Threat Roundup for November 1 to November 8

Talos Blog, William Largent, Nov 08, 2019, 2:31 p.m.
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Dropper.Remcos-7376444-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Dropper.Kovter-7376187-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. |
| Win.Dropper.Emotet-7375156-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Malware.Trickbot-7374019-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. |
| Win.Malware.Phorpiex-7373816-1 | Malware | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including malware that sends spam emails, ransomware and cryptocurrency miners. |
| Win.Malware.Zbot-7373691-1 | Malware | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing. |
| Win.Malware.DarkComet-7371375-1 | Malware | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. |
| Win.Packed.ZeroAccess-7370742-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. |

Threat Breakdown

Win.Dropper.Remcos-7376444-0

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Snk` | 8 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Snk` | 8 |
| `<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT` Value Name: `exepath` | 6 |
| `<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT` Value Name: `licence` | 6 |

| Mutexes | Occurrences |
|---|---|
| Remcos_Mutex_Inj | 8 |
| XLR4615DFT-CRBSFT | 8 |
| Global\0e3e6d21-fc20-11e9-a007-00501e3ae7b5 | 1 |
| Global\96ab2081-00fe-11ea-a007-00501e3ae7b5 | 1 |
| Global\d24f50c1-00fe-11ea-a007-00501e3ae7b5 | 1 |
| Global\77238861-00fe-11ea-a007-00501e3ae7b5 | 1 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 179[.]33[.]68[.]255 | 4 |
| 179[.]33[.]152[.]127 | 3 |

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| proyectobasevirtualcol[.]com | 8 |

| Files and/or directories created | Occurrences |
|---|---|
| %TEMP%\install.vbs | 8 |
| %APPDATA%\System32 | 8 |
| %APPDATA%\System32\Snk.exe | 8 |
| %APPDATA%\Runtime3 | 6 |
| %APPDATA%\Runtime3\1627.dat | 6 |
| %TEMP%\<random, matching '[a-z]{4,9}'>.exe | 5 |

File Hashes (see the accompanying JSON file for the full list)

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (AMP)

Win.Dropper.Kovter-7376187-0

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE` Value Name: `DisableOSUpgrade` | 25 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE` Value Name: `ReservationsAllowed` | 25 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `ssishoff` | 25 |
| `<HKCR>\.16A05D` | 25 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `vrxzdhbyv` | 25 |
| `<HKCU>\SOFTWARE\XVYG` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `tbqjcmuct` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `tbqjcmuct` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `xedvpa` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `xedvpa` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `svdjlvs` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `svdjlvs` | 25 |
| `<HKCR>\7B507\SHELL\OPEN\COMMAND` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `lujyoqmfl` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `lujyoqmfl` | 25 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101` Value Name: `CheckSetting` | 25 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103` Value Name: `CheckSetting` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `tnzok` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `tnzok` | 25 |
| `<HKCU>\SOFTWARE\XVYG` Value Name: `usukxpt` | 25 |
| `<HKLM>\SOFTWARE\WOW6432NODE\XVYG` Value Name: `usukxpt` | 25 |
| `<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>` | 21 |
| `<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` Value Name: `Blob` | 7 |
| `<HKCU>\SOFTWARE\YNRVKCYV3` Value Name: `kwS6y5` | 1 |

| Mutexes | Occurrences |
|---|---|
| EA4EC370D1E573DA | 25 |
| A83BAA13F950654C | 25 |
| Global\7A7146875A8CDE1E | 25 |
| B3E8F6F86CDD9D8B | 25 |
| 408D8D94EC4F66FC | 20 |
| Global\350160F4882D1C98 | 20 |
| 053C7D611BC8DF3A | 20 |
IP Addresses contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

| Files and/or directories created | Occurrences |
|---|---|
| %LOCALAPPDATA%\39b03\6a5cc.16a05d | 25 |
| %LOCALAPPDATA%\39b03\7cbdf.bat | 25 |
| %HOMEPATH%\Local Settings\Application Data\2501\1ffa.41d68 | 20 |
| %HOMEPATH%\Local Settings\Application Data\2501\aae7.bat | 20 |

File Hashes (see the accompanying JSON file for the full list)

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (AMP)

Win.Dropper.Emotet-7375156-0

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `Type` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `Start` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `ErrorControl` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `ImagePath` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `DisplayName` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `WOW64` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `ObjectName` | 115 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` Value Name: `Description` | 115 |

| Mutexes | Occurrences |
|---|---|
| Global\I98B68E3C | 115 |
| Global\M98B68E3C | 115 |
| Global\M3C28B0E4 | 42 |
| Global\I3C28B0E4 | 42 |
IP Addresses contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

| Files and/or directories created | Occurrences |
|---|---|
| %SystemRoot%\SysWOW64\spooleripspsb.exe | 2 |
| \TEMP\694.exe | 2 |
| %SystemRoot%\SysWOW64\spooleripspsa.exe | 1 |
| \TEMP\L6WtzMgB.exe | 1 |
| \TEMP\wdEnqutV.exe | 1 |
| \TEMP\pzcc3lk.exe | 1 |
| \TEMP\p1cvp.exe | 1 |
| \TEMP\ux68b0c6lxc0fow.exe | 1 |
| \TEMP\z825f3w9uh.exe | 1 |
| \TEMP\gcb5of4v1tlz.exe | 1 |
| \TEMP\ezxnt4.exe | 1 |
| \TEMP\39v3vti54d.exe | 1 |
| \TEMP\tdr3z0u10.exe | 1 |
| \TEMP\yqr4645h3g.exe | 1 |
| \TEMP\70vol09busiw7g.exe | 1 |
| \TEMP\2bn1wg8bam49.exe | 1 |
| \TEMP\afoly3.exe | 1 |
| \TEMP\yumjilsuex5ce.exe | 1 |
| \TEMP\2gb7kk6.exe | 1 |
| \TEMP\f80gj19dm6pg.exe | 1 |
| \TEMP\itb9yhf.exe | 1 |
| \TEMP\sd0ew7kemxl.exe | 1 |
| \TEMP\9b65hy6s.exe | 1 |
| \TEMP\5q1otsijpw2d6rr.exe | 1 |
| \TEMP\002109r7ga.exe | 1 |

*See JSON for more IOCs

File Hashes (see the accompanying JSON file for the full list)

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | This has coverage |
| WSA | This has coverage |

Screenshots of Detection (AMP, Umbrella)

Win.Malware.Trickbot-7374019-1

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER` Value Name: `DisableAntiSpyware` | 26 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` Value Name: `DeleteFlag` | 26 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` Value Name: `Start` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` Value Name: `DisableBehaviorMonitoring` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` Value Name: `DisableIOAVProtection` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` Value Name: `DisableOnAccessProtection` | 26 |
| `<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` Value Name: `DisableScanOnRealtimeEnable` | 26 |
| `<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` Value Name: `Blob` | 11 |

| Mutexes | Occurrences |
|---|---|
| Global\316D1C7871E10 | 26 |
IP Addresses contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness (see the accompanying JSON file).

| Files and/or directories created | Occurrences |
|---|---|
| %APPDATA%\wnetwork\settings.ini | 26 |
| %System32%\Tasks\Windows Network | 26 |
| %APPDATA%\wnetwork | 26 |
| %APPDATA%\WNETWORK\<original file name>.exe | 26 |

File Hashes (see the accompanying JSON file for the full list)

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | This has coverage |

Screenshots of Detection (AMP)

Win.Malware.Phorpiex-7373816-1

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST` | 13 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Microsoft Windows Service` | 12 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Microsoft Windows Service` | 12 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST` Value Name: `C:\Windows\system32\rundll32.exe` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` Value Name: `Impersonate` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` Value Name: `Asynchronous` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` Value Name: `MaxWait` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` Value Name: `DllName` | 3 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` Value Name: `Startup` | 3 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `pixedfu` | 3 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION` Value Name: `FFC6F26321` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `BCC6F26321` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` Value Name: `*BCC6F26321` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `00FFC6F26321` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION` Value Name: `C6F26321` | 1 |
Mutexes: see the accompanying JSON file.

*See JSON for more IOCs

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 92[.]63[.]197[.]106 | 10 |
| 66[.]199[.]229[.]251 | 3 |
| 216[.]58[.]206[.]81 | 3 |
| 141[.]101[.]129[.]46 | 3 |
| 141[.]101[.]129[.]45 | 3 |
| 172[.]217[.]7[.]174 | 2 |

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| ofoanefubehauufdu[.]ru | 11 |
| osgohfoeaugfoauef[.]ru | 8 |
| dio[.]shojnoc[.]com | 3 |
| dia[.]shojnoc[.]com | 2 |
| ieguaoeuafhoauedg[.]ru | 1 |

| Files and/or directories created | Occurrences |
|---|---|
| \_\DeviceManager.exe | 12 |
| \.lnk | 12 |
| E:\.lnk | 12 |
| E:\$RECYCLE.BIN | 12 |
| E:\_ | 12 |
| E:\_\DeviceManager.exe | 12 |
| %SystemRoot%\T-580580975794906058 | 12 |
| %APPDATA%\winsvcmgr.txt | 12 |
| %SystemRoot%\T-580580975794906058\winsvc.exe | 12 |
| %HOMEPATH%\Local Settings\Application Data\pixedfu.dll | 3 |
| %LOCALAPPDATA%\pixedfu.dll | 3 |
| %TEMP%\323221246224071.exe | 2 |
| \$Recycle.Bin\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\AppData\_HELP_INSTRUCTION.TXT | 1 |
| %APPDATA%\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Desktop\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Documents\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Downloads\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Favorites\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Links\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\Saved Games\_HELP_INSTRUCTION.TXT | 1 |
| %HOMEPATH%\_HELP_INSTRUCTION.TXT | 1 |
| %PUBLIC%\Music\Sample Music\12EAEF0D255F4C3289F8C16727C42FE6.BACKUP | 1 |
| %PUBLIC%\Music\Sample Music\20410F1A046679B6EE5BB84B050B5D6A.BACKUP | 1 |
| %PUBLIC%\Music\Sample Music\CD5F520B00FF264246AA4685031109F6.BACKUP | 1 |

*See JSON for more IOCs

File Hashes (see the accompanying JSON file for the full list)

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | This has coverage |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | This has coverage |

Screenshots of Detection (AMP)

Win.Malware.Zbot-7373691-1

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS` Value Name: `LoadAppInit_DLLs` | 48 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS` Value Name: `AppInit_DLLs` | 48 |

| Files and/or directories created | Occurrences |
|---|---|
| %System32%\Tasks\aybbmte | 48 |
| %ProgramData%\Mozilla\thfirxd.exe | 48 |
| %ProgramData%\Mozilla\lygbwac.dll | 48 |
| %HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll | 42 |
| %HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe | 42 |
| %SystemRoot%\Tasks\kylaxsk.job | 42 |

File Hashes (see the accompanying JSON file for the full list)

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (AMP)

Win.Malware.DarkComet-7371375-1

Indicators of Compromise

| Registry Keys | Occurrences |
|---|---|
| `<HKCU>\SOFTWARE\DC3_FEXEC` | 16 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `EnableFirewall` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` Value Name: `DisableTaskMgr` | 1 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `DisableNotifications` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` Value Name: `EnableLUA` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `AntiVirusDisableNotify` | 1 |
| `<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `UpdatesDisableNotify` | 1 |
| `<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` Value Name: `Start` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN` Value Name: `NoControlPanel` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` Value Name: `DisableRegistryTools` | 1 |
| `<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION` | 1 |
| `<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN` | 1 |

| Mutexes | Occurrences |
|---|---|
| DC_MUTEX-F54S21D | 10 |
| DC_MUTEX-<random, matching [A-Z0-9]{7}> | 6 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 88[.]67[.]72[.]218 | 5 |
| 189[.]24[.]196[.]171 | 3 |
| 187[.]14[.]155[.]193 | 1 |

| Files and/or directories created | Occurrences |
|---|---|
| %TEMP%\dclogs | 12 |
| %TEMP%\tmpcmd.bat | 1 |

File Hashes (see the accompanying JSON file for the full list)

Coverage

| Product | Protection |
|---|---|
| AMP | This has coverage |
| Cloudlock | N/A |
| CWS | This has coverage |
| Email Security | This has coverage |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | This has coverage |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (AMP)

Win.Packed.ZeroAccess-7370742-1

Indicators of Compromise

Registry Keys Occurrences
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start ` 8
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel ` 8
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32` 8
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender ` 8
`<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005
Value Name: PackedCatalogItem ` 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004
Value Name: PackedCatalogItem ` 8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences

*See JSON for more IOCs

Files and or directories created Occurrences
\systemroot\assembly\GAC_32\Desktop.ini 8
\systemroot\assembly\GAC_64\Desktop.ini 8
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 8
%SystemRoot%\assembly\GAC_32\Desktop.ini 8
%SystemRoot%\assembly\GAC_64\Desktop.ini 8
\$Recycle.Bin\S-1-5-18 8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 8
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 8
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 8
%ProgramFiles%\Windows Defender\MSASCui.exe:! 8
%ProgramFiles%\Windows Defender\MpAsDesc.dll:! 8
%ProgramFiles%\Windows Defender\MpClient.dll:! 8
%ProgramFiles%\Windows Defender\MpCmdRun.exe:! 8
%ProgramFiles%\Windows Defender\MpCommu.dll:! 8
%ProgramFiles%\Windows Defender\MpEvMsg.dll:! 8
%ProgramFiles%\Windows Defender\MpOAV.dll:! 8
%ProgramFiles%\Windows Defender\MpRTP.dll:! 8
%ProgramFiles%\Windows Defender\MpSvc.dll:! 8

*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but they were blocked by AMP thanks to its advanced scanning capabilities, which even protect against zero-day vulnerabilities.
CVE-2019-0708 detected - (47418)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected - (522)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Process hollowing detected - (244)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before that child starts running, the child's memory is cleared and filled with the unpacked contents from the parent instead.
Kovter injection detected - (196)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning that the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (99)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (90)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
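The heuristic described above, run over process-creation records, as an added example (not code from the Talos post or from AMP): it flags PowerShell command lines that exceed a length threshold, carry an `-EncodedCommand` argument, or request a hidden window, and decodes the encoded script for the analyst. The 1024-character threshold and the sample events are constructed assumptions; AMP's actual cut-off is not stated in the post.

```python
import base64
import re

# Assumed threshold for "excessively long"; the Talos post does not state AMP's cut-off.
LENGTH_THRESHOLD = 1024

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts
# any unambiguous prefix of the parameter name, so short aliases must be covered).
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed blob: do not crash the pipeline
        return None


def assess_process_event(image: str, cmdline: str) -> dict:
    """Score one process-creation event; 'reasons' is empty for events that look benign."""
    reasons = []
    if "powershell" not in image.lower():
        return {"reasons": reasons, "decoded": None}
    if len(cmdline) > LENGTH_THRESHOLD:
        reasons.append("long_command_line")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded_command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        reasons.append("hidden_window")
    return {"reasons": reasons, "decoded": decoded}


# Constructed sample events (image, command line), not taken from the post.
SAMPLE_EVENTS = [
    ("powershell.exe", "powershell.exe -NoProfile -Command Get-Service"),
    ("powershell.exe", "powershell.exe -w hidden -nop -enc "
     + encode_command("Write-Host 'constructed sample'")),
    ("powershell.exe", "powershell.exe -Command " + "$x=1;" * 300),
    ("cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLE_EVENTS:
        print(image, assess_process_event(image, cmdline)["reasons"])
```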
Gamarue malware detected - (89)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Fusion adware detected - (43)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
Reverse http payload detected - (33)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.
Dealply adware detected - (31)
DealPly is adware that claims to improve the user's online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on web pages. Adware has also been known to download and install malware.
