Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 14 and July 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

Doc.Downloader.Agent-6333860-0
Document Macro obfuscation
These document downloaders are Excel worksheets which use obfuscated macros to trigge Shell functions and leverage cmd calling powershell. The execution chain typically is Excel -> CMD -> PowerShell download and execute.
Doc.Dropper.Agent-6333859-0
Office Macro Downloader
This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
Doc.Macro.Obfuscation-6332451-0
Office Macro
Malware authors leverage Office documents to compromise a target system. To bypass anti-virus products they will employ obfuscation techniques. This cluster uses Arrays to indirectly access data and reform it into the required data to evaluate.
Js.Dropper.sPowerShell-6333821-0
Dropper
sPowerShell is a JavaScript dropper for both ransomware & information stealers that are written as PowerShell scripts. The script itself is encoded with Base64; the original JS script is responsible for decoding it. Once decoded, the PowerShell ransomware gets to work on encrypting files based on an inclusion list for file extensions. It will not change the file extension for affected files, & it's up to the user to discover these modified files or the ransom note that is left for them. There is no automatic prompt for the dropped ransom note.
Win.Trojan.Agent-1388716
Trojan
This polymorphic sample is a dropper that will create copies of itself on the hard drive under different random names to ensure persistence. It can carry different malicious payloads, so it can be used as a delivery mechanism for different types of threats.
Win.Trojan.AutoIT-6333854-0
Trojan
This is an AutoIT malware which is packed in a self-executing RAR archive. The malware is using process hollowing to hide itself from a debugger, is communicating with a remote web server, steals passwords from Firefox' password store and adds an autorun registry key to achieve persistence.
Win.Trojan.DelphiSpamDown-6333856-0
Downloader
This sample is a Delphi downloader. It is spread in the wild and it is related to a massive spam campaign. The binary is written in Delphi and contains anti-debug and anti-vm tricks and tries to contact a remote server to download additional resources.
Win.Virus.Virlock-6332874-0
Virus
VirLock and its variants are polymorphic ransomware that not only encrypts the files on the system, but also infects them by inserting a modified version of its own code at the beginning of each file. It will replace each file by an executable disguised as the original file, with the same icon and its "exe" extension hidden. Once executed, it will infect the system and show the contents of the original file. Additionally, it locks the screen and asks the user to pay a ransom. It will try to connect to google.com to check if it gets redirected to some localized google page such as google.co.uk or google.au. It will also try to spread to network shares or cloud storage platforms, in an attempt to increase the damage and potentially infect other users that may inadvertently open shared infected files.

Threats

Doc.Downloader.Agent-6333860-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

52[.]14[.]80[.]76
52[.]173[.]193[.]166

Domain Names

farmona[.]co

Files and or directories created

%TEMP%\CVR668.tmp.cvr
%AppData%.exe

File Hashes

01c4f96c8117df219cf9f50723454ace242edcf2d22b09e8e72c5d0c92aad540
01ed6302a7ea8d4c54d439b7016b99b6dca275f85d22611811bac8c135309d41
0634216b34baf0fdc293002632932312293fc4854701b143c6f4735e8cd98b45
070e56e7170fc63c1c42c3b0b37df5a25f5c7e2e0a5fd454e8e8e63de2b71bdf
07aa3365d733098e11e91ece1628130217414488d3fce0e2e261bfb29ab6fed9
0be6e5bb277cbe815beced059aa5fb5160954dc8fd3fef918746caf276cc82a3
0fc8af1a3deb4d2895b9bb202278299369a16950239288577472bc06fbf07e4b
13fd575d1474ae579f55615733f75fa50231447b8653e6eb58678103ee82e99e
1b01632e1a44445124165ed61592527fe649a32ed889ee75fdb73d07bf396812
2248f89b848781c0405cc0cead60172ec75e035aca12e8c147818192fde2266d
204ecc72a94c1d1ef60a08ccb132a5123d2e8dcfc16ef1cacebb20887049ec2d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Doc.Dropper.Agent-6333859-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

atlon-mebel[.]ru
ayurvoyage[.]com
enzyma[.]es
inormann[.]it
kms2017[.]com
pta-babel[.]net
studio80[.]biz
sxmht[.]com
test[.]atlon-mebel[.]ru
tidytrend[.]com
westsussexcentre[.]org[.]uk
wizbam[.]com

Files and or directories created

%TEMP%\proshuto8.exe
%TEMP%\~DFFD1107AB284DD884.TMP
%TEMP%\serenade8.TEMP

File Hashes

026b944764ec5f0f342b2f532e18093627930a1c9810d235a4893ecbbbe4eaee
04f5160bf3126ad52a819a86cf4807dc83c89a4e5a2643b49b3fe60bf01c8419
09a43a41f182b0677d28b7e9cc685d1217f5c1fca63af4418f0a9ef776f6dd0a
0a0bf44d664575b194063536138d0b5ea9d3583e956e675462b55decf4ad73a9
0ea9107334209b304b650ff86854862d4eed68e616aec015618853b1d6a3c001
1c32493b72d3c3da9b7d4b9022edfdec445a7feaa261e621799c1e45241b5b2f
1dd941235ba3aae55c0f876131d6381ef47c4c37f6be0116b61a5ff0ddf4da6a
201a567836576380edc8d7a1b7f2e70c4127faa7ea541da4d7e0457401b2b492
2debe28ebdeea8789a136170782018789d7ba6e8d07b8289231c8b6aa509a839
351376c7a04ab7bf3f4a22b124165c4817d7fefe35dd2d0834cd3fcf3c580043
36ac209d2115d4b64b3b2b41b8731235168ac71d744740dbbc73f6c13cc85bab
3ceb74963648d8adf4b47303d74d344628257dc36cf87a4330099fc264fe6ae5
46bdd38ab49faaed1aa40c17d17e2a45ba87236dee0802c6e9e1385bfc1fe261
4aca7a72441a2100f4d40348e813ce0bcdb87e7d311e4e2e3b1dc53eecd9f149
4b62feae568e3aaf8510897ab6c674283a7d133d4e72b4aaa4864a465bd88807
4d4906439c50c3c8e80b40e0f1135f3c6df31b1fa596f668d4f8c48ead902dc3
5e7442c9c6b95f9a7af5ce9a08b1d61852e1da901ddf96e1604374be36d823c1
6274606653a2bb4470d3acdd72f11af37827253f5a728d539da9be0a6fb12db3
631e4b651c157a1179bd28fc71cc072a933ec7a9be962fa4e758963c4f450673
6994c078ad88915221a6679dcab25f942a6799c998bfffd36004f500faf1d2aa
69fee7f159df45b2f3fe177b0e4f8377b2f281d907c15ce69b3f5fd43592d297
6a7fcf70672bec03c73443dc26ad8cd5dbed6227de7073d7d37d2c920d3ca5b7
77deb4917f19577c06643e0268b96b12050d6814c07e961f84bd143189ba23b8
7b28472b8552e2f9f63126a66ef1bec226acf49919e821c8204e0142864af7c2
7c31ebd234e9ea4e8e5176cca74f95cf6d0f8ebdad6f5bae0aa07229cff3557a
8046e1b4a24d714812f4fcfa7f7debfa2057a83c8631b7e2112d37653c83aa04
8902a87a99470edc2210af7f660ae3f1d032a4e764ae5415f00b3de4e873715b
9217691c969ca90bba7e68648c5d52c1fec4183f2837adb407b55e6957cc62c8
95dfa7cb08275d55c2daa3dab39cd3502ed8e9221501ccd43096c4dcb69574df
9a7972ec543717861bf0030e35069c5d672ed0447a1f7690f8e3992329b4e08f
a5067cd834500ad631443d66f52a8454adedcc316bdd9a9f340587efe3d71862
a912eebe77cd06413744e8bca95c7bc4d7200a82097178cbfd478778d89afc16
af598ffbba3c59ce109d2ddd9ef58425bd3a8a70bbbea48b14460dcef21704d7
b1828e83a4d01b45adb238165e17520f5853a2a8d1ac083d2f6130be8813e5fb
ba9ae0515d7d720634114de6f669bcb9c9bc8bebb9b30df98585b8c2751cb419
d34e29aeae628324e27067f1b0ed9895b335a99eed2bad836b2cb08cc311276e
d3a1dc1018514102ce83b054374a0422328ba812f78a9fee7d17b224a7b7fb9b
e3a122deee0913710df8e2d8137f089123e455195a6d71dac072343fc8e48c2e
ec67964a20940b42a58a3149327e519c97505ae0227566d31a72e94a31add0b4
ed8779e9e0231c4882152bae2be367a9cac0d2b270a5fba8d9dd56ccd6ddcb34
ee5b16b15dd712ff7e0ada9e6b93da04fcfe9043e53a605d0ace1fe365f0bd54
f0892554e22c923645f20e9de0920199a791f744dee18f9c8df7f0b0ffa954e0
f921d1fd16fe5735f1abab55e836fd6817e9d6e340d0d056af25b7214559cf7b
ff29411724d4cac3a6553ab621180f8a2c05cf01573c97873061b9df9ba57246

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Doc.Macro.Obfuscation-6332451-0

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

185[.]165[.]29[.]36
52[.]173[.]193[.]166

Domain Names

Files and or directories created

%TEMP%\CVR65CC.tmp.cvr

File Hashes

41b9c93fed52bffe68d03abbcbe42086a9baf743d56f9262abd5b4c7fcbff951
4c5f92378c3fe002163abb763ab30de3b167512255af8f90c0ab7ca85e15fe7f
8c0559c86e7879ecf25442bc0a8105193d44e9641ac939077d43f6c4dcfc4e9c
727d8957c910dd733b4960f22535e61375e417cc521b820ae8a917597af86295
a84e3659977948b8f14cb2bfacef19d997463e779fed8750fa2d44b4342584b4
a4e076bdea2bdc1028d232079b0bcf42a9b4997fb43e78fbda745f6bb047612c
404de9c0ea3f8061c69e0dac80c6706e9ad263059ed845f1d69fc77b367a51aa
7ac2d7693119e8e07ee9ab0979a219f99763deb2b4134e8a6c18cec7aba1a76a
29015d08a221749ca7cd1b9526ae4c434457199ac3226236f9e57fdb01b21213
1259e834561574787f5e8c6f0fd7e3af62ce566317275ad6e0484b2d2d02904e
341b86bd427dfca140ef6b3f47c7f269fe3ada974692237cc038f5910326d806
5d91e7426fb87e5f2c9a5aa575d8bc0e98b7e1a09947dcb4e4943c5c047933d9
f11534d903c19da7f9b951419fb31fc8027c27f7ed7e3fdb89a923004a838ca1
513a70f9692100bab9aee761125a446c7a7fb2ddd8395810f64c73cedd664f8e
f2fee82c08af4579275a7bfd7859bd9031c43a4c871ab6bb1d3fe1d699c020ca
a0b29989213e1c2e08bcb136d77164251fcff105c640a9ba75f9ed87c6a0407b
f04ce92cb9f190f8c06d444ac5431f637b6ea8ba864201a549903e3115968403
3743bc035609dc41608e2580bd9ee1555bbd8e9311dcf879e12821ce40727db5
ab004137cd4eeff2528c749bc80fa8c05be279fbadf54fd48eb433a63ba9ebaf
2611831b22f6b0df892e363d429a666b5a4bb9303a97b30c527fb4f43379a462
0dd337e3bef51dd39867317b47870076c8bda3efede772fc571b48d59ff79bcf
ec0aba7dec0510afc007260370f08f166f6aeadbf0e38206aef3b2df96c6fddb
58bcd393831d35adf5343ddeaedc3de4f9b4c11565cbcb21e220ef20d34061d6
7531238a3e7a788700bef153d999c6527975c108176e435a0ca200e15fa08d5a
5702fa93b08399d8f8d7d1ef1eb2902e7f37a9bbaaf5d9aa6b85a2844224662e

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Js.Dropper.sPowerShell-6333821-0

Indicators of Compromise

Registry Keys

HKLM\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP

Value: Collection

Mutexes

Sessions\1\BaseNamedObjects\_SHuassist.mtx
Sessions\1\BaseNamedObjects\DBWinMutex

IP Addresses

Domain Names

joelosteel[.]gdn
ipcaservices[.]xyz

Files and or directories created

%USERPROFILE%\Desktop\_README-Encrypted-Files.html
%USERPROFILE%\Documents\_README-Encrypted-Files.html

File Hashes

7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c
cce0da7814b5966ffacfecacec0e87aec83989889b56e4dc37eed7873b51617f

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Win.Trojan.Agent-1388716

Indicators of Compromise

Registry Keys

Mutexes

IP Addresses

Domain Names

Files and or directories created

%SystemDrive%\e86nw5.exe
%SystemDrive%\4kh4ht.exe
%SystemDrive%\ucrr38u.exe
%SystemDrive%\fllx91x.exe
%SystemDrive%\9f2c5u7.exe
%SystemDrive%\022240c.exe

File Hashes

6ffc7684a7ce4e263d0018310e03f4c81df776cd2ad1fdb26e0cb46ee5a9d899
588d681952c3d07a6f2dd740e6253a6160a37ec3d80d376f742b2f1c9e9fa3a5
0c27abc4b32cd84d8ed11907d8b47e0caa41af884efbe599e287978ad56cc6d4
56fc60eff1ce21bc0662abce0ce74834e530b4baf297f055bdfdc5bb77c22ec6

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.AutoIT-6333854-0

Indicators of Compromise

Registry Keys

<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mutexes

IP Addresses

Domain Names

cn67975[.]tmweb[.]ru

Files and or directories created

%TEMP%\fjs\[a-z]{3}.(ppt|xl|icm|pdf|txt|bat|docx|mp4|bmp|ico|jog|dat)
%TEMP%\667796.bat
%TEMP%\fjs\svu-mkc

File Hashes

927bd28d825adc6569d1e307bd3709f73350b3ca2b0f98bbbdd2370526ae19b6
bb51a0200e84137fb1c07e39fbd7f0ded1eda78d3c95cfa1e16887f0762ab665
2cd44a3204106c4fa3e11c310f21a3d0a89795ae90cad00117c779386ea619fd
83a482b1771474915838db7251d00cf12ae5171c04966621bba82c5829e57b4a
a831d5503c549917d333d45c72532f0407ed306ca5c95478dad11cb34342ca60
f8305d63f8d4ebc4b4c4bea7c3dd75b3d3c3f53aa2f28cc789a2573d55b83613
ea047fca20938acaeaf82d7753a86bdf9c6ed1bcb6573634d8f515d15b6ddd13
62f72450c470bd01096766ac25e8b6ca4edb79683c2ee5b2cc89ec2234983c44
38dfdc80844d6f6b0d1a73843f1a4704d7bb12cf2ca61d98a54d1cdb5722ac66
f81a37d816c639fd977d7781f7fe54cc51e2e34aa3bb8bc877c74ae140025003

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.DelphiSpamDown-6333856-0

Indicators of Compromise

Registry Keys

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP

Value: Collection

HKU\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKU\Software\WinRAR

Mutexes

DBWinMutex

IP Addresses

92[.]53[.]96[.]122

Domain Names

cg51478[.]tmweb[.]ru

Files and or directories created

\samr
%System32%\wdi\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{debd4f12-5573-4e21-a11a-2adccd61a055}\snapshot.etl
%System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{bc3d8877-b46d-4746-b041-b538af5e2cf0}\snapshot.etl
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\713906.bat
\TEMP\scan sample.exe

File Hashes

d603a19fb425aa77308ee7d3527f03e0a455667aed2030b4fc2c46388a230dad
f23220f487d021aed897deee04e7aaada2521d096406517cd3adcacf4754beac
72464898f83126f1a89d76cf76b2867b58655b3b316c2000dd185f2c31a4d786

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Virus.Virlock-6332874-0

Indicators of Compromise

Registry Keys

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: ObjectName

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: DisplayName

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: Type

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: Start

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Value: rgwIEcIs.exe

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: ImagePath

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

Value: IMMwgswc.exe

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

Value: HideFileExt

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED

Value: Hidden

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VOSIYOAG

Value: WOW64

HKU\Software\Microsoft\Windows\CurrentVersion\Run
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VosIYoaG
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mutexes

\BaseNamedObjects\OeoQEIQU
\BaseNamedObjects\JMcsAgIg
\BaseNamedObjects\eKQoMYQM
\BaseNamedObjects\rgQAYgUk
\BaseNamedObjects\juAkwAUg
\BaseNamedObjects\WUUMAwEY
\BaseNamedObjects\LIAAoosI

IP Addresses

Domain Names

Files and or directories created

%SystemDrive%\Documents and Settings\Administrator\mYAMwMEo\aYEsEocI.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eAsoAsoc.bat
%SystemDrive%\Documents and Settings\All Users\xEQswAgE\hEEskAMI.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\file.vbs
%SystemDrive%\Documents and Settings\All Users\keAQYows\Ngwockko.exe
%SystemDrive%\Documents and Settings\All Users\eCQoYwsY\cOIkcIIs.exe
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f1d2_appcompat.txt
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HAIgcwYY.bat
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\JikQIUos.bat
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1aba_appcompat.txt
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BywQYkYY.bat
%System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{a69f0170-8245-4aed-a99e-3b0aad202ce2}\snapshot.etl
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vgMUkcEw.bat
%SystemDrive%\Documents and Settings\Administrator\HQcwsEQk\iUEAMAQY.exe
%SystemDrive%\Documents and Settings\All Users\wkkIwsUo\FcIoIUwU.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\oiwwooMU.bat
%SystemDrive%\Documents and Settings\All Users\UUkwYskE\tIAMksoQ.exe
%SystemDrive%\Documents and Settings\All Users\TiggsEgM\iigYwggc.exe
%SystemDrive%\Documents and Settings\Administrator\josYsEwI\IEkIQAgg.exe
\TEMP\f903440f2b8e05fde78b17ad34bdae047604a33af999aaee8954dc1f689d3298.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B291D.dmp
%SystemDrive%\Documents and Settings\All Users\OUkAAEIY\qaMAkEQc.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NuYsMUAc.bat
%SystemDrive%\Documents and Settings\All Users\ymYgUYAo\PqUEkQUs.exe
%SystemDrive%\Documents and Settings\Administrator\SKsYAMwU\OugokkEo.exe

File Hashes

81bec8df30db0bd694ecf01d3950fbe91823854ab017c0cb176d32c9ada3f202
d49a98d35bcb6ff16206c6d1e1495d4ddf9f1911f785bccda24c2b1e0bfe3d03
6cff1fdde90a5708301b2d3c48729ebf3be7bb4a8f0e6992406affe034ad0a0f
94549c01f4ca88d7169141b7a8aaa0a79a28e2770811ef84febd639af70c7a74
824eed3471a9f86836ac4bced8a5ce7f57df95048a995dc0219feab771404f28
db2415f2259b7ec9aaa6ab004a659753ad51dafccbc8696f0a5e906750304efc
faaa74146e151d525e94e536ee2605a76c8a0d1699024979181712a03b249f25
7cd99c34887ea6213f18347720d7b1d257969f821bc78f6ad128f55ff137096c
61012a5ae49bcfc6c31110b0117c9ed3d3f810cb8053857ef3017b403aeb4ad0
6161ca5b2cd218ae1c277e6fcc509f571cc409ae4b2aba007d0e1ef28057fd7d
cacc1b16c233ad74c95b051edb5542a2824441314aba3f12e0397b857222c0a9

Coverage

Screenshots of Detection

AMP

ThreatGrid

Screenshot

Query Builder