Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 05 and April 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Eyooun-6931755-0
    Malware
    Eyooun downloads and installs additional malicious and non-malicious programs onto the system.
  • Doc.Malware.Sagent-6932497-0
    Malware
    Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites.
  • Win.Malware.Emotet-6933520-0
    Malware
    Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.
  • Win.Worm.Scar-6934835-0
    Worm
    Scar will download and execute files to the system while attempting to spread to other machines by copying itself to removable media.
  • Win.Worm.Aspxor-6935052-0
    Worm
    Aspxor botnet has the capabilities to send spam, download and execute other samples. This botnet is known for collecting credentials from infected computers.
  • Win.Malware.Vbkeylog-6935273-0
    Malware
    This generic family will attempt to deceive the infected computer's users into receiving a payment or getting personal data.
  • Win.Malware.Zbot-6935412-0
    Malware
    Zbot, also known as Zeus, is trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
  • Win.Ransomware.Cerber-6935713-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
  • Win.Trojan.Winwebsec-6935682-0
    Trojan
    Winwebsec installs itself to a compromised system as a "anti-malware" software with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts for malware found on the system to deceive users into buying services before the "malware" can be removed.
  • Win.Malware.Tovkater-6936213-0
    Malware
    This malware is able to download and upload files, inject malicious code and install additional malware.

Threats

Win.Malware.Eyooun-6931755-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP6\PARAMETERS
Value Name: DisabledComponents 		34
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter 		23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS
Value Name: MaxEntries 		18
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASAPI32
Value Name: FileDirectory 		8
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASMANCS
Value Name: FileDirectory 		8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\DIRECTDRAW\MOSTRECENTAPPLICATION
Value Name: ID 		7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe 		5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LYPWXAWN
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ISFCQMJB
Value Name: DisplayName 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IUGPWHEJ
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OJIKFFNJ
Value Name: name 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSCEGPBN
Value Name: DisplayName 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QSWARNLV
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATDUWYIG
Value Name: WOW64 		2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OTMYZEPH
Value Name: DisplayName 		2
MutexesOccurrences
CommLogDbgStrMutex 61
\BaseNamedObjects\CommLogDbgStrMutex 61
DBWinMutex 32
8Bc0E7-2F5D-49c0-A6D6-appadvert 19
Local\MSIMGSIZECacheMutex 14
openbox 12
adkuai8_client_newdown 11
adkuai8_newdown 11
04AEB7B0-04A8-04A82810F7B640-8A4A82810F7B6 10
Local\__DDrawCheckExclMode__ 7
Local\__DDrawExclMode__ 7
Local\DDrawDriverObjectListMutex 7
Local\DDrawWindowListMutex 7
Local\InternetExplorerDOMStoreQuota 2
Local\http://www.baidu.com/ 2
Local\DirectSound DllMain mutex (0x00000174) 1
fc23890639e7d704fbd1b52b749200a5 1
fccb83f4591c45a062aa5389a08b9eef 1
8e92460d25c534d048fd1c88e802f7e8 1
dbc843e527e2b5c81be3562287f89d3c 1
5d25335e7777648b50dc7504f83b06da 1
Local\DirectSound DllMain mutex (0x000005AC) 1
73b50e38332dbd8c708884de7b44d0f0 1
efc928dd753ae98b928ed12919a305ca 1
53279609cec7acce6827bdec60299b7d 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
18[.]223[.]92[.]145 42
116[.]28[.]63[.]214 42
122[.]152[.]212[.]224 32
218[.]65[.]30[.]41 30
117[.]41[.]234[.]92 30
122[.]224[.]34[.]103 25
150[.]138[.]92[.]62 24
18[.]218[.]183[.]21 23
222[.]214[.]218[.]239 20
113[.]105[.]164[.]31 20
120[.]55[.]244[.]212 19
175[.]126[.]163[.]124 14
42[.]62[.]4[.]62 13
47[.]92[.]249[.]152 12
120[.]77[.]171[.]37 12
47[.]107[.]83[.]212 12
219[.]150[.]218[.]119 12
125[.]88[.]158[.]212 11
219[.]145[.]240[.]86 11
219[.]145[.]240[.]85 11
219[.]145[.]240[.]84 11
106[.]122[.]250[.]212 10
150[.]138[.]92[.]106 10
219[.]150[.]218[.]44 9
59[.]110[.]185[.]104 9
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
wj[.]center[.]oldlist[.]info 61
ecount[.]2019cn[.]com 54
nj9qq[.]cn 42
top[.]sefcg[.]com 23
pack[.]1e5[.]com 22
ad[.]uuuwin[.]com 19
ks2[.]we2019[.]com 14
imgwx4[.]2345[.]com 13
tv[.]2345[.]com 13
imgwx3[.]2345[.]com 13
imgwx2[.]2345[.]com 13
imgwx1[.]2345[.]com 13
imgwx5[.]2345[.]com 13
mini[.]sefcg[.]com 13
log2[.]nagirl[.]cn 13
LOG2[.]NAGIRL[.]CN 13
union[.]lm33[.]com 12
liosm231[.]com 12
list[.]adkuai8[.]com 11
p2p[.]adkuai8[.]com 11
down02[.]adkuai8[.]com 11
ipaddress[.]adkuai8[.]com 11
tongji[.]adkuai8[.]com 11
log[.]uinfo[.]soomeng[.]com 10
next[.]91xiaba[.]com 10
See JSON for more IOCs
Files and or directories createdOccurrences
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini 59
%TEMP%\SSL 40
%TEMP%\SSL\cert.db 40
%TEMP%\SSL\Small DigiCert Baltimore Root 2.cer 34
%SystemRoot%\SysWOW64\Log 31
%TEMP%\h2u31tg4.exe 30
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\config[1].zip 30
\PC*\MAILSLOT\NET\NETLOGON 23
%HOMEPATH%\Desktop\¿³°×Öí±¬9999¼¶ÉñÆ÷.lnk 23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\190[1].ico 23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\215[1].ico 23
\DosDevices\C:\Windows\System32\wfp\wfpdiag.etl 23
%System32%\wfp\wfpdiag.etl 23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\procelist[1].ini 22
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\018[1].exe 19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100009.log 14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000B.log 14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000D.log 14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000F.log 14
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\mini[1].htm 13
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\hideconfig[1].zip 13
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\classicTv_tvHotMini[1].htm 12
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\LOLO[1].png 12
%SystemRoot%\api-ms-win-cx0-l1-01-19.dll 12
%SystemRoot%\SysWOW64\del.bat 12
See JSON for more IOCs

File Hashes

  • 002a3ee5d238a80bd8c3759d8478d7d9098af54cbcbd264bcd78ad172c7fded5
  • 0066dccf58f6d2ea4e303e870aea20c25d0c945a4b5c6796548acb20ae2dd268
  • 015d9a05e3595d8902031dda87e999396a9a2b5267195e35f3752cef08a37b50
  • 0181a703fa74afdd4640b52de9338b0dd6e14446c0635bebf8883999cfa0be01
  • 090f9030986cdb1413bc9f5c6901952e23be5f6c48b7ce0f9858e92e91142d26
  • 09d3b0027fba2e0419841177734b811e506aed12d758d75d77a1f71ebb1b16bf
  • 09f0116a571ccf405cf2b83507fb2d3c139a8f9fe7ce9fc77595c7c66d4f9a53
  • 0f0d5f033b1096e209857c255edb94e30306087a172edb5816f4464c92a9870c
  • 1029ddb2e83f17e8318199afb81a4434de65e12728552f66255cd7814b7cce0f
  • 159a0f8cc9ed369de6b89806b3d29a287183dc15deb59ea916d246d736385684
  • 179662d10fbf28f36e7fbf9d61e20ecf01ea0efe03223e19aad2e24a4ae56bb0
  • 19fb21319fb6479eb23cf06f3298f991466dbd1954c320db749e6f4ee727a27c
  • 1ac81f029e1fc5c7c11045d910ba3882946bd6535369675c6b443c35ef2e5c18
  • 1f78e240a8cdfda72e443b39cbfdf4faab1ed8092cdf9b02bdc7456dffbe1f47
  • 1fb5ec3d10289d0f00460070da92853ba1d90dbebd6dc6a8266a09ad3c36a154
  • 208d2e1fdf8b87f1b37644e57f340b984c8d68de8ba02525c61b6158b9d6e539
  • 24b4b426368e29fe933d6b427d1ae47e31fb346b2392e2161a67add890bae196
  • 2d60ced2eef863bc23232f4c3a80be8545902f2efa4dd9eab7f680a5643d8289
  • 2ec0873e6ce50626bccb3217c8fe10fd421604dd5fe45fa58c6f54b90b369d6b
  • 30944e432f0f25fda774cfe7090a9cef872b02bd754636a1176e98f7298c5780
  • 3291d369e4f69353b221ef184731f93c80f3762de2114d4b4f1a6b200f66aab8
  • 388259027de10322e1da522901d84a83bc8a5585d2d61a47b4ecd9c87cc30d26
  • 3960aa9d31ec0dacc0f11edbebc8820e4f929bdfc2943aec52dea840c456e264
  • 39d8b6f916b96060c7e55c468fb066a51ccd5a8c1e0f3d43fa29dc12dad129f0
  • 3a328a6515c449cf1f1807ede10f790014b5905cda161828d3eea7750a7d2264
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Doc.Malware.Sagent-6932497-0

Indicators of Compromise

Registry KeysOccurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect 		10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\WOW6432NODE\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\WOW6432NODE\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
MutexesOccurrences
Global\I98B68E3C 10
Global\M98B68E3C 10
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
89[.]188[.]124[.]145 10
190[.]117[.]82[.]103 10
190[.]0[.]32[.]206 10
104[.]18[.]35[.]163 7
104[.]18[.]34[.]163 3
43[.]229[.]62[.]186 1
104[.]2[.]2[.]153 1
201[.]165[.]102[.]49 1
187[.]189[.]210[.]143 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
xoso[.]thememanga[.]com 10
Files and or directories createdOccurrences
\EVENTLOG 10
%APPDATA%\Microsoft\Forms 10
%APPDATA%\Microsoft\Forms\WINWORD.box 10
%HOMEPATH%\80.exe 10
\REGISTRY\MACHINE\SOFTWARE\Classes\.doc 1
%System32%\WindowsPowerShell\v1.0\Certificate.format.ps1xml 1
%SystemRoot%\SysWOW64\A7Nx4PQT5.exe 1
%SystemRoot%\SysWOW64\N6yvu6lNl.exe 1
%SystemRoot%\SysWOW64\g6iqfJhcB0Xc88E.exe 1
%SystemRoot%\SysWOW64\f9XnJqVa5Bt6Sf.exe 1
%SystemRoot%\SysWOW64\9yMQn0Zw.exe 1
%SystemRoot%\SysWOW64\c33fB.exe 1
%SystemRoot%\SysWOW64\aThVJIMunDfvC.exe 1
%SystemRoot%\SysWOW64\SqxzR9tB3STZYB9o1.exe 1
%SystemRoot%\SysWOW64\WyFb5EUyZBFDn5Gb.exe 1
%SystemRoot%\SysWOW64\TYVGTeXwXGD.exe 1

File Hashes

  • 310c672343531ecc8fb2bc22b979a34f6e3c3d6c56eaad0dadeecade3e6c64d9
  • 60973bfc7ccac458d9ac4b7192a40774316b04d86cdb106b0c205d75778b7c65
  • b3ff81bf64f077e1b466d3696c3528f9c644d503b515473b16803610f240dd05
  • d1d756451258f60d10e1c46540438f9a7c9ad84bfe7b4a1cb944ae02e456d3aa
  • dfcb889cbff15a54eab56367f8f5da6855cf534ad732938eb4cc472a77c231a0
  • e39863e66ab0f1bf0b8d35f2715d3de220f6bb3d0c28b68d8f14d53ed1acb7e4
  • e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41
  • e9a0aabcf4e854ca4b16e9ebd2d228b2e581abc12d27ef34b9f8a5978d224128
  • eba143b8f9ea163949037b683622c1cf9672e9a4e63513ecd20ebe1aff4e3ff5
  • f4282b6fc250485ebd045d3008195a5c3e2b385c5caaada93ea221f53326d3ec

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella

Malware

Win.Malware.Emotet-6933520-0

Indicators of Compromise

Registry KeysOccurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect 		16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value Name: SavedLegacySettings 		16
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Description 		16
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\guiddefribbon\DEBUG 16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionTime 		16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\A4-E3-E4-11-EC-FD
Value Name: WpadDetectedUrl 		1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-B9-FC-8E-0C-36
Value Name: WpadDecisionTime 		1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\E2-85-AF-73-A1-BC
Value Name: WpadDecisionTime 		1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-F7-27-10-2D-94
Value Name: WpadDecisionTime 		1
MutexesOccurrences
Global\I98B68E3C 16
Global\M98B68E3C 16
\BaseNamedObjects\Global\M3C28B0E4 16
\BaseNamedObjects\Global\I3C28B0E4 16
Global\Nx534F51BC 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
43[.]229[.]62[.]186 15
190[.]0[.]32[.]206 15
187[.]189[.]210[.]143 15
201[.]165[.]102[.]49 15
89[.]188[.]124[.]145 15
104[.]2[.]2[.]153 15
190[.]117[.]82[.]103 15
208[.]100[.]26[.]251 1
5[.]196[.]133[.]206 1
198[.]187[.]30[.]249 1
104[.]236[.]135[.]119 1
71[.]78[.]158[.]190 1
190[.]219[.]231[.]69 1
208[.]180[.]217[.]173 1
181[.]31[.]182[.]138 1
201[.]249[.]117[.]123 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 16
%System32%\guiddefribbon.exe (copy) 2
%SystemRoot%\SysWOW64\SBp2VS8N7jU.exe 1
%SystemRoot%\SysWOW64\yXRDTc.exe 1
%SystemRoot%\SysWOW64\LvO5IJ1Sr5t.exe 1
%SystemRoot%\SysWOW64\5kQW.exe 1
%SystemRoot%\SysWOW64\Nsa7bjsedHZNrMyW.exe 1
%SystemRoot%\SysWOW64\MZ5WK.exe 1
%SystemRoot%\SysWOW64\FxiHy64z3NDOiHEgC.exe 1
%SystemRoot%\SysWOW64\hlaVhqNG.exe 1
%SystemRoot%\SysWOW64\Ahfk9lC4PqeGiyhY.exe 1
%SystemRoot%\SysWOW64\xdm5D3NLE.exe 1
%SystemRoot%\SysWOW64\2o75cQI.exe 1
%SystemRoot%\SysWOW64\oxJI2FKrOP.exe 1
%SystemRoot%\SysWOW64\MoSv9WL5Pn2Rd22eN.exe 1
%SystemRoot%\SysWOW64\LQRA42.exe 1
%SystemRoot%\SysWOW64\MVED6NriD.exe 1

File Hashes

  • 07bb6313dc4e4e47fffe542787f7e5f085f7a0b827a3614a666b8ba122895a5b
  • 1317735faa4586cd57e311b7fa5462675b19b6767898bbc9fd1ea438e9b269a1
  • 1cfb22555921bcd42ea2976527cedebe9b0a70a24ca2f4695d61496956a9fb65
  • 34dc74f395344d40e6ce6e08f73ea822d83107c276e230862aa7f20ec24677d9
  • 5bcbb702d1936de97fc26a33767f7d1b1973455d7a783dae80246fae99024b98
  • 6123a5957f13a02e1752a9242f68f2cec27443ea0e4fbea65edde4c05a48ec38
  • 642b1802bb2c429da4521e8fd159498cf814ab43df41d2213ccf4c8e7bf3a58f
  • 67121ec06c244e75ba3c217b6ec7c9ea795f71bb673c87ced115a7bae939b6a2
  • 67b8cdfe8f7b193723a6db03fb8f2246710ba6b4bfd2681134175f98150d307a
  • 7581c79cd28ae473538de22e69f00d8a0642937621a08d6a304e7bae7cc1f467
  • 86630ccb5c7e8d248e28446f27f2faf21d2712e18b3b6fb7749c9dd0d82c2752
  • 87989bca4fcdaf8bde36f1893ce293da2f11c330cdd0f9746956241d6fac63da
  • a8caf1e24c6972c1338eb4cc5d061fe7b6618657720b375e43385c9118b3aad9
  • bdc575561b7b6ccd315cc5aa6c0f05d346201917e05490ff9203ee804b9d4fd7
  • c6f1c07bbf320307ab784db15f0dc7ecc09c2f96150cda7126569a2d77935b2a
  • e1226793b90a2c765d227e365b24271282c85ba9b7b5eb642f9f4b145ba0b932

Coverage


Screenshots of Detection AMP


ThreatGrid

Win.Worm.Scar-6934835-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft 		32
MutexesOccurrences
DSKQUOTA_SIDCACHE_MUTEX 32
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
175[.]126[.]123[.]219 20
67[.]228[.]31[.]225 3
64[.]186[.]131[.]47 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
byvolker[.]co[.]cc 19
canappe[.]co[.]cc 1
getvolkerdns[.]co[.]cc 1
killervolk-dns[.]co[.]cc 1
Files and or directories createdOccurrences
\??\E:\autorun.inf 32
\autorun.inf 32
\AUTORUN.INF 32
\??\E:\AUTORUN.INF 32
%System16%\svcrcs.exe 32
\??\E:\UsbDrivers.exe 23
\UsbDrivers.exe 23
\??\E:\Setup.exe 8
\Setup.exe 8
\??\E:\open=Setup.exe 1
\open=Setup.exe 1

File Hashes

  • 0801e6c88de29d1418e3c7e89c72ff0e9147607f1c36ea657f60c557bc2ca91c
  • 08c755993f57b3c2adb4893504683394b81e9dba822ccd6bdad9dc9710155078
  • 096b4a3371120250dbd0c85c19730f92d0beaa3af16d73a44c6c81e81e0371f8
  • 11566d54a186019e24e0fe51ecfcc8a6e954c3ff0ec58e89130c81c2c9fe3652
  • 18bc9b638b1770d6b76de5be46ecc50d2b2a428053b131b02cf76d9feac9566f
  • 22afe3eae9acd98fa25f5e06a7f3fa2716aa6af527d1232e5ba4c95e199b851b
  • 25fb8e7a4039c200fa74246ae62629e6a1db5400e2c8ebe14b041f0dc2bc60f7
  • 391483fc42fa770ae9a6e0bb615536b9c3f1a908931d5222d4f1eab68a50c91f
  • 3b62f8abfdb792b3419ac346fcbc5d004a9b67dc1b5a93b2eda4da53fc27263d
  • 3be4799debfab2081853244700668d7303752272978941b551d21e6cfc476a69
  • 424c3baead90385b2fd8cc6ef98534119ce5ea41f9488c0e64d1829ae61ec957
  • 453b4a1818de6d3e8d67632e31bcca085cd8f5e44e775a7959246eaa4c925d2d
  • 4a800c7c54850630561ffe6d54a3390a93192c7fa6301f5d6ea9368f2c6421bb
  • 4ec4bcca36e92304469192ab25d97cacb192413f4092a37a5f1e76575beaa0de
  • 55562749de33d7cc4f93d0342514467c31b975907d9f0dcd8ec78f735ce6b1d8
  • 5b642baf8e06c96a72ee7e8e55f98bd25a6180fce57fa25c2691782a23c76794
  • 5efacdb03391aa114a6dcac90a6f8f8562c0a2e666185f1f8f63065364993143
  • 6178e5bcda89cd0c4760545b3208cf56ce26fc9fe51551d1389505d30de75830
  • 621bc4bb35821d5a7784bda820acd368d863b2430974952f83a14051693c2fda
  • 75504f094939ab33f14cdf1a6c1be3cad5ae7f89d48d925fca65222062ea27e5
  • 8320a5187226606270a82f0acf50449a11d3bc6bfed10618e7a7d79ea4564401
  • 86ebccdb2f90a5b5ca49911155eac4d05769138d8f72856d4cd9be2323037b29
  • 871aaaf9a80009c78539d2a8b1bbfee432c1afc08511d25e057373731f06a061
  • 8fd6c4a70953f044073299ad6ba883d94d7be1a723d8aaa908435318509cda05
  • 915c2d8d8bf3391aee7ee8a4d732cd861aa30eba8219b240b66041a860a32cc0
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP

ThreatGrid

Malware

Win.Worm.Aspxor-6935052-0

Indicators of Compromise

Registry KeysOccurrences
N/A -
MutexesOccurrences
2GVWNQJz1 25
Djjwy&22bsqobnaHhdGwemvt(&11839) 25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
217[.]115[.]50[.]228 17
93[.]186[.]181[.]62 15
194[.]85[.]183[.]2 14
46[.]55[.]222[.]24 12
222[.]124[.]166[.]12 10
82[.]116[.]211[.]16 10
209[.]170[.]120[.]163 9
186[.]115[.]122[.]67 8
216[.]218[.]206[.]69 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
%SystemRoot%\SoftwareDistribution\DataStore\Logs\tmp.edb 1
%HOMEPATH%\Local Settings\Application Data\ksgxpasi.exe 1
%HOMEPATH%\Local Settings\Application Data\joorwdum.exe 1
%HOMEPATH%\Local Settings\Application Data\unfdefqq.exe 1
%HOMEPATH%\Local Settings\Application Data\ahnatfuo.exe 1
%LOCALAPPDATA%\ffueegqn.exe 1
%LOCALAPPDATA%\hahxwkrq.exe 1
%LOCALAPPDATA%\erhipkjf.exe 1
%LOCALAPPDATA%\qrfcduvn.exe 1
%LOCALAPPDATA%\bbpikrlh.exe 1
%LOCALAPPDATA%\gbmscrrf.exe 1
%LOCALAPPDATA%\uhotvrfs.exe 1
%LOCALAPPDATA%\vwaffned.exe 1
%LOCALAPPDATA%\wscftndd.exe 1
%LOCALAPPDATA%\fapgaxbx.exe 1
%LOCALAPPDATA%\kselhlpe.exe 1
%LOCALAPPDATA%\lupjoaow.exe 1
%LOCALAPPDATA%\oxhojtxr.exe 1
%LOCALAPPDATA%\bgnifxtm.exe 1
%LOCALAPPDATA%\annimrmg.exe 1
%LOCALAPPDATA%\teconvea.exe 1
%LOCALAPPDATA%\jwclsdrd.exe 1
%LOCALAPPDATA%\txfqjufq.exe 1
%LOCALAPPDATA%\ridhufao.exe 1
%LOCALAPPDATA%\ndfgutar.exe 1
See JSON for more IOCs

File Hashes

  • 0212de9641f40da0e6bdad747f807eca71356ddc298263c20676321863326f70
  • 098631c475084bd57815d245af1252c70bb4b918df059844aa167ec189bc955b
  • 0c5634fd44849ef51ac6f7133cdea66da960a64a6c165bf038f17d97610ce5d9
  • 195b4c47c63c9d6fbd745da31721b086e931c0d60c1759e414c564cea4e1d6c2
  • 1ccb17748bc70035a00a5ea94d223e1e425163e191bfb92271d191d7ced3347d
  • 1f5286c16b783ebbcf24cd92cae2f1eb50d69e6f4cc0d0c97408f03abe1de161
  • 29614ffd96412f26a5cf2fee3648e4954c2ac095543b3633e03dfaab12d1ff60
  • 29de1a963a1f1bf15435da9020a2eadfa9d3054160e545b49b89135a6eaac2a9
  • 2c85e5a8a1c3e5c0e6fcf4902780824c9014298ff01f823ae8f4d2633f64c0b4
  • 2ebd4a5e0954ef8cfa8f338caf6bc6763e6519c9be2b71e31186f91b29312e13
  • 37d5963a73acccd5b60d59e27c19fc30c1806679724338e1d4962d04748934f9
  • 386ecf6b47b1f1d71b3797adb0335a806452d3346e108b758594f07dfcb49f97
  • 3b03b188ac995d7fcab65e70b9ada8d2b126313318a981ec396a2111a34bfd64
  • 40ebfa0f7b15bd9a0827c9c597340b1ab91a0b352232052094dbbf6e951617b9
  • 4ad58e6014e62529af11bdc456bd4fec94ee3138f6e8c679a963512709a72452
  • 5147b90fa72506bd6c47bed8b03f82f8eab5e6ab6f6216289680429ed915422e
  • 543cb5dba99c251147551c65e8db498b1b16f2084933596159006482ce1be633
  • 5d19478d27e1697220d54e158ecbe4190287c34f507d46717f06195acee8507d
  • 601d8a181beb7451b6d45b6938a398b8c09bfba4d858b5de52d79ad55ff733fc
  • 64816d8573edd50f3ba63d0c1b9e491e461dea9f4dab78b85986959346d7769c
  • 65f8b7cf030977bb60ae0e21b3514d4407090de968c505ccdaed0ea73d2b882d
  • 66bff41b7bad9cd835e0e698cfc574a576caf819a3c9abecc473eb8ec31a53a2
  • 68e6f59b6c52c804dcebebbc2eb54ad7a00c9e0302f429bfef2300d33abdc4a3
  • 6d610fd8891c60bd39978d90f76e803a878fd1bb36061e7a970ad79af20accd2
  • 70d71ecfbb763f5e97379bc3d75412e56aec4574affadc1d4bcb09a2fc70d923
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Win.Malware.Vbkeylog-6935273-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D\MOSTRECENTAPPLICATION
Value Name: Name 		5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF 		5
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
\TEMP\NewBitmapImage.bmp 2
\TEMP\taximg.bmp 1
\TEMP\tooooos.txt 1
\TEMP\jon.bmp 1
\TEMP\SureTools.txt 1
\TEMP\rum.txt 1
\TEMP\SLIPUSD124.985,67(1).jpg 1
\TEMP\TAXFILE.bmp 1
\SureTools.txt 1
\rum.txt 1
\tooooos.txt 1

File Hashes

  • 44414ef55e3f6368f1df92f06a5f29f4dda15554720b7cb4a7ad22ef73023ce6
  • 5164b6fd11a2fb210d88ee920b95a62e8ba0904797c015f2edf20fe519678777
  • 64ab1d27afd0c17215e56c0c97b2de6e8862573cf8663e60832d5d14ab9f635c
  • 940f6e0c84f2ea9db97ce376fdfd8b111f3fd50ddcac3d303b5b9d69a7a89dd5
  • 98408e5c6a013289ce93486234965b89f164c568f5f772d9082d6ddbfab7c506
  • 99773cfde40fbf0a2e681cbb27b64616c4e401b47ad88255be843c3084e41e29
  • b698ccf0db3ef9d598333cdb998beabbc0e59ba6a528e02a2870687b863ff0a3
  • dce28ef0578d3d8d14159a098ef4f8f15995996c2c2e512caa456d8c0f5114dd
  • f0b0138e46957c77c6b40f7c2ed6b16bf7aea25cd02ac62e4298b559de2b385b
  • f1632ccc48b023eeab044ed42093e748e501c0afdde9b97d22d27ad09b01dbea
  • f51e016793c920faad2abe8da9d14a6d6ecd1f73b8ccd68d583b4ddcbf9341fa

Coverage


Screenshots of Detection AMP

ThreatGrid

Malware

Win.Malware.Zbot-6935412-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs 		25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: aybbmte.job.fp 		25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
Value Name: Index 		25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}
Value Name: DynamicInfo 		14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
Value Name: data 		14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{088B2EE3-A639-491E-B1E6-84AE447D785F}
Value Name: DynamicInfo 		7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{94669170-5F40-43E0-9D77-69BC9146DF72}
Value Name: data 		7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9693B0-E894-414D-8675-6B58133E665B}
Value Name: DynamicInfo 		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{6E1FF505-4705-412B-825D-ECE026885614}
Value Name: data 		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{48716312-C151-484D-9EC0-E5B4883DF1B7}
Value Name: DynamicInfo 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{90EA3D0B-BA3B-4356-A2CD-915E5BB4CF7B}
Value Name: data 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{65579417-B766-4127-BD16-88A7D90F9ADD}
Value Name: DynamicInfo 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{E4AA06C0-45E2-4E4D-B133-96D82B197EA1}
Value Name: data 		1
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
%ProgramData%\Mozilla\thfirxd.exe 25
%System32%\Tasks\aybbmte 25
%ProgramData%\Mozilla\lygbwac.dll 25
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll 25
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe 25
%SystemRoot%\Tasks\kylaxsk.job 25

File Hashes

  • 038925296d4fdaa55efcfa1ad8c02ce08d6f3673bc042fed1bd20d9f29fad5d3
  • 0ca97f5d0c9e6de090568cb7285db362d7210c45e2213be617fdd4ba2ae8dc7d
  • 109de4dba47129449293624f674a90a8d6381d5f827e4192f1efc97e4b08748e
  • 4155d902b22a775b172e7d86d4958e9088d571bfda7810fd6eceaa5bfb44e847
  • 56d02ae6de618c67968b5c6ca583372e1388c89424f2c2118aac6a8548b909ce
  • 5880016db066b6d864c72234d1404cb0ac8953a0ca35b1edae8fc1c8c6c8a7b2
  • 591e2322c4e4a65b02694f0066ef6c18ceff25c50ea0c118591170af3e4e9cce
  • 5a48b66eb3c6581073bd8b85f9a8151364f089dd91997d82ec42709f3f813def
  • 697000ba4047468f1005194dcbd2ae90e444a7e1a8b52c3904a3001358387af9
  • 89a3ecc59f1bd6d62f71b2dccbf03e433d99cee9f9e8d961e19d5e3ca7bb3f15
  • 95ce736766aa931ba16df831dabc530f64e9e9a6d1a134e6931987fa1c8fd544
  • a3309cb7bf90a6f6220bbf9a6b018d5f41334407a431b5101874e4d3436382ff
  • b28ca331d6466f83028b9e8c4e9fd6511dad0a599859ea21f8dd02618eabc1d4
  • c27265eca8f4f1d0606e3e6acc971721410f7430d3b8c487b128fee5a910f8cd
  • c6b0d5b496baca826833a12e9863292ecdd92931ce682d61a74ee62e97c39382
  • cf9e75a01b1ee5093c7ca244f5568becd535c6e9f56885a11a25dc1e9621d502
  • d5587aef2b6a77a22904f8cff993d6e35a832f7552f8f3124c772b1700077622
  • d7fb034de95b8ef46570d15391cb1c8181e2145076831813563a947d8d1616db
  • dc68ea18ef5b981d2fefd632a9e7fe51bc03c5058dcff708b9aa255e9ebbfe06
  • e1c784eada950c0b8a9ff1a533d95252bf4cf36314b8b52aaef1ce51c3fe3704
  • eb84091df0b6ea62d38e2240201dc93fbb5db4b878c595937cd9ff77508dacc1
  • ec5dd84f2cd6083165187eff18bb55f382719977092eaeea642868d062926970
  • ed8887e64560574df7491a6ba7feff32433fed157e02f39ce86fb8689d5a2207
  • f443021ba52b571fa16f440f171e85430eb6d925882bdffc339de6917b6e13b6
  • f4fd6c5f9fdeb3196e09b5ee9854f0c06d320c8cfe8c7fc04e234c35cfcc26b7
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Win.Ransomware.Cerber-6935713-0

Indicators of Compromise

Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run 		54
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun 		54
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE 		54
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00 		54
<HKU>\Control Panel\Desktop 42
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}
Value Name: DynamicInfo 		31
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{99EF6702-6773-48D3-992B-6F4C187FAC71} 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFF 		12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
Value Name: Blocked 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
Value Name: Blocked 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
Value Name: Blocked 		11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Window_Placement 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Active 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Set 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
Value Name: LoadTimeArray 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
Value Name: LoadTimeArray 		11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ipconfig 		2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ipconfig 		2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: ipconfig.job.fp 		2
MutexesOccurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 54
Local\VERMGMTBlockListFileMutex 14
Local\!BrowserEmulation!SharedMemory!Mutex 14
Local\URLBLOCK_DOWNLOAD_MUTEX 14
Local\URLBLOCK_HASHFILESWITCH_MUTEX 14
cversions.1.m 14
GeneratingSchemaGlobalMapping 14
cversions.2.m 14
_SHuassist.mtx 13
{5312EE61-79E3-4A24-BFE1-132B85B23C3A} 13
Local\Shell.CMruPidlList 13
Local\InternetShortcutMutex 13
Local\ExplorerIsShellMutex 13
CDBurnNotify 13
Global\CDBurnExclusive 13
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} 12
!PrivacIE!SharedMem!Mutex 11
ALTTAB_RUNNING_MUTEX 11
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} 8
_!SHMSFTHISTORY!_ 5
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1388 3
\BaseNamedObjects\shell.{3AFC1C93-3B52-BB89-3222-3835B13B7C57} 3
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1084 2
\BaseNamedObjects\shell.{2DA495A3-711D-597E-268E-77F8D29EB324} 2
\BaseNamedObjects\shell.{37AB6120-3C1B-909E-8A46-BA7ED26D587E} 2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
31[.]184[.]235[.]95 31
31[.]184[.]235[.]94 31
31[.]184[.]235[.]93 31
31[.]184[.]234[.]90 31
31[.]184[.]235[.]92 31
31[.]184[.]234[.]91 31
31[.]184[.]235[.]91 31
31[.]184[.]234[.]92 31
31[.]184[.]235[.]90 31
31[.]184[.]234[.]93 31
31[.]184[.]234[.]94 31
31[.]184[.]234[.]95 31
31[.]184[.]234[.]96 31
31[.]184[.]234[.]97 31
31[.]184[.]234[.]98 31
31[.]184[.]234[.]99 31
31[.]184[.]235[.]99 31
31[.]184[.]235[.]98 31
31[.]184[.]235[.]97 31
31[.]184[.]235[.]96 31
31[.]184[.]235[.]214 31
31[.]184[.]235[.]215 31
31[.]184[.]235[.]212 31
31[.]184[.]235[.]213 31
31[.]184[.]235[.]218 31
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ipinfo[.]io 54
onion[.]to 23
cerberhhyed5frqa[.]onion[.]to 23
ip-api[.]com 19
freegeoip[.]net 18
en[.]wikipedia[.]org 5
www[.]collectionscanada[.]ca 5
alpha3[.]suffolk[.]lib[.]ny[.]us 5
www[.]archives[.]gov 5
www[.]vitalrec[.]com 5
www[.]cdc[.]gov 5
4kqd3hmqgptupi3p[.]u57u1e[.]top 1
4kqd3hmqgptupi3p[.]hlu8yz[.]top 1
4kqd3hmqgptupi3p[.]58na23[.]top 1
4kqd3hmqgptupi3p[.]132z80[.]top 1
4kqd3hmqgptupi3p[.]asd3r3[.]top 1
4kqd3hmqgptupi3p[.]h9ihx3[.]top 1
4kqd3hmqgptupi3p[.]ep493u[.]top 1
4kqd3hmqgptupi3p[.]h079j8[.]top 1
4kqd3hmqgptupi3p[.]fgkr56[.]top 1
4kqd3hmqgptupi3p[.]azwsxe[.]top 1
Files and or directories createdOccurrences
%HOMEPATH%\NTUSER.DAT 54
%HOMEPATH%\ntuser.dat.LOG1 54
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 54
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\json[1].json 54
%HOMEPATH%\ntuser.ini 38
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.html 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.url 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.vbs 37
%HOMEPATH%\# DECRYPT MY FILES #.html 37
%HOMEPATH%\# DECRYPT MY FILES #.txt 37
%HOMEPATH%\# DECRYPT MY FILES #.url 37
%HOMEPATH%\# DECRYPT MY FILES #.vbs 37
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js 36
%APPDATA%\Adobe\Acrobat\9.0\TMGrpPrm.sav 36
%APPDATA%\Microsoft\Outlook\Outlook.xml 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.html 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.txt 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.url 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.vbs 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.html 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.txt 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.url 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.vbs 36
%APPDATA%\Microsoft\Outlook\# DECRYPT MY FILES #.html 36
See JSON for more IOCs

File Hashes

  • 0209aa718b9b606b5cad5f9783ef1eb441ab1b6ff63283855e8b6d74f4649ec5
  • 03050ca0e3c1e6fc7a9782b5791aeccc77a1f07a7a8a675feb6e756226174410
  • 04043499a4936537e774dc6a381ccaeab8bb853d84819b9be12de2931d6646de
  • 0468b2231ea7059a58566e1a77d170f9c3a7e417d0221e8d7ca0747607bba2c3
  • 0680c78425029623806a8fd8f305523564e52bb68779ccffd698b78e218e249e
  • 087fa7d28264fc9c06eb7031891b68794c67b7b571176194e313c227437a1ea8
  • 09b4791e9e2eed217cf3df60f0386b010dccfc12a0b8c67b3cd2007fdbfb8e74
  • 0adb55a70a4c9f9e2bfcd33bb7c7b7b2f5d309b5ad006e7364aca2fbcda6c505
  • 0ca6bf5961f23df78cd48d7cde29d58b7d23e22598f784d04a1ca0676a466c0a
  • 0cf92c126ff4860a912d3e5d9d21c546edf434b46a1ea8bdddaf1eace91bc7ce
  • 0d7b033bd7734735b8e101b820be42c37e6957dd556da8b26f05f50edc3cb96f
  • 0dc0bfebad2716cfc4eb1b6d2853929d110fa2589af4d662d0c35231e9e1e291
  • 0eb148582c01d74361a630671d8c4d7f2577cbf09bea123f16df962e4b7d3df8
  • 0fa00710b9232318f7288b3723436ccc51714089030fabe581a00cd057b71865
  • 0fcb3e096368ecbe9d96c2c88ef721c29b596db298a6790a27ccab7bffe5a12b
  • 103517b74d9bc58c6a54d0a635ef45417540aeb5d8b5809ad110abb4685b0c2b
  • 10de95456a338a6f0edc9cd277ed314380a335dcc8e921e6eb7b40b526bca0fc
  • 130cd09e0e050acf6b75411b57c1146cd6f177f765e8cde272bd45b641e068d8
  • 13f983ebe9787626f1fe2e6615ad9c8cbc997b363ad9c2f91a1295a9a1db65db
  • 1677324000e28746b206c781a6b653f87b69e144c18d5f366aa9f0f2af83a8b7
  • 1768e3f32fe5c938f3baed815000b18020b10dd8ac440aa4bef7258cab863395
  • 177644a4e59f0f0b468e176972895a55b724fc19db205f555e98c06851982084
  • 179f11a15d4a284bf8e10002663f744bee9903bb2c8eae9e22308a49bca9ff03
  • 17f46c0701439f25126d59dd4b3b8c4cb131e260cc199bb8bb61414128fd3aef
  • 18adeddd8205122987da070c640e8eaf72e2e4bc5f2f58491a5e83f7ed6c2c25
  • See JSON for more IOCs

Coverage


Screenshots of Detection AMP


ThreatGrid

Umbrella


Malware

Win.Trojan.Winwebsec-6935682-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 		10
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 		10
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin 		10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start 		10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\svc 10
<HKLM>\System\CurrentControlSet\Services\luafv 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
Value Name: Start 		10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: RPSessionInterval 		10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware 		10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C 		10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C 		10
<HKLM>\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#
Value Name: CustomPropertyHwIdKey 		3
<HKCU>\Software\Microsoft\Installer\Products\98BE0FA9BD7E903C000098BD76F2968C 3
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\98BE0FA9BD7E903C000098BD76F2968C 3
MutexesOccurrences
98BE0FA9BB7E8E3C000098BD76F2948C 10
98BE0FA9BC7E8F3C000098BD76F2958C 3
98BE0FA9BCBE8F7C000098BD76F295CC 3
98BE0FA9BD7E903C000098BD76F2968C 3
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
123[.]108[.]108[.]42 10
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
N/A -
Files and or directories createdOccurrences
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.ico 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk 3
%HOMEPATH%\Desktop\System Care Antivirus.lnk 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus 3

File Hashes

  • 10b34c1a0b739cd6c12e2926372afcd0cbf6f95be9d1b45038144bd3efb5eb79
  • 1a448e78d2668f4dad016aca5092107f4d1ee19dadf8886e8a0ec4e2b550b317
  • 26a08a46deffe995ba67d9aaf547b55a265fe513a8293d51f3f9f0b3d944808c
  • 72f94e87b1fa1393360d9cacbdebb1ffebd5754c7d93121e0e887eacb8529c87
  • 8725d076eb421b4e4737792ad07647db9a263e4da2f0436bccd6c8ff9f752d39
  • b18e5830f0e557d72ba6ba2dbb59da23cf8e2539148efc51ed01a0364210b06d
  • b4b5fdc7fcf6f86a9ffba97a9d2e159f0078e9ffc090deb948660a3c8e5cdd07
  • d45ba937d7d532907d5da3fc979a96b1efa5e9c9a4c6b5c45f683925a9524ac2
  • d54730e93be5c4d17de56a904aa56610c06fdf425083277343c9ece4ecc922df
  • e165145377ae247117657cb0172fd7767907dd1ee5d4a698cbf58a6f4af03624

Coverage


Screenshots of Detection AMP


ThreatGrid

Win.Malware.Tovkater-6936213-0

Indicators of Compromise

Registry KeysOccurrences
<HKLM>\System\CurrentControlSet\Control\Session Manager 14
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations 		14
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager 10
MutexesOccurrences
N/A -
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
185[.]53[.]178[.]6 1
185[.]147[.]15[.]5 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
MIRRACLEZ[.]CLUB 10
mirraclez[.]club 10
zaltzburgopportunity[.]top 4
binocularhearing[.]top 4
CARIBZ[.]CLUB 2
flowergroup[.]top 1
binoculuz[.]club 1
BINOCULUZ[.]CLUB 1
backverge[.]top 1
gaslight[.]metimes[.]ru 1
BACKVERGE[.]TOP 1
frock[.]encours[.]ru 1
caribz[.]club 1
lurk[.]ecolleague[.]ru 1
simpledrive[.]top 1
Files and or directories createdOccurrences
masrra11.exe 8
imasrr13.exe 4
%LocalAppData%\Temp\nsnD405.tmp 2
%LocalAppData%\Temp\nscD4B1.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsnD010.tmp\INetC.dll 1
%LocalAppData%\Temp\nsnD010.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsnD010.tmp\cmutil.dll 1
%LocalAppData%\Temp\nsnD010.tmp\colbact.dll 1
%LocalAppData%\Temp\nsnD010.tmp\icrub.exe 1
%LocalAppData%\Temp\nsnD010.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsiD435.tmp\INetC.dll 1
%LocalAppData%\Temp\nsiD435.tmp\X shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsiD435.tmp\Z shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\cmutil.dll 1
%LocalAppData%\Temp\nsiD435.tmp\colbact.dll 1
%LocalAppData%\Temp\nsiD435.tmp\msimn.exe 1
%LocalAppData%\Temp\nsiD435.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsiD435.tmp\shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\xantacla.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\INetC.dll 1
%LocalAppData%\Temp\nsiDC21.tmp\X shmgrate.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsiDC21.tmp\Z shmgrate.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\cmutil.dll 1
See JSON for more IOCs

File Hashes

  • 4f8cf035324575449ee73dcfcc1ecededc5d1f3f8a4cec2f0e85455516207eb0
  • 9fc837165be91f7c7042e1dbcc4db8dd38d002f9214b861db6214c636055bac4
  • a40c7290af61e7f34282faf839982f9fbb33db423751ce59d11a156140e711ef
  • bd9f2de34957bcd509e47fcd7cd7e7f2af01b0e5078c0823680cdcd1d753341a
  • c880d5254c7e1d5723862100c2d57bd3cbcaad6560437ac59bd1071172980197
  • cd69efb3bb139a1675b90690635f8584896fc10c1f85be17f92206f8d856289d
  • d6dc00609f709cc451cb61f1d77fc84e8572494ebc3ba0de80518f7ab234384e
  • e82dd6108b2272e13f6365d75943de81b4196cfa4d885a78a2ac3665249ba2c5
  • f102bc0d0ebe8adf4486b0567c9ab493faa619aa1ae48ac3572ecb23b2de9836
  • f997bc9973d1bac7be25513c9ef80783949069a00732fd630e74876a3019dd3b
  • fcec660083595a7956cc13f9815ce23edcfbfa3e82c150a2f0fe6c0449433ce0
  • fd7696f075bb712bd4d7f14dad9c297d99669d3b1c61e51ee2dae4cfa897b9ff
  • fdac4b0e291a27c91cd3050c4e811d4fe33bb2189e44015d0d5a88f168441815
  • fef0d09e80bce24d232f60977972934eb9b1a984f4b42fac5a9d9ebd93757127

Coverage


Screenshots of Detection AMP

ThreatGrid


Umbrella