Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this round up are:
- Win.Dropper.Zbot-6533101-0
Dropper
Zeus (AKA Zbot) is a trojan horse malware package used to carry out many malicious and criminal tasks. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. - Win.Dropper.Khalesi-6535750-0
Dropper
A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function, but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host systems. They are commonly distributed via spam, drive-by downloads or embedded into games or internet-driven applications. - Win.Dropper.Gandcrab-6530134-0
Dropper
Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB" or ".CRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
THREATS
Win.Dropper.Zbot-6533101-0
INDICATORS OF COMPROMISE
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyServer
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyOverride
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyEnable
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoConfigURL
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: SavedLegacySettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: DefaultConnectionSettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
- Value: CheckSetting
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
- Value: CheckSetting
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
- Value: CheckSetting
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
- Value: CheckSetting
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
- Value: CheckSetting
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
- Value: CleanCookies
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: internat.exe
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: {1BBA4DA8-81FD-E86C-47AD-DE1A52F353F7}
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpNetbiosOptions
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpNameServerList
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpDefaultGateway
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpDomain
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpNameServer
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpSubnetMaskOpt
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- Value: DhcpInterfaceOptions
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
- Value: DhcpDomain
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
- Value: DhcpNameServer
- <HKCU>\SOFTWARE\MICROSOFT\NAEGOP
- Value: Kypuubb
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: UNCAsIntranet
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
- Value: DhcpScopeID
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <HKU>\Identities\{20DF22BC-6CEF-4DC3-9D67-B017F18A4D87}\Software\Microsoft\Outlook Express\5.0
- <HKU>\Software\Microsoft\Bole
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4
- Value: 1609
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4
- Value: 1406
- <HKU>\Software\Microsoft\Internet Explorer\PhishingFilter
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2
- Value: 1609
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2
- Value: 1406
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1
- Value: 1609
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1
- Value: 1406
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
- Value: Collection
- <HKCU>\SOFTWARE\MICROSOFT\Naegop
- <HKCU>\SOFTWARE\Microsoft\Naegop
- <HKU>\Software\Microsoft\Internet Explorer\Privacy
- <HKCU>\Software\Microsoft\Windows\Currentversion\Run
- <HKU>\Software\Microsoft\WAB\WAB4
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
- <HKCU>\Software\Microsoft\Internet Explorer\Privacy
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <HKCU>\SOFTWARE\Microsoft
- <HKU>\Software\Microsoft\Bole
Mutexes
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-A687-6AA2864FE740}
- \BaseNamedObjects\Local\{A3B40D9B-F602-0E7A-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Local\{A3B40D98-F601-0E7A-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-0E81-6AA22E49E740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-AE83-6AA28E4BE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-FE84-6AA2DE4CE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-E682-6AA2C64AE740}
- \BaseNamedObjects\Local\{881268A9-9330-25DC-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{C252BB8C-4015-6F9C-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-6680-6AA24648E740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-8A81-6AA2AA49E740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-4E82-6AA26E4AE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-D287-6AA2F24FE740}
- \BaseNamedObjects\Global\{C252BB8D-4014-6F9C-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{2A12683C-93A5-87DC-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{CEBE6CB8-9721-6370-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9283-6AA2B24BE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-2683-6AA2064BE740}
- \BaseNamedObjects\Global\{CEBE6CB7-972E-6370-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9A82-6AA2BA4AE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-368F-6AA21647E740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-5E8A-6AA27E42E740}
- \BaseNamedObjects\Global\{A86A58AE-A337-05A4-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-BE86-6AA29E4EE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-2E8D-6AA20E45E740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-8E85-6AA2AE4DE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-C684-6AA2E64CE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-4686-6AA2664EE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-1A83-6AA23A4BE740}
- \BaseNamedObjects\Global\{D1EC3E61-C5F8-7C22-9284-6AA2B24CE740}
- \BaseNamedObjects\Global\{320B4DE2-B67B-9FC5-E1A6-CDF8C16E401A}
- \BaseNamedObjects\Global\{3D11D76B-2CF2-90DF-E1A6-CDF8C16E401A}
IP Addresses
- 185[.]24[.]234[.]54
Domain Names
- N/A
Files and or directories created
- %LocalAppData%\Temp\tmp60e9fbcd.bat
- %AppData%\Neku
- %AppData%\Neku\amto.exe
- %AppData%\Leolo
- %AppData%\Leolo\peogh.vus
File Hashes
- f5dd87d465516dd03308ae2e7673681fc497d4c30751e5a0fcefdf320761b56e
- 48fcb5ce8670e1829205abd6a911937a9b591d079067c8b25f6867bac059897c
- a6b52e4b6803092c91f81aeff5093cdee346b810b415b7b82a24afd63a33c309
- 59de88ff962f019ad7b0bc2b242120ff0c916743c975f74c169247809ae2cfa5
- 158a7f507f494481083c4137dbb11474d7d8625c4ca45d0554caa4fcbb903992
- 8298f4cfb3d5d6838bdebc4642e6b3aba2b1e74562014be11f6fc106af1be491
- 28a2e64885f1aa2d81fefb0fda91ae7eb2801dfdbf4d9dc65f3848e4bdbf4d65
- a3a4c038aa654a5dac595465222404deef3f133828f6209f42ea8395156205da
- 5f9afad7831895772534737ac2c036b1b65d02a46bc0f91ea0ef2879de3ba8fb
- 1392b5afc478adfc11e6690ff6b6f9d55658bb2edf064b1cfbf655e674dcdc0f
- 7326ec6dcf89d8e86d797ab70d4a8ad1a08b672af0c0a45cfb315ef83685cf43
- 908f86c043b0bb012e639d6c2b102a6af11288b7596c574abc4734213f5d95cb
- dd8c0af99b112521bfebdb19afa5fe130925d158703180063c2b2c027b8adbc9
- 38a951f8f57f1028a92d658841df63068d0a59aa9f140087870b2b6450002baa
- f92989215865e61e5cfed94d716d37b4b9fdd92ddd3699ab269b2dad39d0e93a
- 03eaea48946117d85dde3d2a4668eb24b94323a255bc1fb7536b1de2bd888e74
- 8db0ff52b62f3f07bc3c7a359dd06cf78e875a18f8b5120107a7f39bed3243b9
- 6baab60dcfdbd2ee3dbb012b1a00d063a4b05305a444f7ffe633d6175dca6852
COVERAGE
SCREENSHOTS OF DETECTION
AMP
ThreatGrid
Win.Dropper.Khalesi-6535750-0
INDICATORS OF COMPROMISE
Registry Keys
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Mutexes
- N/A
IP Addresses
- 204[.]11[.]56[.]48
- 74[.]220[.]215[.]63
- 184[.]168[.]221[.]42
- 198[.]54[.]117[.]217
- 187[.]84[.]225[.]36
Domain Names
- www[.]backpackerdesi[.]info
- backpackerdesi[.]info
- www[.]lovelouevents[.]com
- parkingpage[.]namecheap[.]com
- www[.]riopumpen[.]com
- riopumpen[.]com
- www[.]shungavietnam[.]com
- lovelouevents[.]com
- www[.]tourniquetleash[.]com
Files and or directories created
- %LocalAppData%\Temp\~DF84B5AD10771E60C5.TMP
File Hashes
- db560e6239674b9b4ea242d13e83269bc7cc26972bfc36d1ca729a95bec86311
- 214252466a63120c1473180e5f4d2558f59a6a12aa8f3c38d3d5f45712965d7c
- 093bd942ba8d60e579f1f6ec68f997e609d1ec2d1dee37369ea61e33d175ab0b
- 8c668d6ec3c6a619342d674e6f696403bcb872342fa17d7b18642861b4c9b596
- f40486fa225ebc8fdfc133136453d84649860c55bdb03966f58500030c4d50d7
- 58182cbb334d50f9758cd669ead059ddd8902fe0902bc8e3a9b5d9ad21906a0d
- ef52d2737ded930694deb98880041e97a22be13240e143e9fe7c665dd8ba486d
- ba8e4a8555628171ee51b9730e3d5fb549936921645b34e4bc5669573fa1fccd
- 6972e8b418b60905c630c80c8476b43c941eafab0e0f79ebe6a985e3e60bdb00
- f047a66647005edfb80ce99ce23dfab6874989081d3ff33c0795ccfddb47b0c7
- 8aeecbac14b07c7498a0a14ec5f6faba3586ef253e63a6ff035090e937cee4ad
- cf0425375056e906b8cb739d432d724ac30870995915342bc275d047637ea54d
- 1b8f2e90a2be6bfbcb409b0a87236abddfdeb6c8f1e43c87dea1ad384b3853ac
- eb8f9802493874e099e8b026be2736f2bb15ecb5c3bc0e82a967fdcf1f319fdf
- 606d305ed683a5b6b32fb3d4d8f1567416b3e6e0cc57b2a2ae22abc23563fc13
COVERAGE
SCREENSHOTS OF DETECTION
AMP
ThreatGrid
Win.Dropper.Gandcrab-6530134-0
INDICATORS OF COMPROMISE
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: SavedLegacySettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: DefaultConnectionSettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: UNCAsIntranet
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _FileId_
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _ObjectLru_
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _Usn_
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _ObjectId_
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: AeFileID
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _UsnJournalId_
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: AeProgramID
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- Value: ObjectLru
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- Value: ObjectId
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\100000000967D
- Value: AB5
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- Value: _IndexName_
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
- Value: CurrentLru
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE
- Value: _CurrentObjectId_
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
- Value: zcwgnjwshlm
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
- Value: ExceptionRecord
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyServer
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyOverride
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyEnable
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoConfigURL
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- Value: 100000000967D
- <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value: PnpInstanceID
- <HKLM>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\ObjectTable
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\100000000967D
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- <HKLM>\Software\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\Indexes
- <HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
- \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=359814f23c28b0e4
IP Addresses
- 66[.]171[.]248[.]178
Domain Names
- zonealarm[.]bit
- ns2[.]corp-servers[.]ru
- 1[.]0[.]168[.]192[.]in-addr[.]arpa
- ipv4bot[.]whatismyipaddress[.]com
- ns1[.]corp-servers[.]ru
- ransomware[.]bit
Files and or directories created
- %LocalAppData%\CrashDumps
- %AppData%\Microsoft\jczhdq.exe
- %LocalAppData%\CrashDumps\82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3.exe.2772.dmp
- %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\7TZAD419.htm
- %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044\Report.wer
- %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044
- %WinDir%\SysWOW64\rsaenh.dll
File Hashes
- 82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3
- 8b0122198f51599af74f7e40783bf8f8273e8c5bd1a0e0747161bb3fb74bff75
- 1c69810013cb87242df28f48ff1b80bd006b2bd0cec8bdcb3ad0c0441a9c48a7
- 9ba83f1273348883e47f60b3497d14f259656d366cd9c38be1b15c99a4887433
- 4f5d759ad38c44b01c5442a985f25c10b2863ac890d26f42a3661a39eb6233d3
- 5cd57d70b048fa751d8d093614cb86096567958778c7bd99ac6ff0355b699d19
- a17fba572e8a74bc22061711196df78b603d6a857f8b687f55da21296b3cbba3
- 6637106cacc9767350a3ad1518e513996accbf45daeb9bebdffb699ae2d89dac
- a332b560a01b6e07a5810ec6428314c23e426ea4292280ee0d06bfc2201ac47b
- a7250b307556cb0e6716312dce166ce8d6329cdbbe1e7a7ec7d9ad8dc37bef1c
- ba7cc79a6b9ee4973b90ce17f4552a6c8a869ebcda495109e7558788f5dd4581
- 722d9b3b235c118fd93c35d76535310f32ef383037645f9539dd46eedbe908a1
- 749cc6d350bccd23970b70463abcd9efb782a35da7c03bc8de5c555f2bdda430
- e4b1789755f543b508745baaa7325e337e6b7f132cc5e051985ca677836cc571
- fd2de37d51a398725239f1c9943604506d52bb623ecfcbc40f6fb474cde9fbd0
COVERAGE
SCREENSHOTS OF DETECTION
AMP
ThreatGrid