Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosblog[email protected] (Alexander Chiu)TALOSBLOG:F661E733634AB3D9655B38A94F050A82
HistoryJan 05, 2018 - 11:46 a.m.

Threat Round Up for December 29 - January 5

2018-01-0511:46:00
[email protected] (Alexander Chiu)
feedproxy.google.com
140

0.97 High

EPSS

Percentile

99.7%

JSON

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between December 29 and January 05. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Doc.Downloader.Trickbot-6412300-1
    Office Macro Downloader
    This downloader was submitted to ThreatGrid more than 50 times on December 26. This office document downloads a multipayload Trickbot loader. This post-Christmas gift is not something that somebody just back from the holiday wants to open.

  • Doc.Dropper.Agent-6412231-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The sample was unable to download the next stage so no further analysis is available.

  • Doc.Macro.Necurs-6412436-0
    Downloader
    Another wave of OLE based downloaders spiked in prevalence just prior to the new year. The samples use obfuscated VBA macros to download various malware families distributed for the Necurs botnet, including Locky.

  • Ppt.Downloader.CVE_2017_8759-6413368-0
    Office Macro Downloader
    These PowerPoint files contain an XML, located in ppt/slides/_rels/slide1.xml.rels, with a malicious SOAP WSDL definition that leverages CVE-2017-8759. If the file is saved as a PPSX, the slideshow will automatically start on opening, triggering the malicious code.

  • Win.Ransomware.PolyRansom-6413978-0
    Ransomware
    PolyRansom variants continue to thrive in 2018. PolyRansom is polymorphic ransomware that spreads by infecting other executables. It gains persistence through an installed service, and run keys added to the registry. Its primary infection vectors are share network drives, removable media, and email.

  • Win.Trojan.Generic-6414413-0
    Trojan
    This cluster provides generic detection for the Emotet Trojan downloaded onto a targets machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to by pass antivirus products.

  • Win.Trojan.Multi-6413508-0
    Trojan
    This trojan will potentially connect to one or more servers to receive instructions and download additional malware.

Threats

Doc.Downloader.Trickbot-6412300-1

Indicators of Compromise

Registry Keys

  • N/A
    Mutexes

  • 316D1C7871E00

  • Global\552FFA80-3393-423d-8671-7BA046BB5906

  • \BaseNamedObjects\C1A8DFE67F9832960
    IP Addresses

  • 89[.]161[.]153[.]74
    Domain Names

  • jas-pol[.]com[.]pl
    Files and or directories created

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Inue8.bat

  • %AppData%\localservice\Wn-lbzpms.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\mo-r.exe

  • %AppData%\localservice\mo-r.exe

  • %TEMP%\Ecmjtqf.bat

  • %AppData%\localservice\Modules\injectDll64_configs\sinj

  • %AppData%\localservice\Modules\injectDll64_configs\dinj

  • %TEMP%\Wn-lbzpms.exe
    File Hashes

  • 3e5a5c672052182d9d10b0d094f07ec67f182939556c90f66236d75d4e795cd6

  • 07a1d83e2fdce0b0383fc05e2931d3aa557e3eeeeca50762258431ecf6fc2c50

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Doc.Dropper.Agent-6412231-0

Indicators of Compromise

Registry Keys

  • N/A
    Mutexes

  • N/A
    IP Addresses

  • N/A
    Domain Names

  • weekendfakc[.]top
    Files and or directories created

  • N/A
    File Hashes

  • 024782b5d080879af2a7a4280d262929e85e9815b2b37e9aeb6384a26e97895e

  • 0ad1db5a012d54fe11b06cf8b8822135e5285e21ab99e7ae5c8ca1892836375b

  • 1283fc95f56f1f32dcfeb5ec042a53f6e0dbd05d49c5bbc892e389cfc5613d9a

  • 1a5257c6cd2e03848758d9541cbf4918194ff33669029a06baee9317d1a9a527

  • 211e5c8d07af1e6b61acb7af8bb1e0fefe25bee88275f2db8d53f868dc991e0e

  • 23c8026cd6414fa083f83c856c9142af5905747eabb32d0d0d839e21f941bf3e

  • 25191548ef2032df4acb687d940854f134de3aa738b69fc578e5397e95496afd

  • 28f9a67de7f6b79b4bf66da9d114c723e16d619f6787257eff856c71b1c7047f

  • 29062cd2c2d09199fc0716485e0e3a1fff880195a92c78ecd5f0e5184ac07820

  • 2b24aa417d6ab02fa9f82be1a41bc8c2e5de814057ed76074e2960d74f31d2d1

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Doc.Macro.Necurs-6412436-0

Indicators of Compromise

Registry Keys

  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce****Mutexes

  • Groove:PathMutex:tzanqCjN6dCs1QGzbKslin0UfIk=
    IP Addresses

  • 98[.]124[.]252[.]145
    Domain Names

  • pragmaticinquiry[.]org
    Files and or directories created

  • %TEMP%\ASPNETSetup_00001.log…doc

  • \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\updater.log…doc

  • \Users\Administrator\Read___ME.html

  • %TEMP%\ASPNETSetup.log…doc

  • \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\Read___ME.html
    File Hashes

  • a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d

  • d4a8da30821df543407bcbbc25bf2a89db3d3f5c8d49fddeddaecd3b47c111ef

  • a9db16baffc0b92aacae6647952fc2d32673998fc035493d50d32bad5bceb516

  • f07f747978b7d8bed904ccadbcc49f184bc16e872f22d7b53b1030bc22ebd794

  • 9b48b6bc6ee491a2b180d6b353ae8f8da230f27a0cdfc1757c58a4819664b790

  • 0c51e3df0b09f14e04b268102afc9342c35fcc2460c645f9c8d21b2413910d32

  • 0cfdad54484cf1d4ff9be267469edefdb98e963ffabd6beeb081a208e3fca9ac

  • 1c2f0a28b5c13eb2967078d947924c9a4a5f8f845d3899986df19e8a166d3ec0

  • 241f83caf5c5a23a1d7adbeaa8c392da0edadff362f41bbb5727dc71887048c4

  • 305790984d5ffa713794c1732eea4f83f18da6926e415a490b2fc090f2c4e8dc

  • 305f855ff8d47be5cc2d57e137a436bb2e17b1783f6cc5b8302c2df56b75afd7

  • 32d85f3dded85d0375965a50991ddb7b608166f51a12b297ae981348119512da

  • 36fc2029280816810324e3be9cf3a4257f0dbb1a8b11eaffdbacdead863aaf44

  • 3abdf9d8249e3cc7507529aec80d93551f1fcd714a61861a69c059662aa39e9f

  • 495b93c1a9940e94c14063b1e52877864d54fb544a3a32e923b0530cb03c96cf

  • 4c04d8aeebdd0eb1747a9a66b10e4681328a03edcbcbd0e9921c4a74367bbd08

  • 580b05987531aa4ef4bed150bd51fdbbcad5f95abb63e8439e3d4bb07eb68598

  • 5c4d5f6d7d0a8d4e805c1341cadf76a924aa2fe6437d432d96f103c4319e84c2

  • 6e35534f8b79187dbe2fbdd1b0a21b03752a89df5981cb6fb89154eb7b34a087

  • 8f36a3ebcb2714d7f6d99d8d0672bcdf16980da788331953cba52c21fde64efb

  • 962beb562acef288c5ef09f14e366d7ff3f51a00dd28b3dc5c0e388c92d3c0a2

  • c2f482372523031b880b7a4f1909b30b5aa20304d0a691309484ad49a0c451d5

  • cab8fcbe8bce311464418e2fcd05e55353255c511e698726e009f075de82e2ea

  • ce5d33fb70fc7834d8faa7749d5cedbcb6b0958105ebe94633e2daba897612ef

  • d18256e9f4062259e941028c531c5219b63446a35c524ef00554c69de2110e98

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot

Ppt.Downloader.CVE_2017_8759-6413368-0

Indicators of Compromise

Registry Keys

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN *Value: VRGTQMutexes

  • N/A
    IP Addresses

  • N/A
    Domain Names

  • u[.]teknik[.]io

  • kistags[.]com

  • graceland2017[.]com

  • 0i3tenrainy[.]loan

  • goochandhousego[.]pro

  • dayi-yc[.]com
    Files and or directories created

  • %ProgramFiles%\Rfjd\confighbch.exe

  • %TEMP%\dsruxkfs.0.cs

  • %TEMP%\dsruxkfs.cmdline

  • %TEMP%\dsruxkfs.err

  • %TEMP%\i02bp4bi.0.cs

  • %TEMP%\i02bp4bi.cmdline

  • %TEMP%\i02bp4bi.dll

  • %TEMP%\i02bp4bi.err

  • %TEMP%\tmp95D4.exe

  • %TEMP%\tmp970E.exe

  • %AppData%\Roaming\982PQQP9\982logrc.ini

  • %TEMP%\dsruxkfs.out

  • %TEMP%\svchost.exe

  • %AppData%\Roaming\982PQQP9\982logim.jpeg

  • %AppData%\Roaming\982PQQP9\982logrv.ini

  • %AppData%\Roaming\tmp.exe

  • %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.dll

  • %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.pdb
    File Hashes

  • 22ae9fc528b63ecfe163c2b4c472e68869e049023be009ef118c59346247082d

  • 129bddde9c3cb01c69d92d9029d5da963a0dd5a72143054f9fa97471a388e9c0

  • 2d92ee55d56e96822aca748c7d69344d90a663e0db77e7ddd0ce9befa54aba98

  • 3894ba1250493f0798f9212fc20e96e8114dcc218850fef13979410dc63affba

  • 3a26d63160a43b64ee4f4adba0a5c19cb3ee6db2dc44c0ffb7b72b621548c4f8

  • 4b4efd1527b404064604707dbf7a143745d764629d6cfcc05a6c204b66238db8

  • 56b951fe25e1d0266dd49eba6b127efe63c49d71063533cee2ba3bb7eac08744

  • 56ede7ef1d1e5216231c847eead200bc8b5c5f8ef7ac8389b7dc5f069b37831d

  • 650abb87b45b41a344c677c0d6bb6a13cbe9a66785b87a0f2ff3fb378220448c

  • 72399fbb24239a2e1897132ad0e3270103c727253275009e010c74a94f36700d

  • 7b58861aab0a53cac5ac90af09723703fb47fda584fc66212ff663c52a8150a4

  • 7ed5fec1aabe2e91524a9a84d2c4f4d29a8da5777289023c40ffbcc7810b2ee8

  • 84593a125442a9541b2992a2934f4db5cbe1a87b6e5f5edd17982e677667c53f

  • 9f9217702cc1d59edc29007f745eeec78118941f3d4f99b2f664a9677867ffb6

  • b28a3bd9be8ec8d9dec980896002d84e2544acb2625e1acbbe8351d57b2b6cfc

  • c0ed86aab56032d1ba313aa6b5eaabcd687caa28937f56f23832206f81ec1271

  • c5b450ac63234f3d23ace0379486a33788187f14b47801971ad96ace76f85410

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Ransomware.PolyRansom-6413978-0

Indicators of Compromise

Registry Keys

  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL ***Value: **Type

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **FacAQkYU.exe

  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL ***Value: **Start

  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\zscgIYAL****Mutexes

  • \BaseNamedObjects\mMkUAokE

  • Âë@

  • MkUUAgkc1

  • ºë@

  • poAUcoMg1

  • \BaseNamedObjects\lEwoEIAg

  • \BaseNamedObjects\sgwQgcAM0

  • ²ë@

  • fusUgwwA

  • oskQowMk

  • ¢ë@

  • \BaseNamedObjects\hYsQEUYI0

  • \BaseNamedObjects\ @

  • ªë@
    IP Addresses

  • N/A
    Domain Names

  • N/A
    Files and or directories created

  • %SystemDrive%\Documents and Settings\All Users\Lgwg.txt

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nOowsYQI.bat
    File Hashes

  • cd32c7982ceca8711ec2f6c7ad83103db41b5d2c644b9beee07c81f92efa30a5

  • 1ff90f71632162646145cd91a22fdb24683cb25e54254f9c311d54cbc633fb92

  • 377a4c54239536019cef4c3fb2ed835a0142f58d64bc0bf49063440b7700a0b7

  • aff6517827847137411d37bafc0aee2915e87b9d2494493c1723634ba1014792

  • 38c7c22fd8526dd108422befd6fd38212ef45fb30db3272d5016fa942cd2323d

  • 3ab0d96b041b994d6f32a4351120b822d39b681d2c5133f12bb507fe2fb66e19

  • ca8eb5e89426e3c6771a72cffac6998abce9ca2a6011207691e47df1738cdeb6

  • 8957b057803dd6369f877c359b96423b61129fa3f68257c272644e1d56c7c667

  • c4471377f58643e454ef33f21dc65f696567bf8700ae120caac5086f85bfeace

  • 64fac9307649854e520f733df3df40ed960650103a78b8460488319156e059cf

  • 1dd699b7fdb082c35677938f6f064e02e226033f995189889799adac08811a18

  • 9ca5fd8ee403b418f92118836171b72a334caeb94fae9b5b46d6246742bf1345

  • 78286db82473a9f1eddba51f39333a77c2b30fb582e9fe3e71d2924e060eb273

  • 7e888fabc1451dce556864690cc55e70c8236db2a7b01b8726af0a5700ebafea

  • 6f15dc426b87da591d0a2d4965558a22857e2b1c8e1e6fdfe9c36c8a4b50a99c

Coverage

Screenshots of Detection

AMP

ThreatGrid

Screenshot

Win.Trojan.Generic-6414413-0

Indicators of Compromise

Registry Keys

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **internat.exe

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **Microsoft Windows Manager

  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND ***Value: **Start

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **Microsoft Windows Manager

  • <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache *<HKU>\Software\Microsoft\Windows\CurrentVersion\Run *<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List *<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Mutexes

  • \BaseNamedObjects\b11

  • b11
    IP Addresses

  • 220[.]181[.]87[.]80

  • 69[.]49[.]96[.]16
    Domain Names

  • www[.]murphysisters[.]org
    Files and or directories created

  • \DAV RPC SERVICE

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\m[1].exe

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cymycvgmtt.exe

  • ;Z:000000000000d46c\192.168.0.1\vm9-116\_\DeviceConfigManager.exe

  • %AppData%\winmgr.txt

  • ;Z:000000000000d46c\192.168.0.1\vm9-116\autorun.inf

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ftoidjlwgv.exe

  • ;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.bat

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\b11[1].exe

  • %WinDir%\M-5050572947025827857375865240\winmgr.exe

  • %TEMP%\phqghumeay

  • ;Z:000000000000d46c\192.168.0.1\vm9-116\.lnk

  • %TEMP%\rgjqmvnkyr

  • %TEMP%\edakubnfgu

  • ;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.vbs

  • %TEMP%\gwhroqkhwu

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rdwpamlgaz.bat
    File Hashes

  • 22bcff79015a6f2d450ff4713bc1a195f6333444e96e616fb070ccf885f790ad

  • c06da956f726a78aff82e8c2ec2ed7989f227ac560511512fd609574685f6c4f

  • e474e51a6f29b9e32702445797ef4baaa96b1e30fa3f212ae2953bbb843a559b

  • c9329790645ae7404cd3c746b9a26bcd667b6c1c45f727e504d0833d04726488

  • b95a5e8f1dc23677e9e700b44d014aeee127869e46af6a674f93d34da3c606d0

  • f3ee9f0be76f80faaa683ef580e3f018e1e0108e5b4457bad379e99dda2c627f

  • b010ae9122a8651be194c5bc3d49540d51287040f1a1f066e193835f942277a9

  • d775f05eb68ce4ef44776de0ad2b3c6181ad6a99813612a1ce3cc8b453359482

  • a3940c00bd3e8d07eb70cd23148d030a473f134a7aa19ff6b777862af6d5f8e3

  • 2104784585c92828df37feab86fcabddf3ffdb2718dfc3718ae529ad9c4956e0

  • 43d2b149b3e4fd33b03321d2bfb6980734d3725483fee21cd996f280618865d9

  • 9e7ae2436474bbad1e9ce20f8fc7a294586fde89c39b3bd2e2fd257d269ca636

  • 10c96fcbeee7e93309abc9616958ef214953f512f236ddff2db39f12a8f4a817

  • 08c9fedfcf1100f8450ad930a55a2cbf7dcc0fa88b646da2c5916ff42565c575

  • 113e003896939e85f048e528b6f50fa9e984009fe2677143c7cfaad9ee693293

  • 0d136160f510d87af7edeeb1533979a5cdc1d1511528798d5871bbb88bb1f0f4

  • 33fd94f82800a1f8551e73aebbbac4169c3c08cbe12c69e9fab52875d56c96bc

  • 1b6651d1e43c7ff8dd291d178b8bad9fbfd1bb426d49da419ee7e4a4d7912ba1

  • 1cfd3043ecc8fd7c254201fcafe6865dfdb1c0d6ccc343d0e62e1cab261fefa3

  • 201c0ca83973186aab93376147f1b60d009ef13ec827d0de5d19b483d3c0f353

  • 23db71997ed2f558e06232f600d3cc7b4e5eb58f18039923127c5b4fa7fec2f9

  • 26f1a92cb36e4caff3fccc45fba269647410fbee71cc4f4a00e5d4c282ba01f8

  • 2ab47d6d82225c62487054db91e804418060b3334531e09d96dc6d3630fa54b3

  • 34ae5c841f6e992fe09979fff521d2e8367385260cf73112e79ce656e952bbb5

  • 564ace4ef8e2c3aab367969748e02a0dee555733e9085fcc0a86b9f1b70fb7b3

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.Multi-6413508-0

Indicators of Compromise

Registry Keys

  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **Logman

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS ***Value: **load

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS ***Value: **run

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ***Value: **ProxyServer

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **internat.exe

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ***Value: **AutoDetect

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS ***Value: **ProxyOverride

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS ***Value: **DefaultConnectionSettings

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **Session Manager

  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN ***Value: **lsm service

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ***Value: **ClipSrv

  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run *<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run *<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion **<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap* *<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings *<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Mutexes

  • N/A
    IP Addresses

  • N/A
    Domain Names

  • www[.]wholists[.]org
    Files and or directories created

  • %System16%\lsm.exe

  • %AppData%\clipsrv.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe (copy)

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe (copy)

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe

  • %SystemDrive%\Documents and Settings\All Users\Microsoft\RCX2.tmp

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\RCX8.tmp

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe (copy)

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\RCX6.tmp

  • %AppData%\ieudinit.exe

  • %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe

  • \TEMP\d0a08beb99882af4b1771426905ee556.exe

  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe

  • \Users\Administrator\AppData\Local\Microsoft\dllhst3g.exe

  • %System16%\smss.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\RCX4.tmp

  • %WinDir%\SysWOW64\drivers\ieudinit.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe

  • %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe (copy)

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe

  • %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe (copy)

  • %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe (copy)

  • %WinDir%\spoolsv.exe (copy)

  • \Users\Administrator\AppData\Local\Microsoft\rsvp.exe

  • %WinDir%\logman.exe

  • %WinDir%\spoolsv.exe

  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe (copy)
    File Hashes

  • ec3075ac9775e3c41bc8227a00ef76905bbd96a62b813c99f277865ff353c5ce

  • f4b6b76dec96cc9d530dd6cb64bdd743a115a12a7b03e41f7ec737e4d80b6850

  • b1da876da56ba09770d594765727d167bf1a655247f094360e032a35d3d41461

  • b82ebd17236c41d9e457f640a2871695326ef8014ebd71b7a5f37d8b2c3a4522

  • b3f5ad44f682104d536c60832d2064f71d3261ffbf0e1555c236a36b505619d3

  • a27376262110767a28e376b723caa46d3cc50d33da60029df8e7af024ff67be9

  • f1b2bbf13bde9ce65cbe1cee7e3d86a61e0511f206ae74589329dc1fffc5f7e0

  • 17023d977e2b041c8a1994e7ae69b65e10f7097febefc9b47817dd9f7985cd52

  • e5c95545895dc13626b3f20b47fe2f0f1b5dc3915fef44c3c7a5352e95beb382

  • 6d1b40fbdcad0c96c687f661469e39b7b10a0b083a9ea3c9f6bb959c284df149

  • 7d1ae051d633a3ed3c0991aaa3ed63357804a80e67dd19ae5deab71e525947a6

  • 799e5b77de09f7971f0187b69266e45f70e0cda170c615c604806ec2444ab89a

  • 910b590e28bc72bc14c05d47a026ed56928ea8b6608f626555d955beccb719c8

  • 7d326add0d36be4543317c4d14823e2cb380f7b07bacc1f893ec86bdd0b04468

  • 5af23d9dedc83e1fe8c808fe62d858767dd95f2b9402fa785072cc7247a2e4c6

  • bf828a8f3fb1a27532aa9f3fb0383a1ce3418f7dd52cefa4264ab2e3e941e8d9

Coverage

Screenshots of Detection

AMP

ThreatGrid

Related

trendmicroblog 2
openvas 14
mskb 32
checkpoint_advisories 1
myhack58 3
mmpc 4
symantec 1
exploitpack 1
mssecure 2
nessus 8
kaspersky 1
cve 1
cisa_kev 1
cert 1
msrc 1
packetstorm 1
attackerkb 1
zdt 1
mscve 1
prion 1
exploitdb 1
talosblog 2
fireeye 5
malwarebytes 2
seebug 1
thn 3
threatpost 3
krebs 1
securelist 10
canvas 1
qualysblog 3
ics 1
trendmicroblog
trendmicroblog
This Week in Security News
2017-11-22 14:00:16
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of September 11, 2017
2017-09-15 14:59:53
openvas
openvas
Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040980)
2017-09-13 00:00:00
Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040975)
2017-09-13 00:00:00
Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040972 and KB4040971)
2017-09-14 00:00:00
mskb
mskb
Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012 (KB 4040979)
2017-09-12 07:00:00
Security and Quality Rollup for the .NET Framework 2.0 SP2, 4.5.2, and 4.6 for Windows Server 2008 SP2: September 12, 2017
2017-09-12 00:00:00
Description of the Security Only update for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2: September 12, 2017
2017-09-12 07:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft .NET Framework Remote Code Execution (CVE-2017-8759)
2017-09-12 00:00:00
myhack58
myhack58
Microsoft the Microsoft . NET Framework flaws vulnerability bug(CVE–2017–8759)alerts-a vulnerability alert-the black bar safety net
2017-09-15 00:00:00
The latest exposure of the RTF vulnerability beside the use of research to explore the topic guide-vulnerability warning-the black bar safety net
2017-09-21 00:00:00
The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net
2019-06-13 00:00:00
mmpc
mmpc
Exploit for CVE-2017-8759 detected and neutralized
2017-09-12 18:46:50
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
2017-12-04 14:00:07
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
2017-12-04 14:00:51
symantec
symantec
Microsoft Windows .NET Framework CVE-2017-8759 Remote Code Execution Vulnerability
2017-09-12 00:00:00
exploitpack
exploitpack
Microsoft Windows .NET Framework - Remote Code Execution
2017-09-13 00:00:00
mssecure
mssecure
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
2017-12-04 14:00:07
Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks
2017-11-21 13:46:01
nessus
nessus
Security and Quality Rollup for .NET Framework (Sep 2017)
2017-09-12 00:00:00
Windows 2008 September 2017 Multiple Security Updates
2017-09-12 00:00:00
Windows Server 2012 September 2017 Security Updates
2017-09-12 00:00:00
kaspersky
kaspersky
KLA11101 Arbitrary code execution vulnerability in Microsoft .NET Framework
2017-09-12 00:00:00
cve
cve
CVE-2017-8759
2017-09-13 01:29:00
cisa_kev
cisa_kev
Microsoft .NET Framework Remote Code Execution Vulnerability
2021-11-03 00:00:00
cert
cert
Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability
2017-09-13 00:00:00
msrc
msrc
CVE-2017-8759 のエクスプロイトの検出と無効化
2017-09-27 07:00:00
packetstorm
packetstorm
Microsoft .NET Framework Remote Code Execution
2017-09-14 00:00:00
attackerkb
attackerkb
CVE-2017-8759
2017-09-13 00:00:00
zdt
zdt
Microsoft Windows .NET Framework - Remote Code Execution 0day Exploit
2017-09-13 00:00:00
mscve
mscve
.NET Framework Remote Code Execution Vulnerability
2017-09-12 07:00:00
prion
prion
Remote code execution
2017-09-13 01:29:00
exploitdb
exploitdb
Microsoft Windows .NET Framework - Remote Code Execution
2017-09-13 00:00:00
talosblog
talosblog
SWEED: Exposing years of Agent Tesla campaigns
2019-07-16 05:47:33
Microsoft Patch Tuesday - September 2017
2017-09-12 15:41:00
fireeye
fireeye
Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
2018-01-17 12:00:00
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
2017-09-12 13:00:00
Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
2018-01-17 17:00:00
malwarebytes
malwarebytes
PSA: New Microsoft Word 0day used in the wild
2017-09-13 22:49:19
Decoy Microsoft Word document delivers malware through a RAT
2017-10-13 15:00:41
seebug
seebug
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
2017-09-14 00:00:00
thn
thn
Hackers Use New Flash Zero-Day Exploit to Distribute FinFisher Spyware
2017-10-16 04:52:00
Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware
2018-01-17 07:25:00
Immediately Patch Windows 0-Day Flaw That's Being Used to Spread Spyware
2017-09-13 00:09:00
threatpost
threatpost
Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware
2018-01-17 18:26:01
Adobe Patches Flash Zero Day Exploited by Black Oasis APT
2017-10-16 11:46:13
Microsoft Patches .NET Zero Day Vulnerability in September Update
2017-09-12 15:59:40
krebs
krebs
Adobe, Microsoft Plug Critical Security Holes
2017-09-13 16:42:30
securelist
securelist
Threat Landscape for Industrial Automation Systems in H2 2017
2018-03-26 10:00:27
IT threat evolution Q3 2017. Statistics
2017-11-10 10:45:04
BlackOasis APT and new targeted attacks leveraging zero-day exploit
2017-10-16 14:28:47
canvas
canvas
Immunity Canvas: OFFICE_WSDL
2017-09-13 01:29:00
qualysblog
qualysblog
September Patch Tuesday: 27 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
2017-09-12 18:23:49
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
2019-12-27 18:01:22
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
ics
ics
Top 10 Routinely Exploited Vulnerabilities
2020-05-12 12:00:00

0.97 High

EPSS

Percentile

99.7%

JSON
Related for TALOSBLOG:F661E733634AB3D9655B38A94F050A82
trendmicroblog2openvas14mskb32checkpoint_advisories1myhack583mmpc4symantec1exploitpack1mssecure2nessus8kaspersky1cve1cisa_kev1cert1msrc1packetstorm1attackerkb1zdt1mscve1prion1exploitdb1talosblog2fireeye5malwarebytes2seebug1thn3threatpost3krebs1securelist10canvas1qualysblog3ics1