193[.]56[.]146[.]41
92
193[.]56[.]146[.]42/31
92
77[.]222[.]55[.]43
92
92[.]38[.]129[.]26
92
185[.]49[.]68[.]143
92
157[.]240[.]229[.]174
66
142[.]250[.]80[.]100
61
208[.]76[.]50[.]50
54
208[.]76[.]51[.]51
49
40[.]93[.]207[.]0/31
49
208[.]71[.]35[.]137
48
192[.]0[.]47[.]59
46
216[.]146[.]35[.]35
43
125[.]209[.]238[.]100
39
199[.]5[.]157[.]131
38
23[.]90[.]4[.]6
34
144[.]160[.]235[.]143
28
195[.]46[.]39[.]39
26
103[.]224[.]212[.]34
24
209[.]244[.]0[.]3
23
209[.]88[.]198[.]133
22
104[.]47[.]53[.]36
22
163[.]172[.]32[.]74
22
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 249[.]5[.]55[.]69[.]in-addr[.]arpa
108
microsoft-com[.]mail[.]protection[.]outlook[.]com
108
microsoft[.]com
108
lazystax[.]ru
108
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
96
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
96
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
95
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
94
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
94
www[.]google[.]com
88
www[.]instagram[.]com
67
whois[.]arin[.]net
46
whois[.]iana[.]org
46
aspmx[.]l[.]google[.]com
42
naver[.]com
40
mx1[.]naver[.]com
39
mail[.]h-email[.]net
31
al-ip4-mx-vip1[.]prodigy[.]net
28
park-mx[.]above[.]com
24
ip[.]pr-cy[.]hacklix[.]com
22
comcast[.]net
22
mx1[.]comcast[.]net
22
mx1[.]seznam[.]cz
20
seznam[.]cz
20
ameritrade[.]com
19
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SysWOW64\config\systemprofile
108
%SystemRoot%\SysWOW64\config\systemprofile:.repos
108
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
108
%TEMP%\<random, matching '[a-z]{8}'>.exe
105
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy)
27
%TEMP%\<random, matching '[a-z]{4,9}'>.exe
5
%System32%\config\systemprofile:.repos
1
%System32%\odived\qoxyhdso.exe (copy)
1
File Hashes 00d3e2586d11de02101ab254773349c164e3ded45705bea1352caeee5e8209f1
011c36161dab3e0df978397c2ef7e47194dae0e81c720d40a730050486be8f93
02a7fc85f8caa94be6c501ccd0157b794986a723159f037072fbb6316baa0d1a
075dfe8f4a452b6520c676bc9cf82f7546d8b649bbebee17564dd517735064b7
097cf4858693e6345903098eedbdd083459a7ea3172909b35c84950640824af9
0cadd706fa77465afdf07e36cfe3155646a5ed2eee5fe326684ddbead8d64d94
0ddbc36271da1750c138a34257ef139eab4f510ac38f8dfa47d89ad56330fbde
0eaa6338d5401161ee9f22f3f55f6328da629c2a5c732642e792d84ed02cc3a4
0ef55c99542d466d852cc14457e2419fb836f71274efa7a31d8ad3a71ecd088f
114a5782411a472a5ba14390645f5f8b552d7a9e8b5ca6485bc8c6d49608b842
121df1f9649ff603598bd87ff377318f4c92d34c3b3c4469de0f60f9c9c9754d
13036cdb41f3eb48eb299c5fa8c4539588599ce7f0a290f20df7bc604c388912
16683e93ed9139d70d60b644c2e468183313492a9aa79f97941bee45301ca724
17b935eb6d91946ff5556574d69fbc49287c04b9797462c1774030c20a731979
18a43f208ee1789e6dfd1152545a462b2a061e7fc67504da436a277f0005deef
1969f6d7e39546e8ec8f434e507ed02621b43c8864e526b638e0dc0bbfeac41e
1f96ccecd63e8bf8957f7d8597c3ed27456d1aee168a374f5c5a221c733fedb4
20db0fa7c949b9fc79caee4f7138f293654d42cd33cef33859595b7756ff6a61
21047f040c1c215f6c659b6c4f8d207956ac24e00ff196ed9a3fa1bab4d046c1
2137ed65ca79dee769b7e95656a4aa9889f0079e21e8e906d96162e79458c92f
225d3db7a9fcf6a8def7db0399f1edb2d55f594b9fc83f4ebfe0d3c8d1e740ab
23f1f250500e857b77f5f0366dfb1f614532ba27381cb3d18f878c6da673150a
26b9b4114ced6c214d33444e857a5d10b0dda641cd27af14cd8966d83eaa1b02
28318fc422c34a5f04976c36b20220b9528ea9da0217fe8fd0235c0565592e87
293d66ac5f121f933a334bb29f6a328a4ee2c48fda3cb2a52856771501dd7aa8
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Dridex-9899482-0 Indicators of Compromise IOCs collected from dynamic analysis of 27 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER
27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}
27
Mutexes Occurrences {ac5b642b-c225-7367-a847-11bdf3a5e67c}
27
{24d07012-9955-711c-e323-1079ebcbe1f4}
27
{a2c9c140-d256-a4d5-6465-f62a6660f79e}
27
{a8af557b-6de9-c774-28f4-5c293f1b1769}
27
{b570fe85-587a-a133-ffc9-73821a57c0c1}
27
{<random GUID>}
9
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 116[.]203[.]16[.]95
1
103[.]59[.]105[.]226
1
Files and or directories created Occurrences %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
27
%System32%\Tasks\Ryddmbivo
27
%APPDATA%\Adobe\Flash Player\NativeCache\J3V
1
%APPDATA%\Microsoft\Windows\Start Menu\4Yjq
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\3f
1
%APPDATA%\Microsoft\Windows\Recent\YuAdpvk
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\TlbqeZZemGp
1
%APPDATA%\Adobe\Flash Player\NativeCache\7DM
1
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\qGV5ng
1
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\dIT
1
%APPDATA%\Microsoft\SystemCertificates\My\CRLs\TsYbYwF
1
%APPDATA%\Microsoft\Proof\yiL
1
%APPDATA%\Microsoft\Templates\LiveContent\tqQhZWei
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\Bs
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\RP
1
%APPDATA%\Adobe\Acrobat\wzw
1
%APPDATA%\Microsoft\SystemCertificates\My\19
1
%APPDATA%\Microsoft\PowerPoint\h17CXv
1
%APPDATA%\Microsoft\Windows\Printer Shortcuts\Jr9GtRsxtn
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\iOAi5
1
%APPDATA%\Microsoft\Signatures\fOXLc
1
%APPDATA%\Adobe\Flash Player\NativeCache\A8S
1
%APPDATA%\Microsoft\Windows\0qLx
1
%APPDATA%\Microsoft\SystemCertificates\My\CRLs\Zk4Yl3M
1
%APPDATA%\Adobe\Flash Player\NativeCache\e6H
1
*See JSON for more IOCs
File Hashes 076589afcaeead096130e5817323e5f43f00d564bc905b90450a04ba93624140
0c22b81f7b3eadbc09d2c75f5f1f4dcc8fd88f5fce866230970ba7b3c6cc9376
0d1fd5e49112b1a3b9d58cd517a1dafa2402d90f8d919f6561c7c778adfceed9
11978cd33f01e110451a0f887e276009b4cff086f3a925bff938d3a9576adc8f
21b2aeb74bbf4da535a960b13c5207a1eededcbdfb07c2c198719c746683a726
24c3cc304fb0a45e4ba0d0404ab592fbe356a7a68e01441d30dafde4c4a4171c
2b6508a674af4f0e0d6e4eb5461f4c5ce8eaf1e468a09620e44ff013acb29b20
2d0aabe4294012c66185728d3e77dcab5f58a08a17806fa2c7e7b5a22bf06b90
327980f43831763a75af17d42b339e05ffbdaedb30d3a2762726948ab94eeead
383965cd89e55e729aa8a4c72357135a78bd71939781f3c8f685998dba0996b7
3b65c64313d1e8a9f62543f5b4e9cd9cb365335d1f2c1e70c9d37aa9e9f2777c
419f31ead526b1580fe50f18b1836ea1e5463c817a0d78b69498f264258e8cef
42b19a6fc331945b6c4ce785a844d4654a1c54d817a80c26e7c80c662e59bbcb
43c156cf07c972335885535b771472572164ee8cd3f16ed722bec34045d959e8
4406bcd47a989235a1016c07f2d652b26a6f9919c560c4a2da4a473756f3e468
4484a9702247863bdc7cd46034a61a9de214e432427993c7240f21e63f5c4f6e
669d3ffd64b99035ca5bf82f66f45b60f93b444da573b54164ccd6319aad3e1f
690fa6a7b9914d9fcacc46a19e0c11ca0737e47ef32b1e47109008124c502b99
6cd9558958f50a478852008a522e7044c8321704fcfae29594badc527b9c5f63
6d5573d792e68c0f75e114010a2de989e5c79810385dd70b6ce8b66939670be0
7078056cae3950d01ead3c3a37bd720aafad90317e8d1fdc5d3ca4563840f5a3
90449707a9b52adea9f645a06e3d869d221fd2735965eeef8a1891d8d9f92ad4
9a0f1a4d3d8ec7491578250ec7fa830d98e7be7b9cef48890e43a1f8dac17bcb
9b6a5d46f0d8683a7498e88a3e61fb510bf381ee620fdf32fdc434747e9be880
9d78e1b888cffd2245ba502ba3703c3a2a6b3e7d896f9b4bb8113364ad570865
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Lokibot-9899536-1 Indicators of Compromise IOCs collected from dynamic analysis of 16 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
16
Mutexes Occurrences 3749282D282E1E80C56CAE5A
16
9DAA44F7C7955D46445DC99B
14
79693E888AE71054CE29AEB2
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 103[.]207[.]39[.]31
2
208[.]89[.]132[.]27
1
65[.]254[.]254[.]55
1
45[.]33[.]83[.]75
1
78[.]128[.]92[.]142
1
213[.]91[.]128[.]133
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]zoicstudios[.]info
10
www[.]uzojesse[.]tk
2
jesicastreetdesign[.]com
1
freakybros[.]ml
1
zoicstudios[.]info
1
Files and or directories created Occurrences %APPDATA%\D282E1
16
%APPDATA%\D282E1\1E80C5.lck
16
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
16
%APPDATA%\7C7955\5D4644.lck
15
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1
15
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\<exe name>.log
15
%APPDATA%\D282E1\1E80C5.exe
10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\po.exe
4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\notepad.exe
3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\service.lnk
2
%APPDATA%\Microsoft\Windows\Templates\service.exe
2
%System32%\Tasks\Application
2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\ord.exe
2
%HOMEPATH%\Desktop\ixplorer.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\bluetooth.exe
1
%HOMEPATH%\Desktop\iexplore.exe
1
%APPDATA%\88AE71\1054CE.hdb
1
%APPDATA%\88AE71\1054CE.lck
1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2954551483-3315113752-1243454038-500\a18ca4003deb042bbee7a40f15e1970b_3fdaf6d6-5e28-4775-a0ef-1b24a9e5f483
1
%HOMEPATH%\Start Menu\Programs\notepad.exe
1
File Hashes 15b6c12ca88a2a31a267dd9c824ba7f491c23306fb40c8b2f04d5afd61e1875d
206c6eefae5bd720d295427fac6fc5a32b66376c549f85517d61d3af7f1c9af7
43c427a102f9c7e0ed68e03627bab7f07f59d2079ef19614e4336ddfb08e0b2d
534bd1f89febfc1ef3854e4da59987896dbd6aae60d2428d7821c49cff1a8a70
54231653fed288990289da541317a03ece89cbe74beaf553c81b22fed7ca1f6d
5dd5ae19ed3633a2cc1f25c7147ed83f689b52c560e501d792c4c04497786974
6dc77546c2242b37c67fc3107086ec18458b18fd44f8ee61146630b526e999b5
90eed2f3f5c8478d6f7c41c9f8fab7751f7b56761e118eb89daf4eca8ea1f3c3
95bebad60ef380056aa1a3bf89487f7e498facddd6001a485a9b4344258151e8
a286cfb5d372f21f2e2a8da8c69a032e1dedc7d8ef582657ce20a1d9e7150238
a46a5b4af1c83f1d59b970569dedeaa89c0c66affff2c36aa97332dc7e3372e9
aa789ba2c3414a3ec6bd26a430957c8c2b2c32793cd6a7867e0c6961fd68ec62
af4eb8fb340cc741dc6b0268c6913cf66e2e326027d3d1aa7d35c18c80498bb8
b23f6c80aecb4d77b0968d98e0fb2442d05cec35f4d0850d17c7dfc899ada367
c3d67ac3416635d4fa9a5f98ff598a6210338322cbdc66347c2a7ddb2526ae41
d52fae57110e31af1cec5987170f7f2cc1cc4b79ad89d745518d5765f96902ba
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.Gandcrab-9899541-0 Indicators of Compromise IOCs collected from dynamic analysis of 21 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
21
<HKCU>\SOFTWARE\KEYS_DATA
7
<HKCU>\SOFTWARE\KEYS_DATA\DATA
7
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: public
7
<HKCU>\SOFTWARE\KEYS_DATA\DATA
Value Name: private
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aclutxml
2
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC
2
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC
Value Name: Client
2
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC
Value Name: {D7908994-4AF8-210B-0CFB-1EE5005F32E9}
2
<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\02BAB7FD-7931-84AC-1356-BDF8F7EA41AC
Value Name: {344BD002-037D-867E-2DA8-E71AB15C0BEE}
2
Mutexes Occurrences A4gds89g46dfgs
10
Local\{31F7CC8D-DC06-8BF4-6EF5-D0EF82F90493}
2
Local\{73A713E4-3646-1D08-D857-CAA18C7B9E65}
2
Local\{C955B29C-9464-E306-E60D-08C77A91BCEB}
2
{<random GUID>}
2
A4vds98f74sdvc89svwd
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 34[.]102[.]136[.]180
9
209[.]99[.]40[.]222
7
171[.]244[.]34[.]167
7
217[.]174[.]149[.]130
7
202[.]43[.]45[.]181
7
213[.]186[.]33[.]3
7
213[.]186[.]33[.]5
7
217[.]70[.]184[.]50
7
66[.]96[.]147[.]103
7
93[.]125[.]99[.]79
7
45[.]118[.]145[.]96
7
69[.]163[.]193[.]127
7
39[.]107[.]34[.]197
7
178[.]238[.]37[.]163
7
186[.]202[.]157[.]79
7
35[.]205[.]61[.]67
7
185[.]230[.]63[.]186
7
185[.]230[.]63[.]171
7
89[.]252[.]182[.]3
7
52[.]116[.]175[.]70
7
20[.]50[.]64[.]11
7
87[.]236[.]16[.]107
7
154[.]213[.]249[.]125
7
54[.]36[.]194[.]90
7
146[.]148[.]130[.]86
7
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences acbt[.]fr
7
alem[.]be
7
asl-company[.]ru
7
aurumwedding[.]ru
7
bellytobabyphotographyseattle[.]com
7
bethel[.]com[.]ve
7
big-game-fishing-croatia[.]hr
7
bloghalm[.]eu
7
blokefeed[.]club
7
boatshowradio[.]com
7
cevent[.]net
7
cyclevegas[.]com
7
dna-cp[.]com
7
h5s[.]vn
7
hoteltravel2018[.]com
7
krasnaypolyana123[.]ru
7
marketisleri[.]com
7
mauricionacif[.]com
7
nesten[.]dk
7
oceanlinen[.]com
7
picusglancus[.]pl
7
relectrica[.]com[.]mx
7
royal[.]by
7
smbardoli[.]org
7
test[.]theveeview[.]com
7
*See JSON for more IOCs
Files and or directories created Occurrences \$Recycle.Bin\KRAB-DECRYPT.txt
7
\KRAB-DECRYPT.txt
7
%HOMEPATH%\AppData\KRAB-DECRYPT.txt
7
%HOMEPATH%\Contacts\KRAB-DECRYPT.txt
7
%HOMEPATH%\Desktop\KRAB-DECRYPT.txt
7
%HOMEPATH%\Documents\KRAB-DECRYPT.txt
7
%HOMEPATH%\Documents\OneNote Notebooks\KRAB-DECRYPT.txt
7
%HOMEPATH%\Documents\OneNote Notebooks\Notes\KRAB-DECRYPT.txt
7
%HOMEPATH%\Documents\OneNote Notebooks\Personal\KRAB-DECRYPT.txt
7
%HOMEPATH%\Documents\Outlook Files\KRAB-DECRYPT.txt
7
%HOMEPATH%\Downloads\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\Links for United States\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\Links\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\MSN Websites\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\Microsoft Websites\KRAB-DECRYPT.txt
7
%HOMEPATH%\Favorites\Windows Live\KRAB-DECRYPT.txt
7
%HOMEPATH%\KRAB-DECRYPT.txt
7
%HOMEPATH%\Links\KRAB-DECRYPT.txt
7
%HOMEPATH%\Saved Games\KRAB-DECRYPT.txt
7
%HOMEPATH%\Searches\KRAB-DECRYPT.txt
7
\Users\Default\AppData\KRAB-DECRYPT.txt
7
\Users\Default\AppData\Local\KRAB-DECRYPT.txt
7
\Users\Default\AppData\Local\Microsoft\KRAB-DECRYPT.txt
7
\Users\Default\AppData\Local\Temp\KRAB-DECRYPT.txt
7
*See JSON for more IOCs
File Hashes 08828d3ef5c0b4b58fc7367d5afbbe44038b309af020d885b228ac74cc249676
0c833112edb5a3ee7bd50519d2691bcf2610f768ce9945a9b40adb80e5fb0f3e
11295933c58c8f9e3ba70a5947ceffa40fc7a906bc0e6c7450ed1ca6ec6276dd
12f938581e02501d6c3a5d814ef97ae9940d90c084672d80557a188b972f7f29
146566100789bbee3a97aad486f296ea6fb49efa918870f7819cc9d6ce7c8985
221fbd851184fadc69982812b52ed591caf8fbffd5c7b9e62848e8d4a2e08476
2e55f0f464ee3ef999585be34bedb35902fe5531c19912f02824d923aa3c9d3b
33a0f0a0399be997a6c70be74accf3d1798dffc366274cf41d5663175ae319ed
67c64eec7c531678f0f1c34d7edbe2e3884ea4ef6c61f9dd9ed7a1880297a08e
898d31fb1b7b39af8021c61fdf7214494d8a47349edd5fff2f2807018699284a
9e3b633084fe7872ba87e327cf26952b7874d0186c95af93e0501790cc5981a6
a2277ccbce73460705a3365a8152c2308b663a2877b5710d2a4a150dea9f7f45
a771f125adfc7975e4311ae53327d459a58a9b5807f8ba7f1bcc89f71d4df9f9
babe7415db87aed772a0abd04c60ded59ca6afa9fa0de095ebdfd409cead622d
c0d9c0fa4b8fe3f05702526d9e1b4ec98ec587123fbecad042bd3a1bb844decd
c14a372fdc3a4818a712bc9d8171f9fd85eabbee8a9816d56ef4279e7b065951
c4a587a8ac33adc711775771be5a2902593c25bb1503071cb6324c9789e06f05
d0f9e29a7eab87afe60e414f6880aa74bef58d2287f347c20489698bf28dd46c
d53e0d109a0a0d32020a84a2e76cab624b6cef629223852aa329d890acffd70d
eb9665c029c90e4fe5261ba52303817478253e1c1d4dea10dc312fd1db4cb855
f6eb973e121c175889753d884782fc63faeab2b47d91de6ac14720c97fe98dfe
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Umbrella
MITRE ATT&CK Win.Dropper.Gh0stRAT-9899606-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
25
Mutexes Occurrences 110.34.174.66:8000
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 110[.]34[.]174[.]66
25
Files and or directories created Occurrences %SystemRoot%\Tasks\conime.exe
25
File Hashes 087b0c3dd4df197b7b82c7d8cbff0afd226d2f49757525c98ceb20795db758c9
091a844869ce3a63a46e30ae84c2b04320cb869d060c2207bbe9b171510ea329
0c5aa061f209a8b8eae353721498d2a925ba3b7c3f53b864fba269896e68acc5
0f171772ee0fd5fb3c249785b07bbc7a5f1e489a6fc48a3e7000d6566dcc56e5
0f9f744f743f0436daad2bbc44d7932db38b268e4e6c43d60a44c1a97d95bb19
10e5535978908d189238917cba0e8067a565f66516c7b218da0e482bda2ac854
11f7c52c6803238333cca54f72a698ff35007885717453c8eae7677efd0f38ac
12d8595e51e44b9d18812e57c9101d91c7cc5211102f952f36ba667bae8c6521
1487928ef56a27ba12240dab1a83975d9d1a2939ee2bd96f43791998fb1a2b48
1587cc7f84bed37d1a927cd92bcd4d44697407bc561d805374c0f9b583294d47
18af1fc746241256268cd5d18a02c716358bc32deb1056433d3cbce4158bf865
18ed71ee519804c738c01240ef5e252d12374c13eccf43427d83b8fbb5fca087
1aa1f94a5f514b2e1d0445ee2faf0d5ba323c220d5988b1a7300cd0726f6acdc
2099d033be215d0e357ce4a28c294964010ed8cabaf5fa5b3371a43f89a5aa0b
26c5976cfda1b589508991c8febbe981ebe3d9e468fb22bd716299999c70bc3c
27bf62865dd8a2f727d5ca49f1422bdcb8d34bfddfa91375722f60d1820dc93c
2a22904a27225a19e27079cb195f17877ece1b3e920004ad6105dfd0638f94cb
2b635282d4957d455eb5684f842ab25578b8e37704e95ed2fdd40cafc0a64545
2e1c10ab8e4e40a26a33980a4c5675fd09fd9c7ecfad293e48dfad8bd3920d6f
316f3971f0a44404abdd13c9a2e2da3f5ef1a27a25f791ba97b31cb543fb939a
393b43b9e3d7ab32ad278ea4c9ea7f59a5eff215b1c95f7b9ab165c16a678e08
3a3c7379c43a11854f05211ad0756f33937596cda183fe21aa162b32b35664a1
3d9537f3edba191235b3e81150b9abbe5e533b063217d76fc7647970d665f1be
4220561b5f731dc7f88f64139ba1166fe92ada1b0475148c29ddb90ec980eefe
4460bf7fd915a3b61b9f2a631b3eccab1c952a9039d3d35f0a0df6c6a1e46372
*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP
ThreatGrid
MITRE ATT&CK Win.Dropper.TeslaCrypt-9899795-1 Indicators of Compromise IOCs collected from dynamic analysis of 11 samples Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
11
<HKCU>\SOFTWARE\ZZZSYS
11
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
11
<HKCU>\SOFTWARE\ZZZSYS
Value Name: ID
11
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
11
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: umvqymwrabft
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gftsrgpvpqcw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fpshdnaalymu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ligehkudpmje
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dmlkiokvblig
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: prvgnedtkkfx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rvgnedtkkfxr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: agyvcbuvaglg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bohvwqrsedbp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eucfpproubcd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nedtkkfxrvga
1
Mutexes Occurrences 8765-123rvr4
11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]11[.]56[.]48
11
85[.]128[.]188[.]138
11
162[.]241[.]224[.]203
11
35[.]209[.]43[.]160
11
23[.]196[.]73[.]160
11
104[.]70[.]60[.]54
10
23[.]63[.]245[.]50
5
23[.]63[.]245[.]19
5
52[.]217[.]15[.]147
4
52[.]217[.]33[.]115
3
52[.]217[.]174[.]149
1
52[.]216[.]128[.]178
1
52[.]217[.]163[.]189
1
52[.]217[.]74[.]245
1
52[.]217[.]129[.]21
1
52[.]216[.]166[.]34
1
52[.]217[.]204[.]61
1
52[.]217[.]196[.]109
1
52[.]217[.]109[.]171
1
52[.]216[.]142[.]11
1
52[.]216[.]22[.]34
1
52[.]217[.]198[.]173
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences biocarbon[.]com[.]ec
11
imagescroll[.]com
11
music[.]mbsaeger[.]com
11
stacon[.]eu
11
surrogacyandadoption[.]com
11
worldisonefamily[.]info
11
x1[.]i[.]lencr[.]org
11
apps[.]identrust[.]com
11
a767[.]dspw65[.]akamai[.]net
10
e8652[.]dscx[.]akamaiedge[.]net
10
s3-website[.]us-east-1[.]amazonaws[.]com
8
Files and or directories created Occurrences %LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\1B4JJMD7.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\1JV85UNH.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\6TSOP6FP.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\6UIR535Q.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\778OELZF.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\BDDA1TQA.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\C8UQ3ILV.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\CKFULNYU.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\D3V8ZB0V.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\DFCMI390.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\DNZVO86A.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\EOZBRPJV.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\FF9U33OW.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\FRKK5EC8.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\GRVXVJCO.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\I9JT8I4P.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\JAQ17N5E.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\KBEKKOGQ.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LAYXCVQE.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LCB33LEZ.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LCBHCHSX.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LJTF3CDQ.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\LNTPAIO9.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\MJ9G33SY.txt.mp3 (copy)
11
%LOCALAPPDATA%\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCookies\N9FEOE2J.txt.mp3 (copy)
11
*See JSON for more IOCs
File Hashes 10eb5ab09f97821d85a98a48bb3a0d4d0aeda4ff439b6df205e7b0aa5d24b1cc
1653acce9121befe0127dac3d6d4b3d2cf0e8a53a4eae8952ef2a48e57237484
2a1f5fccc95cd0fc14a720a884458516799496b5dc0344578101dbe3a3126e24
445ea5c6ce2f671713db328f8fcb90f1d2825461185aa5facaa156c259353189
5d35cded7c61504c44430048ae0f8061c2a7a6cfe6f618177fcbcf713596a878
748dacb306ab28591852398c552b3ad36e80a8623effdf89b9108cc867f1641e
991ab49a7e414ae0edbe393cc7bb2ac78c613b3c008785e286a4ebf516a841a7
9c50af11523c026073dde45f066424f0033caa6744b82118f3e038e6f4580557
9d99788db3e3f5603f171726a9cdac0ffdbef3fe25707804ec1c5f029b4e82e1
bc4b5884283bfee1c83d614fb3327d84553aa22c548ceb84315504bc4b6c15a6
f60bdcf47992c08efa92a2f0bfec61ef32420dfb2ed32d561c639b28161836a8
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP
ThreatGrid
Umbrella
MITRE ATT&CK Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Process hollowing detected - (28541)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Expiro Malware detected - (10641)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Crystalbit-Apple DLL double hijack detected - (6857)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (5627)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (3804)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
CVE-2020-1472 exploit detected - (3451)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Reverse tcp payload detected - (2013)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Dealply adware detected - (1850)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Squiblydoo application control bypass attempt detected. - (803)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (771)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.