Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 22 and Oct. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Dropper.Remcos-9903810-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Tofsee-9903820-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Trojan.Xpiro-9903900-1 Trojan Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Emotet-9904032-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Ramnit-9904041-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Ransomware.Cerber-9904050-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Dropper.NetWire-9904130-1 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.TinyBanker-9904138-1 Dropper TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Dropper.Remcos-9903810-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: BrowserUpdateCheck
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MyApp
1
<HKCU>\SOFTWARE\REMCOS_IHHEGJWNJK 1
<HKCU>\SOFTWARE\REMCOS_IHHEGJWNJK
Value Name: EXEpath
1
<HKCU>\SOFTWARE\REMCOS-M9RNM0 1
<HKCU>\SOFTWARE\REMCOS-M9RNM0
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-M9RNM0
Value Name: licence
1
MutexesOccurrences
Global\{0f3d3d41-f68b-4ed8-a46e-7dd76651607e} 7
Remcos_Mutex_Inj 2
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 2
Global\{e715d547-af12-4ce5-907a-b3b380ee1dfd} 2
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A 1
A2CF1074-2C1AFDB0-AF235135-45144883-7545030AF 1
A2CF10742-C1AFDB0A-F2351354-CC375AA2-D342E31C 1
remcos_ihhegjwnjk 1
Remcos-M9RNM0 1
Global\cf1da881-32ba-11ec-b5f8-00501e3ae7b6 1
A2CF10742-C1AFDB0A-F2351354-D28701BC-D992AA35 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
192[.]169[.]69[.]25 7
181[.]58[.]133[.]41 2
91[.]189[.]180[.]203 1
79[.]134[.]225[.]126 1
23[.]21[.]27[.]29 1
34[.]202[.]33[.]33 1
69[.]65[.]7[.]140 1
103[.]253[.]212[.]150 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
onpcsetup[.]duckdns[.]org 7
nickdns123[.]duckdns[.]org 2
checkip[.]amazonaws[.]com 1
checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com 1
smkamsir1parepare[.]sch[.]id 1
fdsfsga[.]ru 1
fdsdfgdfgdf[.]ru 1
www[.]okugbawaha[.]icu 1
newrr[.]duckdns[.]org 1
Files and or directories createdOccurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 9
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\run.dat 8
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 7
%APPDATA%\regam 6
%LOCALAPPDATA%\Restore-My-Files.txt 5
%TEMP%\Restore-My-Files.txt 5
%HOMEPATH%\Documents\Restore-My-Files.txt 5
%ProgramFiles(x86)%\Microsoft Silverlight\5.1.30514.0\Restore-My-Files.txt 5
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml 5
%ProgramData%\Sun\Java\Java Update\jaureglist.xml 5
%APPDATA%\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\seed_cc.au3 5

*See JSON for more IOCs

File Hashes

0adee255e0d75eafd4befa87db81cc46a07418888f9908a254dcccbe2ee65cad
146c32defcfd375d34c705ed8f39e7c459059457ba2bee278db384d5f4d8d38a
322a50c38c2b13b93bbe2bcbc17e5af12a23c49d2e78e473086eeaaefe31a479
375a41be516e0214433a2ee50927e9f7733f60dc557f006f1bd73652abcac545
39f62d3f0199e801d3c7612486a4371b6cea2134f11bb9a966fa97f374e96e66
42bf74ca972fdd0d6ee1e42493696e221cb44023134662d09ab6794414394800
434eb217715b04f1583e261ae1023d0d6c3cb24114b5fef2a3dc748f825c3d92
5b143cc1d066931ed32c2b82a9bdb02c4f6ceb795c1cb9fcc4cde8d845b0d0b8
61d01c6125cb6cb20d0f1a93a4ffb7603d35a6c5cb1d50d718fa0028591d32ec
6391c49f4379c8c9a33d2d0deb17d270b729d22a638be7c89654f87032aebe53
92320317cc43d7cf8d9c485c416a936c3ac907b298c27ea9fa9972e8d680b099
95e3958d8fca23338b6e7f1cb9aa4e4d5437481a8a775405839f7f7da7ba7972
95f71c09cde2c012e0af23f981f10141dbcdc5962483a660ac0fadd8db1bb180
9be2ad4ee3778b598710f72fc125bf2efdc1075fa305715260637648e46d9c54
9c261172218d260c183ac2587231f4adb22e1ec6a278c05fe0786486aa0dda70
aa0449605517e7086f72462ee2dc9474d51ad41587053a702f91b10bbda6eb26
b2ea364c96bc619fcabd7897e894af02da8341fd8012b8642f9bc89c33725828
b5124674cda080ec6e8e4d9e88988e480d47a6a2f339b547920a2ab097f1eaa6
b82f27aa1371b225a4a0351a0aa408472635372a49b788074d7bb4b9f072226f
c327a026226ce7e6b73b16fa5d2ee2062eb57868697e5103cbbc003458d01025
d97ad431f6ebb87ebb48bdb99bf8d16483fd9475b4455dafd2de08ecabaa3074
dc63c1c703834654d3f0ae229c15c52230d6ff166ae6aba5675ea3e896211476
e09293bc1f34671b1971c8955674095fde6701c5691f4c5ec3fef3027242ebf0
e5f177f0c929ac35edd10a443083e201a526b706eba1a416d26f060427eac395
eacf104e7d08d20c3aa12cec79fc05881e257a26691f044e58f0ab965e4aea2c

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Tofsee-9903820-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Registry KeysOccurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
30
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 30
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
30
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
30
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
30
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
30
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
30
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\oyavrjie
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qacxtlkg
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mwytphgc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\pzbwskjf
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\scezvnmi
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\cmojfxws
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\dnpkgyxt
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vfhcyqpl
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nxzuqihd
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
192[.]0[.]47[.]59 29
157[.]240[.]229[.]174 29
142[.]250[.]80[.]68 26
216[.]146[.]35[.]35 25
208[.]76[.]51[.]51 24
125[.]209[.]238[.]100 23
211[.]231[.]108[.]46/31 23
74[.]208[.]5[.]20/31 22
51[.]81[.]57[.]58/31 22
144[.]160[.]235[.]143 21
103[.]224[.]212[.]34 20
185[.]7[.]214[.]171 20
185[.]7[.]214[.]210 20
45[.]9[.]20[.]187 20
64[.]233[.]186[.]26/31 19
117[.]53[.]116[.]15 19
193[.]222[.]135[.]150 18
119[.]205[.]212[.]219 18
67[.]195[.]204[.]72/30 18
18[.]237[.]235[.]220 18
62[.]141[.]42[.]208 18
64[.]98[.]36[.]4 17
77[.]75[.]78[.]42 17
194[.]25[.]134[.]8/31 17
212[.]77[.]101[.]4 16

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 30
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 30
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 30
249[.]5[.]55[.]69[.]in-addr[.]arpa 30
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 30
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 30
microsoft-com[.]mail[.]protection[.]outlook[.]com 30
microsoft[.]com 30
whois[.]arin[.]net 29
whois[.]iana[.]org 29
mx1[.]naver[.]com 23
www[.]google[.]com 21
comcast[.]net 21
mail[.]h-email[.]net 21
mta5[.]am0[.]yahoodns[.]net 21
al-ip4-mx-vip1[.]prodigy[.]net 21
i[.]instagram[.]com 20
www[.]instagram[.]com 20
park-mx[.]above[.]com 20
naver[.]com 20
ameritrade[.]com 20
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 19
mx1[.]nate[.]com 19
nate[.]com 19
hanmail[.]net 18

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile 30
%SystemRoot%\SysWOW64\config\systemprofile:.repos 30
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 30
%TEMP%\<random, matching '[a-z]{8}'>.exe 30
%System32%\config\systemprofile:.repos 28
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 28

File Hashes

01fc1c8f3f7cb6015374861b028ae73178396d940953f3ab5afa2242abc95df0
0820080d9f8346315bfe9a958b577862678558a683bd2c4724b04448f955955c
096cdfbfa9455b7a44c027cb1682e4d1008e0cea374baf3c9f3e985a24d3da48
104b4931f03d918ec6410dc6710ed5ab17c6029b9fd2eb6f6a890daa18a9ee63
35ed761c9528f523ca32fa7fcd22a10a0054ca525b7dfb24d2fcfe608b74837e
522fe01ad713917e4576ebda811caa26e89afae82db6034c836d2117c0b8b8a1
567db456cb0db9f620e5fdd42fec68e00327ca0e11069620da3233629472d1bf
590415dd1dc8b31595de95ca4328594ba26b7f78bfe0407aecee603e95e6f4f8
6077319fa9b069c6a0e4d41193781ae7cadbb9b3c5d97c89537627f258649102
72f7f0fc6a2deb75f9f401886f95477873ca1ab52ededa3b042d72dfbee555c3
80d9b3331375859df94321d928da7383602aaad410c0b5a3d16846125751c22e
813595f55bb3f3c88c8cf018f6eee53dcc8a9bc7fd029b8c13976a700550104a
87dbb0c99ebefbb8a2292efabebb7e04ec47684e2487b973f2ebfe96bd4cdb28
88b561b1eeb26dba490582b2b686b660275b2a7d67170133b5dbf4bba0e53485
8b7e8ab369ba6b9f9802e7874200780e6d6bd66d7719b7dbe555747b78ea5cef
8bb3f20b1cc006972e2c9489f2f3bc97004b5c284c2357eabdc8101dd7644e13
8f462fea55d4034fe7ebd32fed7db24082064108819f138054292ecbe3481c6a
91546683682fc745a5014c7dd084257c0a1bbfa666037c04572b41982a0f42ef
97a79cfdc2677fbc046b14479aa871fd31924aae6f793e321546c5b70c5f84f4
9c44185d3a4b878d61a8518ed00cdae257651db418ec331fee24c17173c7d3e2
9d8ece641726807e30c28f2bbdb262448e713ef167fdac93aaeb5172b0ee988c
9da20873f73182ae31d412398ea5a2e05afa05fd22d509df95ba4cc22433a456
a58d391c6409bad0977e1f38afbd9b98c88bc05844d2d4cafd7dceb8e8381ba4
aeb9b262a6784843ddc06f100dffb1cb5ffbee6035660559bc74504935699c05
b36bb9cf9a882f97db72a01deeee93f7ef5d06ed35fea5e23bb44ab93b892f04

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Trojan.Xpiro-9903900-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 301 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
301
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 301
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
301
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start
301
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup
301
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
301
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
301
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
301
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
301
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: ObjectName
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Type
301
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: ObjectName
301
MutexesOccurrences
Global\mlbjlegc 301
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 36
Global\Media Center Tuner Request 36
http://www.microsoft.com/windowsxp/mediacenter/ehtray.exe/singleinstancemutex 1
Global\MCStoreAddStoredType_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\MCStoreCreateTable_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\MCStoreOpen_b4cae1f9a3aead62bebb934ca33cadb730c8d3ed 1
Global\MCStoreSyncMem_02004a9f865399b5c2a02973d5e53544ed4ce2ea 1
Global\MCStoreSyncMem_5ea381292eeb3ed3e61dc84a3dbd4d7f59767eca 1
Global\MCStoreSyncMem_71bdfe29063ac557a4e7b3205ed180408457fcd4 1
Global\MCStoreSyncMem_7715dc857070a1523dea43f32f1fe67c1ce58e0b 1
Global\PVRDiskMonitorLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\PVRLibraryLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\PVRPriorityWriteLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\PVRScheduleWriteLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\PVRSchedulerWorkerBulkUpdateLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 1
Global\SAL.2562100796.65536.40906.gl 1
Global\SAL.2562100796.65536.40906.ofl 1
Global\SAL.2562100796.65536.40906.wof 1
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db 1
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:x 1
Global\eHome_DbMutex_1 1
Global\eHome_DbMutex_2 1
Global\eHome_DbMutex_3 1
Global\eHome_DbMutex_4 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
64[.]70[.]19[.]203 1
69[.]16[.]231[.]59 1
91[.]203[.]144[.]150 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
wpad[.]example[.]org 9
_ldap[.]_tcp[.]dc[.]_msdcs[.]example[.]org 6
computer[.]example[.]org 4
isatap[.]example[.]org 3
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 2
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 2
www[.]msftncsi[.]com 1
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 1
xezlifewvupazah[.]ws 1
aninamilixif[.]ws 1
amonuwezed-picriv[.]ws 1
ytocmoxjedkiciten[.]biz 1
r8decub-ydyg[.]ru 1
upojawnixly-muro[.]cc 1
juwlewrifithal[.]in 1
cakydofytipi[.]biz 1
r8gefa-bugin[.]com 1
aremumhumydoc[.]in 1
r8kegy-bikav[.]com 1
r8myjo-boneb[.]com 1
eletazade-ry[.]org 1
cekhupovoxijyr[.]com 1
Files and or directories createdOccurrences
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 301
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 301
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 301
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 301
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 301
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 301
%System32%\alg.exe 301
%System32%\dllhost.exe 301
%SystemRoot%\ehome\ehrecvr.exe 301
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 301
%SystemRoot%\SysWOW64\dllhost.exe 301
%SystemRoot%\SysWOW64\svchost.exe 301
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 301
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 301
%LOCALAPPDATA%\rqboqelc 301
%LOCALAPPDATA%\rqboqelc\cmd.exe 301
%System32%\<random, matching '[a-z]{8}'>.tmp 301
%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp 301
%SystemRoot%\microsoft.net\framework64\v2.0.50727\<random, matching '[a-z]{8}'>.tmp 301
%SystemRoot%\microsoft.net\framework\v4.0.30319\<random, matching '[a-z]{8}'>.tmp 301
%SystemRoot%\microsoft.net\framework64\v4.0.30319\<random, matching '[a-z]{8}'>.tmp 301
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 300
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog 300
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 300
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 300

*See JSON for more IOCs

File Hashes

02c5c3722753f5199e764a1a7401ef2169e4a04b120adfb3fcfa8fa8e573479c
033bd1f617ca2e15357131d1f5fd4e505664bf46e3bb9dcb560c3bf8bf568a17
04bcabb185bce64e2f16947523abd4af7ad708d5ae78565f0eb73f5541054376
058da98c0e7b459665d12444a920a5d1f9baa058abe0f20fc0b52ac5702f44bd
05fe3f283fdaaf87c10739474f229f4ff4e4fb3faf27a2599bcc0e877126e7e0
0668e8eb649e50f45514bba3828861883ea2fde549f4f029dd3f0d8a25bf85b1
066c9e3c5d45399cb40177bb57d9c9db1e350319622fa7f9013b54e3276ae612
06b2bda5827d59b5e5a5d5b9216a73670074077a48560a0c80451fbd347f3af4
080e5a3a63eded752c945560de8d9c0ee483d4644475ef3f991a7f659f7c1089
09fcc024ad6950ebf13abb355dd98dbc75f7fe45979d30266d52cedbb4053225
0a9f501b1ba5c895dd52b15dfc4bdd02400e8af17ae5bb0b8b0dc89cde3a0dc8
0abad4d1c7523a6632bd44cbd1743d46e76ec15ce086cb45d946deb9a1ce78a7
0abc363e5f395818891362bf2c0200ec52890c58b4bf84bcdedc5ec864942a74
0b27ef126716eb2b5de2befcca3dc912bd0bf26ac4b2a34e019989da54dbb355
0b82383984f6441d618b53e76c7f567cf332aee7151c077606c09fdce18fdf44
0d0e5dc20240ceceb5a0b05eacf1b8b487740e6c5c90d9c8934ae7183048b783
0e3f0782a244e2d5c6a4157bf48bbf2be3002f20039d7358221c376634767f5f
0e6cfeb5410e04e85319aefb89a2042ae74437d49ac8f8239eec199309216bfe
0eb6f8335e6aeb57fd17cc34c6fb00548837093741461342672406677b9defb8
11045cab7fff44d58d71b788c797dafda423cd72e4d1741154601ae9ffcdd579
13ba3bfd2ae2e1ea9707a6cae87d2249e0d41b3ce0edb8007c48384010d9984f
146317920bde26990c2dcaca68512bf46e5744ffc322be3d462017a216bb93de
15c30a22113a5b3bf858d2f165d2e3f419193d481c20e8776be3b3c3f897b856
16f3f4c7541732748f5214a2e1ce407c3c1247798a5b52522a1bf7af14b52b0d
179e5fe6dfcd5abe23404812805dccfb92121612eb1c31053fc48c28f8c005eb

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Emotet-9904032-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Type
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Start
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ErrorControl
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ImagePath
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: DisplayName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: WOW64
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: ObjectName
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM
Value Name: Description
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
5
MutexesOccurrences
<random, matching [a-zA-Z0-9]{5,9}> 13
Global\I98B68E3C 11
Global\M98B68E3C 11
MC8D2645C 11
{<random GUID>} 5
Global\M3C28B0E4 4
Global\I3C28B0E4 4
Global\M139D2E78 3
Global\I139D2E78 3
Global\M362912DC 3
Global\M7AF3996F 3
Global\M72B97ABC 3
Global\M373927C1 3
Global\M9B0091C 3
Global\I362912DC 3
Global\I9B0091C 3
Global\M5274C742 3
Global\I5274C742 3
Global\IAB68DB0 3
Global\I7AF3996F 3
Global\MAB68DB0 3
Global\I72B97ABC 3
Global\I373927C1 3
OLZTR-AFHK11 2
PLAX7FASCI8AMNA 2

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
192[.]81[.]212[.]79 11
77[.]73[.]1[.]167 11
104[.]236[.]252[.]178 11
173[.]212[.]192[.]45 11
77[.]244[.]245[.]37 11
195[.]201[.]179[.]207 5
142[.]250[.]72[.]110 5
216[.]58[.]206[.]78 2
128[.]31[.]0[.]39 1
208[.]83[.]223[.]34 1
194[.]109[.]206[.]212 1
154[.]35[.]32[.]5 1
171[.]25[.]193[.]9 1
23[.]6[.]65[.]194 1
46[.]165[.]254[.]206 1
208[.]100[.]26[.]245 1
23[.]36[.]85[.]183 1
104[.]96[.]220[.]112 1
49[.]12[.]121[.]47 1
104[.]18[.]164[.]34 1
23[.]199[.]71[.]185 1
23[.]199[.]63[.]11 1
104[.]96[.]220[.]120 1
104[.]104[.]85[.]211 1
173[.]231[.]184[.]122 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
google[.]com 5
ygqqaluei[.]com 4
atw82ye63ymdp[.]com 4
mdofetubarhorbvauf[.]com 4
warylmiwgo[.]com 4
caosusubld[.]com 4
bekvfkxfh[.]com 4
xomeommdilsq[.]com 4
wwyreaohjbdyrajxif[.]com 4
grbjgfprk[.]com 4
xxsmtenwak[.]com 4
ydchosmhwljjrq[.]com 4
r[.]driftinhishouse[.]com 2
www[.]bing[.]com 1
java[.]com 1
wgpvglbadxo[.]com 1
bphnopydih[.]com 1
fcvyvvbtdcswh[.]com 1
ntqchcmoegeif[.]com 1
mwqgwqcbllxhchd[.]com 1
wwteytsfaiyrrg[.]com 1
jhapjgvatltxunklfwk[.]com 1
htiobrofuirwkgn[.]com 1
kntkuamkkrwaknrusx[.]com 1
rmprupuvboixif[.]com 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%LOCALAPPDATA%\bolpidti 5
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 5
%LOCALAPPDATA%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random, matching '[a-z]{8}'>.exe 5
%ProgramData%\Microsoft\OFFICE\UICaptions\1036\WWINTL.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\1036\XLINTL32.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\1036\XLINTL32.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\1036\XLSLICER.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\ENVELOPR.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\GRINTL32.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\GRINTL32.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\MAPIR.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\MOR6INT.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\MSOINTL.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\MSOINTL.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\OMSINTL.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\ONINTL.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\ONINTL.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\OUTLLIBR.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\PPINTL.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\PPINTL.REST.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.DLL.trx_dll 2
%ProgramData%\Microsoft\OFFICE\UICaptions\3082\PUB6INTL.REST.trx_dll 2

*See JSON for more IOCs

File Hashes

1e7b2331ce1c272c693f287159933150f7ff9c0415b13840c39c9087b3880e06
2694b937d502c546d9bea8365c6cd8f4ad843365c70b969c40cecd1103de0fd1
278f6448fc8d3beab5f537508304de0eca1e2bf95d723a2cb864791a437f7eb1
2bb8160c770787dd46d4dab10ec832548fb4a60a96c483fcda8477ba253a1c1a
31a1f100d3615e61c1c719538b9e53e3126cd45d2f877681196c4838bf6163bc
37e4c70894c1d2386666744882551cc42b3e3133330dcf3f1981256f86977b88
3c718818fe2cc7d59a43a28e7a10304e0b21ac193ed2ec13c7b120630ba5f3b8
445597e0427b2b6db7fecceef1b91e2a2289add22ec43a37b8c61feeb8a93dcd
4d86aee89cfc9a7af96da45ba63e47bcc7b2250432465a95df95c603bddeb668
5cbee99bf7f5158e3eae2afad76cdc67089430713f3b01d43b8f6a492d7f7e2e
7824b747492a18e252d428839357ca45b3b3ba19f8cfe978dc09cc37902c7e57
78b7546003ea617ee9d8461f337e1f985db1fd9e739f2423fbaf6b02a2c015ba
79c24d9f1403edaec393dbd02779720b28f77be3dde30ee5bfd5e676b3bea9dd
97f7a8793af255312b12e9dd6effa67d5c9a42f4000fcffbe1d5783829337e85
99bca7652f3f3bdcd2bcdefa1d03afc95b9a945b6323b824c6b2afdb2baf6efa
a7da412a83ac2b4f50643abfffcc07ef8f446ace1651b5f8967b251d2d0b77ea
c1b891a7f829069109affb05adb30df12923df0d3246270676e447ca88c822a0
c52037c1692bc454db2fa3b4fefe2d3a0e9c40d7ea321b89e179730d984c87a6
d0cbb29592c5272e7dec8f7a2040e78ed3a9de6a375739c3c83d882727d9889c
d7286978ff19d9adc0ff6ea346f33b05309fd8f8828a01eb402245df24e83808
d83f353fbabcdf3aab12688722d3c2e297b54df0ae52b1db725a2b94655a1174
d8985454383839a91f804e2adb0237130cddf4f469aeed4e0e257b1e4ca6b101
e53614df0edec3391e6d30c102241a1977ae46489040a5aaabea55c0583f68bd
f09fe07deb613a6ca5e8fae75b6a344f7f4260996763cdad0b5c43e2e68ee46a
f6331bccf24e42e3ff6dbe82044cb53aec198396ebc067fc0b013e362f2d0878

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


Umbrella


MITRE ATT&CK


Win.Dropper.Ramnit-9904041-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
21
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 21
MutexesOccurrences
Global\SYSTEM_DEMETRA_CONTROL 21
Global\SYSTEM_DEMETRA_MAIN 21
Global\SYSTEM_DEMETRA_SHUTDOWN 21
Global\SYSTEM_DEMETRA_HOOK_00000000 21
Global\SYSTEM_DEMETRA_HOOK_00000004 21
Global\SYSTEM_DEMETRA_HOOK_000000CC 21
Global\SYSTEM_DEMETRA_HOOK_000000E0 21
Global\SYSTEM_DEMETRA_HOOK_000000EC 21
Global\SYSTEM_DEMETRA_HOOK_00000120 21
Global\SYSTEM_DEMETRA_HOOK_00000150 21
Global\SYSTEM_DEMETRA_HOOK_00000158 21
Global\SYSTEM_DEMETRA_HOOK_00000174 21
Global\SYSTEM_DEMETRA_HOOK_000001B0 21
Global\SYSTEM_DEMETRA_HOOK_000001B8 21
Global\SYSTEM_DEMETRA_HOOK_000001C0 21
Global\SYSTEM_DEMETRA_HOOK_00000218 21
Global\SYSTEM_DEMETRA_HOOK_00000258 21
Global\SYSTEM_DEMETRA_HOOK_0000028C 21
Global\SYSTEM_DEMETRA_HOOK_000002F4 21
Global\SYSTEM_DEMETRA_HOOK_00000324 21
Global\SYSTEM_DEMETRA_HOOK_0000033C 21
Global\SYSTEM_DEMETRA_HOOK_0000038C 21
Global\SYSTEM_DEMETRA_HOOK_00000424 21
Global\SYSTEM_DEMETRA_HOOK_00000448 21
Global\SYSTEM_DEMETRA_HOOK_0000045C 21

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
72[.]26[.]218[.]70 21
208[.]100[.]26[.]245 21
199[.]21[.]76[.]77 21
142[.]250[.]72[.]110 21
3[.]64[.]163[.]50 21
172[.]105[.]157[.]192 21
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
google[.]com 21
tybsrthynuyksrtvyaerb[.]com 21
waecybuojityer[.]com 21
qwreertyutifgjdfgsdvxcb[.]com 21
fget-career[.]com 21
eavytybstr[.]com 21
Files and or directories createdOccurrences
\autorun.inf 21
%ProgramFiles%\Java\jre6\Welcome.html 21
%CommonProgramFiles(x86)%\microsoft shared\Smart Tag\1033\MCABOUT.HTM 21
\Copy of Shortcut to (1).lnk 21
\Copy of Shortcut to (2).lnk 21
\Copy of Shortcut to (3).lnk 21
\Copy of Shortcut to (4).lnk 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\ACE.dll 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\AGM.dll 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\Acrofx32.dll 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\AdobeXMP.dll 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\authplay.dll 21
%ProgramFiles(x86)%\Adobe\Reader 9.0\Reader\sqlite.dll 21
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplmnu.dll 21
%CommonProgramFiles(x86)%\microsoft shared\Help 8\msenv.dll 21
%CommonProgramFiles(x86)%\microsoft shared\Help 8\vslog.dll 21
%CommonProgramFiles(x86)%\microsoft shared\MSEnv\VSCryptoInfo.dll 21
%CommonProgramFiles(x86)%\microsoft shared\MSEnv\VSFileHandler.dll 21
%CommonProgramFiles(x86)%\microsoft shared\OFFICE14\1033\README.HTM 21
%CommonProgramFiles(x86)%\microsoft shared\SQL Debugging\sqldbg.dll 21
%CommonProgramFiles(x86)%\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.DLL 21
%CommonProgramFiles(x86)%\microsoft shared\TRANSLAT\FREN\MSB1FREN.DLL 21
%CommonProgramFiles(x86)%\microsoft shared\TRANSLAT\WTSP61MS.DLL 21
%CommonProgramFiles(x86)%\microsoft shared\VS Help Data\8.0\Resources\1033\InterstitialPage.htm 21
%CommonProgramFiles(x86)%\microsoft shared\VS7Debug\coloader80.dll 21

*See JSON for more IOCs

File Hashes

007d13ff7926dfde5f6b3757baa441c6bd2633d2b26f3e0031cdc938e579b5cf
025490a8ac47b544c4d2030f1ceb0a369cd5b6161ecde537b5ae03d6558cf75d
0c98c20c8c7e1484e44b09946f2af55a1979f213969d994a014683d8a5c8382e
0e2ca0a8674a2fc5f318347f339f3525af65b9543b1c0c54dd22e813ded8168d
1d5a4c8c847f267a41eb6c6d1934de99eb108bda67a992368613d39810a19981
1da2712c0b4eb0a0824b2163ab31c6c1adbc33435efdd5543b9d9d3956d1bf40
287b17f5324a1764d7a0899531f3dfe115e1e85a6c1151d5aedc07482451c08c
2baae7257378a9f85d570bc41e5064cb2764c5f26be880dbf31e827b8ddb4162
2c4f818ba5166ce52818a70cecf97db35e02c72f5382fe539cfbbd51ddf78abe
4f0635b26da361cb585fcf7dc0620cbaead4e23d19c507950db94af7ac9cba18
52b914bd367891ed5ea3c27655984684468c912fdd4052681bd540e3ebcf3ca5
54b94c1826b36e24d4936095eca687f9dc1f3f881cbddccea722187f88ac4132
5db1fdb253c9c8a24e48930e334cb82df4ed59f6788aaf1f88458cd7a1b9f75c
67373daaa1833e2ab5b3725cb5a915f4edd2e99e86c6af557070c82d06593744
6b4b44ceef4119c9026aaac6574feedf68175e91af499d60f4efd7226e7a0e80
74c4cf6e6d77a38b4aaf6ca8c05d36cd03b09ce1a9339952d9a62fcaf7c4b59e
796f854f1f5ec2486274d74512e94a513ab34c9cc6c696d24562b65a4bf1ed28
7bb4276e859ccd629fdc502e97263a965571829ab4827c68fe27fe7b566929d0
86e7acbfa5bfa32335a64b2a043dcc2139e259d2ac48ba21852e179c5384151b
8b5f41959082ef704b9a378e72a1cf2677ecd8ddfa839e3f0e52ef0785413294
9a1463868766e9c99ecf48022327536881215d14bc7bbc793701e1464791dfea
bc8b359f3ace8ee826709f03a5966823e34e4dc6e8558aefcc7a36d67eed75a8
c6280e93da86b00873298d61bc4197a2fe65764abf38fc3480fc884a198f6a71
ce24cf08029633f6f73ac1248da25d300bf3810456a360683f05daf21d0d25ab
d9e3f46049167dd1262afe1f061bdb36bed5f1aa9c0696f592fb9be6ece5d549

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Ransomware.Cerber-9904050-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 23
MutexesOccurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 23
shell.{<random GUID>} 23
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
87[.]96[.]148[.]0/27 23
87[.]97[.]148[.]0/27 23
87[.]98[.]148[.]0/22 23
Files and or directories createdOccurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 25
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.hta 25
<dir>\_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}'>_.png 25
%TEMP%\d19ab989 23
%TEMP%\d19ab989\4710.tmp 23
%TEMP%\d19ab989\a35f.tmp 23
%TEMP%\24e2b309\1719.tmp 23
%TEMP%\24e2b309\4436.tmp 23
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 23
%HOMEPATH%\documents\documents\resume.docm.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.docx.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.dot.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.dotm.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.dotx.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.pdf.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.rtf.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.x.odt.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.x.xml.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.xml.b195 (copy) 23
%HOMEPATH%\documents\documents\resume.xps.b195 (copy) 23
%HOMEPATH%\documents\presentations\presentation 1.odp.b195 (copy) 23
%HOMEPATH%\documents\presentations\presentation 1.potx.b195 (copy) 23
%HOMEPATH%\documents\presentations\presentation 1.ppsx.b195 (copy) 23
%HOMEPATH%\documents\presentations\presentation 1.ppt.b195 (copy) 23
%HOMEPATH%\documents\presentations\presentation 1.pptx.b195 (copy) 23

*See JSON for more IOCs

File Hashes

1036095c07fd942d27575143696fa522c6f8bef674457c248b4df53d3bb563e1
1e8d2eccb3a01a44471688aaee8f99347069dce1e4f89f76c4f0c11d8c70fb74
238f2435f994c153ebad71936e91efdb21bf61702e70ea59e5a679ca2b4dc514
29498b8c9f45de702535c07fb583fe1364eee37224c4cb69db6fa38f3adb8fab
2b3823c2f449e2874bae09618323056733d5503069e8127d0be92be500bc5781
339cae8fb065cabd4fb47a7972cbb2b80970758261df86d0f900af07a9887855
36a3a182f5f2b885c4a5e7e854e72aeeafc189a8b41c97db2a9b2aa762d1861c
3e1a6225a7c1aff3b97cfca1d3ede48778521a143dcb6f6e4e202e070d3815d1
465ff098a7fa127c669a382fe6562d4fb78f1684c72818be4305efb0049bd786
525018dba30e535b6231ac8ebec4a7407077edb29ec78071cdfa07b201dcdb64
53257d93a166f5077754d481bcdd0698b8b6ebfe030fd908bff69f5b0cb289c3
5c20fc6a4df93f2ceabf85e7b8474fccdf0612307d57573c3432af8a9407cb9a
5dfd2eb76cf436a5b473b35ae2b2e4b07d3a26246fdd4b7f28a172e8fa793124
688889119f26a02827f377201ae1001c1eff189c6c2b01b7bd513e2f4b9b0d86
78931ad33a7493e34933aaa923e34a45f5fcff131196c9d1a974ccadac86f755
800fa7b43726164030d2bb6ae38731ec3b1ede65bb7c7cbdf0c50408b1210979
818285c055ddd68d1e72428e665528423a7918829292c130e59bb4befcb78676
8f0d450fcac1886485c6cf98a1b81cc0754a9fa7df0a54bbfb47a43d2a117496
9fb632669e5aec181bec9ac1f77faf867ee9c95765d5cd3d9f834006c6d12b11
a477e1f9b563a65476c4b1dde6ffd145f361ffee896aa141589972ff06aa95aa
a54c2c98dd8028901daa9ce984126104d27afabab04f7c4f3e2967e00d76489d
b02755d52246125db92b5864ced298022ad79d240633f7c3ef694cbfefebca7a
b2f93f40d4879e8279e629e62bfac6121081a0fb581b1c8fbc931c9e24b0b021
b64e1a3a0d5b0128dc86aefb9ad21e42027ec1a99536d7cdb6fbedb5e7e43b90
c0f219f3e039a0d323e43742b35e4570fed03c3ea0ef7bec0e7d0ca5b1af782e

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.NetWire-9904130-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry KeysOccurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 13
MutexesOccurrences
LhYsQRVA 13
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
194[.]5[.]98[.]126 12
37[.]0[.]11[.]206 1
45[.]144[.]225[.]219 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
akconsult[.]linkpc[.]net 13
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\.Identifier 13
%System32%\.Identifier 13
%TEMP%\gievkgcd 13
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\iqwkhtydexbloym.fr.url 13
%APPDATA%\ptiubpaand 13
%APPDATA%\ptiubpaand\iqwkhtydexbloym.exe 13
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 13

File Hashes

2ace44afe263673d30c1b4332eb216caacdf91bcf91d259aa6fe19790c22cf6e
2e2683ae6dda2e3c1c37bccc3444a0760ac6eba1113309ac061e2d6e2463d17e
3650c8bea0867e8ef3a552be9e6411d3521bcadca2100d249439443f6626ee68
3cd413a2dc08e1aa4c08e42b04c89d7faf993b95cab0496e01829281c561c898
5c429e7242da19c2858e3caff12ac8cbba02fdd03f62f086fe6873b96c452d4f
67f11aaaeb2c012cd89d9513b74b6fd8afd0e35b8306f1b781c5655245135742
87c7c23ff999c80b081423d40721ee44b8bf037d26d3452030b8a0f19837f27f
8a385de0e050fd0baadf553cef6954b1bfa3a3c0c2c626db5cf083ba2c7a56ba
a4f7d53656770506f416edb8c4255ab1efbb95562393f6cfd7d058684d390846
aed5bd1569dcb361962a0c81ee3a970c379851b1e5e235e44c1df16241bd7457
d384670a94bbd5ab329ffdcef1100850fd164b0cbf930e0828e18e84f7d2543b
de94a6c904d7e95a75f1bf47a81cc20ddfb2615a609c72614cc9d11db9b8ed98
f0fa6bd0560a7377384ae7f80e9607097618f93a66a5286f4637a859e1ac9dce

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.TinyBanker-9904138-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: EEFEB657
26
MutexesOccurrences
EEFEB657 26
<random, matching [a-zA-Z0-9]{5,9}> 11
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]218[.]185[.]162 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]google[.]com 1
brureservtestot[.]cc 1
Files and or directories createdOccurrences
%HOMEPATH%\AppData\LocalLow\EEFEB657 26
%APPDATA%\EEFEB657 26
%APPDATA%\EEFEB657\bin.exe 26
%APPDATA%\<random, matching '[A-F0-9]{8}'>\bin.exe 11

File Hashes

00982dc7c97f4158cba1fb20d95a8b97826139266cd2d1895d54e4648069e7b4
00dddb6b092764a7775019faf174697467fead76e5db83834d524195197eaa1a
010a4ad9a04ce4dd86a11c93a48f635d2545f0753946122707c8b0e9b8464262
0353a3c48402e081e7d896b4b34313d71a54d3abb82a90aa49e670290d10a3c3
040e4773a91e0d4cd51d47a0422f0708adb5257fd77e8c31875792530639c2a3
048f73724cfa93d233d2bf72c0b565099a4232daf892e2d07b61853683a9c0a4
04e07fc62178b960fef2d52ed86e25e8aa5bca82bb5e296241ec29aad06567b1
068db1e257b566428c46010f19a42dcd23ae6194c1d3c24a148868e0e0695e97
06c350a661c1d72399371845d8e48c29f347d2bc37546664df8134f1a06bd181
078b693ee78435fa7984119c3ecd13d27abc0a677b1e7d03897a86d28a296b69
0930e298a07704f7fddeae602013a450b7e3f79c618e63024e758346dee4fe65
0a424cb5af252c086a152acd983550457bfe0a18cb839419023281ff0022cb20
0c9a60dec3d6b10477ac4240d50c5570282a2d89041b757f33a1da9e37869dc9
0c9b88939ee497c0f1e063a8d04438a94c7e6d1afdc150204ecbedae95c846bc
0d1ece96794477cea3f688cb4c7fdf4124579e15b20954452056f38b6346a80b
0d8c3a4d4f8e9dcc88f36a3ec05e7ab45925667a04dfbdd57ba1d183e6d55721
0e14ed78f1b2323a7fddd7297256870f9ab897086cdf80f495ae34e883f7c273
0f15312f220172db0f3ef31761843e13bd4af33cbafc2b7eb5355a19508bf8ef
0f17aca648bc7dd690443ea4b2cd4ffbcadb18dce34d38899c865c3996d3dc4c
0f1f97f073debb3e0ddf328ec9130f420be182e9b482d0c11f1dcc3186f9110a
0fbb44a0c7ec8486c560b3159091d716a826bfecf8f6c2b361384e3dfd3e768b
1072b5519eee89e6698d0722bbfb0c80e51a709216bd13c3bb16b1ea79ba9a00
110dfe45bb084f5413cf0d955095742640a8824484d68a4c0e5336e5b3487ea3
117f71ce609fb833f6353c5acaf88c9ecada93f685ba5855bac7ff8ed2c320df
11924275f353655dd5b3aaeca3bf896bd59874076e9c058e724eac358b8598da

*See JSON for more IOCs

Coverage

ProductProtection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


Umbrella


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (37280)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Expiro Malware detected - (7320)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
Excessively long PowerShell command detected - (5183)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
A Microsoft Office process has started a windows utility. - (4451)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Crystalbit-Apple DLL double hijack detected - (3570)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
CVE-2020-1472 exploit detected - (2997)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Dealply adware detected - (2217)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse tcp payload detected - (2034)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Malware dropper detected - (1129)
A malware dropper has been detected. A dropper will download or unpack addtional malware during it's execution. A variety of techniques can be employed for the payload to gain persistence and escalate privelege if neccessary.
Kovter injection detected - (644)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.