talosblog [email protected] (Alexander Chiu)
Sep 15, 2017 - 1:10 p.m.

Threat Round Up For Sept 8 - Sept 15

2017-09-15 13:10:00
[email protected] (Alexander Chiu)
feedproxy.google.com

EPSS: 0.974 (High), percentile 99.9%

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 08 and September 15. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post summarizes the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.<br /><br />
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><br />
The most prevalent threats highlighted in this round up are:<br /><br />
<ul>
<li><b>Doc.Downloader.Agent-6336340-0</b><br />Office Macro Downloader<br />This set of downloaders uses string obfuscation in VBA to build a download command for the shell and executes it with the VBA Shell function.</li>
<li><b>Doc.Macro.Obfuscation-6336210-0</b><br />Office Macro<br />This cluster of Office Macro documents uses the same obfuscation technique to prevent quick analysis. Unused strings and comments make up a majority of the script’s content.</li>
<li><b>Doc.Trojan.Valyria-6336191-0</b><br />Trojan<br />This set of downloaders uses string obfuscation in VBA to build a PowerShell download command and executes it with the VBA Shell function.</li>
<li><b>Rtf.Exploit.CVE_2017_0199-6335035-0</b><br />Exploit<br />These are RTF documents which contain an embedded OLE2 object. The authors try to obfuscate the OLE2 object by inserting dummy commands between the object’s data in the RTF document. The OLE2 objects, in turn, contain links to another document. If the linked document is a .hta file, it is downloaded and executed in the context of the RTF document. This vulnerability is known as CVE-2017-0199.</li>
<li><b>Win.Malware.Cmig-6336177-0</b><br />Packer<br />Cmig is a packer that can be used to obfuscate a number of malicious payloads such as banking trojans. It has recently been used in phishing campaigns with filenames like ‘Transfer_copy.pdf.scr’ and ‘(PO) No.2029243EL0003.exe’.</li>
<li><b>Win.Malware.Ursnif-6336328-0</b><br />Trojan/Downloader<br />Ursnif is used to steal sensitive information from an infected host, but can also act as a malware downloader. We have seen an increase in its infection rate via a recent malspam campaign that is targeting Japanese recipients with an XLS downloader attachment. This particular variant relies on an excessively long main function for its unpacking, resulting in a CFG (control flow graph) that exceeds 1000 nodes. It also relies on API hammering and additional API resolution prior to copying the unpacked code to the heap for further execution.</li>
<li><b>Win.Trojan.Agent-1356499</b><br />Trojan<br />This sample is a Trojan that tries to communicate with external servers. The samples are packed and contain anti-VM checks; nevertheless, the samples run in an instrumented environment. During analysis they contact many domains, among them VirusTotal, and surprisingly upload a sample for scanning. The samples also modify the IDT and download additional files.</li>
<li><b>Win.Trojan.Symmi-6336247-1</b><br />Trojan<br />This variant of Symmi creates additional binaries and gains persistence by creating a scheduled task and adding the path of a malicious DLL to the AppInit_DLLs registry value, which causes it to be loaded into each user-mode process running on the system.</li>
</ul>
<hr />
<h2>Threats</h2>
<h3>Doc.Downloader.Agent-6336340-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul><li>\BaseNamedObjects\Global\VLock</li></ul>
<b>IP Addresses</b><br />
<b>Domain Names</b><br />
<ul><li>12[.]242[.]40[.]8[.]zen[.]spamhaus[.]org</li><li>myexternalip[.]com</li><li>ipinfo[.]io</li><li>tregartha-dinnie[.]co[.]uk</li></ul>
<b>Files and/or directories created</b><br />
<b>File Hashes</b><br />
<ul><li>3efbea8e97b2e4c5b0c03bb940cbd6f9387627ed6977844bcc69613738089caa</li><li>a8d06bd505e658dd9274b4c8ba0805d8c9b19ee65a8eb7fe6a3c388487dc0875</li></ul>
<h4>Coverage</h4>
[coverage image: amp-tg-proxy-umbrella.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: Doc_Downloader_Agent_6336340_0_amp.png]<br />
<b>ThreatGrid</b> [screenshot: Doc_Downloader_Agent_6336340_0_threatgrid.png]<br />
<b>Umbrella</b> [screenshot: Doc_Downloader_Agent_6336340_0_umbrella.png]<br />
<b>Screenshot</b> [screenshot: Doc_Downloader_Agent_6336340_0_malware.png]<br />
<hr />
<h3>Doc.Macro.Obfuscation-6336210-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS</b><ul><li><b>Value: </b>dz~</li></ul></li>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS</b><ul><li><b>Value: </b>oy~</li></ul></li>
<li><b>&lt;HKCU&gt;\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\DOCUMENTRECOVERY\42D7BE7E</b><ul><li><b>Value: </b>42D7BE7E</li></ul></li>
</ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>52[.]173[.]193[.]166</li><li>174[.]136[.]52[.]222</li></ul>
<b>Domain Names</b><br />
<ul><li>tmsgroup[.]mx</li></ul>
<b>Files and/or directories created</b><br />
<ul><li>%TEMP%\myfileepepe.exe</li><li>\TEMP\propuesta_de_trabajo_795370.doc</li><li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\sound[1].htm</li></ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
[coverage image: no-netsec.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: Doc_Macro_Obfuscation_6336210_0_amp.png]<br />
<b>ThreatGrid</b> [screenshot: Doc_Macro_Obfuscation_6336210_0_threatgrid.png]<br />
<b>Umbrella</b> [screenshot: Doc_Macro_Obfuscation_6336210_0_umbrella.png]<br />
<hr />
<h3>Doc.Trojan.Valyria-6336191-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li><b>HKU\Software\Microsoft\Windows\ShellNoRoam\MUICache</b></li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>N/A</li></ul>
<b>Domain Names</b><br />
<ul><li>workupe[.]us</li><li>kekeoffer[.]com</li></ul>
<b>Files and/or directories created</b><br />
<ul><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vhost.exe</li></ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
[coverage image: all.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: Doc_Trojan_Valyria_amp.png]<br />
<b>ThreatGrid</b> [screenshot: Doc_Trojan_Valyria_threatgrid.png]<br />
<b>Umbrella</b> [screenshot: workupe.us_umbrella.png]<br />
<hr />
<h3>Rtf.Exploit.CVE_2017_0199-6335035-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>172[.]16[.]1[.]57</li></ul>
<b>Domain Names</b><br />
<ul><li>www[.]supernaturalspells[.]co[.]za</li></ul>
<b>Files and/or directories created</b><br />
<ul><li>N/A</li></ul>
<b>File Hashes</b><br />
<ul><li>2d605f0e93b94536f6e2ae7060ebca59ead7dcde70dc3ea5dc99d2ed5a391afa</li><li>9b366a6ab581517c6d62c5195e606eba6cb764ff813df7c247f34455af7db567</li><li>148c4c8b544dce269b28f6d5166ff65a72d365045ce02ca36f0554834a07d7a5</li><li>29c4a742042b6065bc4e30c1d06c0b8b83218c87d922c024f172fc39764d1d5d</li><li>dc730f033912235910103a20eb1c46f4c4c50e221d985a156fb7ef384c5b1bc4</li></ul>
<h4>Coverage</h4>
[coverage image: all.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: 2d605f0e93b94536f6e2ae7060ebca59ead7dcde70dc3ea5dc99d2ed5a391afa_amp.png]<br />
<b>ThreatGrid</b> [screenshot: 2d605f0e93b94536f6e2ae7060ebca59ead7dcde70dc3ea5dc99d2ed5a391afa_threatgrid.png]<br />
<b>Umbrella</b> [screenshot: www.supernaturalspells.co.za_umbrella.png]<br />
<hr />
<h3>Win.Malware.Cmig-6336177-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li>N/A</li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>N/A</li></ul>
<b>Domain Names</b><br />
<ul><li>N/A</li></ul>
<b>Files and/or directories created</b><br />
<ul><li>N/A</li></ul>
<b>File Hashes</b><br />
<h4>Coverage</h4>
[coverage image: amp-threatgrid-esa-only.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: Win_Malware_Cmig_6336177_0_amp.png]<br />
<b>ThreatGrid</b> [screenshot: Win_Malware_Cmig_6336177_0_threatgrid.png]<br />
<hr />
<h3>Win.Malware.Ursnif-6336328-0</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
<ul><li><b>&lt;HKLM&gt;\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication</b></li></ul>
<b>Mutexes</b><br />
<ul><li>N/A</li></ul>
<b>IP Addresses</b><br />
<ul><li>N/A</li></ul>
<b>Domain Names</b><br />
<ul><li>N/A</li></ul>
<b>Files and/or directories created</b><br />
<ul><li>N/A</li></ul>
<b>File Hashes</b><br />
<ul><li>46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61</li><li>6f2af5771522f2ce3843f57c2a72a2451e0b73a71505cd50abad031267915be3</li><li>a753a288318dd38709ac1c26374cdc1fdb930b8476788d2868a1cae79cc8f352</li></ul>
<h4>Coverage</h4>
[coverage image: amp-threatgrid-proxy.png]<br />
<h4>Screenshots of Detection</h4>
<b>AMP</b> [screenshot: Win_Malware_Ursnif_6336328_0_amp.png]<br />
<b>ThreatGrid</b> [screenshot: Win_Malware_Ursnif_6336328_0_threatgrid.png]<br />
<hr />
<h3>Win.Trojan.Agent-1356499</h3>
<h4>Indicators of Compromise</h4>
<b>Registry Keys</b><br />
\CA\CTLs</b></li><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates</b></li><li><b><HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust</b></li><li><b><HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA</b></li><li><b><HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs</b></li><li><b><HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople</b></li><li><b><HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root</b></li><li><b><HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust</b></li><li><b><HKCU>\Software\Microsoft\SystemCertificates\Disallowed</b></li><li><b><HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs</b></li><li><b><HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs</b></li><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs</b></li><li><b><HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs</b></li></ul><b>Mutexes</b><br /><ul><li>Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!</li><li>Local\WininetConnectionMutex</li><li>Local_!MSFTHISTORY!_</li><li>Local\ZonesLockedCacheCounterMutex</li><li>RasPbFile</li><li>Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!</li><li>Local\ZonesCacheCounterMutex</li><li>Local\WininetStartupMutex</li><li>Local\WininetProxyRegistryMutex</li><li>Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!</li></ul><b>IP Addresses</b><br /><ul><li>216[.]58[.]217[.]68</li><li>216[.]58[.]217[.]78</li><li>216[.]58[.]218[.]132</li><li>216[.]58[.]218[.]142</li><li>74[.]125[.]34[.]46</li></ul><b>Domain Names</b><br /><ul><li>www[.]virustotal[.]com</li><li>google[.]com</li><li>a6281279[.]yolox[.]net</li><li>ghs-svc-https-c46[.]ghs-ssl[.]googlehosted[.]com</li><li>www[.]google[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>\DAV RPC SERVICE</li></ul><b>File Hashes</b><br 
/><ul><li>0e9eeedbc7e293a83b9ebc3929b033e8c2061bdbacd8f17cd29b12505d2e777b</li><li>55acc591f5c6c0d2313ddd4ba47c25fe3b81bbcb64b4ad77c4668dfcc559748c</li><li>e26c807c8e5d5ba8b41de497a24da81b8db0325a0a2c64bb04ee7beaae12904b</li><li>5554e16e209aec408f7f7ba49caff85e568de76a05ebe41cf74002a7ca35d973</li><li>8b20f9e78855218c693ade8a89b9c74487304df9bfdbcdbe8c65b05bfaa5b71b</li><li>b001932b6938223033229e9d5bfbb5754680ab786c927396bb540e1a6db1ba7a</li><li>768ef3bae40d69715d2cfe3948fe3e9b0adb047525e8fa6d067269e859d0832b</li></ul><br /><h4>Coverage</h4><div><a href=“https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png”><img height=“297” src=“https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png” width=“400” /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div><a href=“https://2.bp.blogspot.com/-9dDtL90HWsY/WbwxUcoChHI/AAAAAAAABU0/a24Q1EGSZr8ORDC1Th_SgiIZyGuUxnqiQCLcBGAs/s1600/win_trojan_agent_amp.png”><img height=“272” src=“https://2.bp.blogspot.com/-9dDtL90HWsY/WbwxUcoChHI/AAAAAAAABU0/a24Q1EGSZr8ORDC1Th_SgiIZyGuUxnqiQCLcBGAs/s400/win_trojan_agent_amp.png” width=“400” /></a></div><div><br /></div><br /><b>ThreatGrid</b><br /><div><a href=“https://4.bp.blogspot.com/-VFWnUT2VgJY/WbwxXtZW1vI/AAAAAAAABU4/HlgY29wuOegdUNnL2lx63lp-4hWVdmsuACLcBGAs/s1600/win_trojan_agent_threatgrid.png”><img height=“301” src=“https://4.bp.blogspot.com/-VFWnUT2VgJY/WbwxXtZW1vI/AAAAAAAABU4/HlgY29wuOegdUNnL2lx63lp-4hWVdmsuACLcBGAs/s400/win_trojan_agent_threatgrid.png” width=“400” /></a></div><div><br /></div><br /><b>Umbrella</b><br /><div><a href=“https://4.bp.blogspot.com/-RGDz_YGUV5I/Wbwxce_dfTI/AAAAAAAABU8/MMZuc0m21AQcIURcyuk2Z32P8dSDMI-WQCLcBGAs/s1600/win_trojan_agent_umbrella.png”><img height=“122” src=“https://4.bp.blogspot.com/-RGDz_YGUV5I/Wbwxce_dfTI/AAAAAAAABU8/MMZuc0m21AQcIURcyuk2Z32P8dSDMI-WQCLcBGAs/s400/win_trojan_agent_umbrella.png” width=“400” 
/></a></div><div><br /></div><br /><br /><br /><br /><hr /><br /><h3>Win.Trojan.Symmi-6336247-1</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{084FBB2E-F87B-4A87-B07B-817B5979A462}</b></li><ul><li><b>Value: </b>Triggers</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS</b></li><ul><li><b>Value: </b>LoadAppInit_DLLs</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE{340E7911-BE16-495F-BCFC-77C4B88E2E62}</b></li><ul><li><b>Value: </b>data</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES</b></li><ul><li><b>Value: </b>aybbmte.job</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES</b></li><ul><li><b>Value: </b>aybbmte.job.fp</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP</b></li><ul><li><b>Value: </b>Collection</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{084FBB2E-F87B-4A87-B07B-817B5979A462}</b></li><ul><li><b>Value: </b>DynamicInfo</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{084FBB2E-F87B-4A87-B07B-817B5979A462}</b></li><ul><li><b>Value: </b>Path</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE</b></li><ul><li><b>Value: </b>Index</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE</b></li><ul><li><b>Value: </b>Id</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{084FBB2E-F87B-4A87-B07B-817B5979A462}</b></li><ul><li><b>Value: </b>Hash</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS</b></li><ul><li><b>Value: 
</b>AppInit_DLLs</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE{340E7911-BE16-495F-BCFC-77C4B88E2E62}</b></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%System32%\Tasks\aybbmte</li><li>%AllUsersProfile%\Mozilla\thfirxd.exe</li><li>%System32%\config\TxR{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf</li><li>%AllUsersProfile%\Mozilla\lygbwac.dll</li></ul><b>File Hashes</b><br /><br /><h4>Coverage</h4><div><a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png"><img height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div><a href="https://3.bp.blogspot.com/-bl-P0yPrppc/Wbwx2jFaczI/AAAAAAAABVA/OU6V4B0YzwsdjEg7AQEYRscJwnfQlGYaQCLcBGAs/s1600/Win.Trojan.Symmi_6336247_1_amp.png"><img height="272" src="https://3.bp.blogspot.com/-bl-P0yPrppc/Wbwx2jFaczI/AAAAAAAABVA/OU6V4B0YzwsdjEg7AQEYRscJwnfQlGYaQCLcBGAs/s400/Win.Trojan.Symmi_6336247_1_amp.png" width="400" /></a></div><div><br /></div><br /><b>ThreatGrid</b><br /><div><a href="https://2.bp.blogspot.com/-g0zDVt1UrgI/Wbwx6d1McHI/AAAAAAAABVE/x1eG5XCQVBYtYg5H-SceVq1Ch5JBReHbACLcBGAs/s1600/Win.Trojan.Symmi_6336247_1_threatgrid.png"><img height="165" src="https://2.bp.blogspot.com/-g0zDVt1UrgI/Wbwx6d1McHI/AAAAAAAABVE/x1eG5XCQVBYtYg5H-SceVq1Ch5JBReHbACLcBGAs/s400/Win.Trojan.Symmi_6336247_1_threatgrid.png" width="400" /></a></div><div><br /></div><br />