Channel: Cisco Talos Blog

Threat Roundup for April 5 to April 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 05 and April 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Eyooun-6931755-0 (Malware): Eyooun downloads and installs additional malicious and non-malicious programs onto the system.
  • Doc.Malware.Sagent-6932497-0 (Malware): Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell script then downloads unwanted software from remote websites.
  • Win.Malware.Emotet-6933520-0 (Malware): Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.
  • Win.Worm.Scar-6934835-0 (Worm): Scar downloads and executes files on the system while attempting to spread to other machines by copying itself to removable media.
  • Win.Worm.Aspxor-6935052-0 (Worm): The Aspxor botnet has the capability to send spam and to download and execute other samples. This botnet is known for collecting credentials from infected computers.
  • Win.Malware.Vbkeylog-6935273-0 (Malware): This generic family attempts to deceive the infected computer's users into receiving a payment or handing over personal data.
  • Win.Malware.Zbot-6935412-0 (Malware): Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including keylogging and form-grabbing.
  • Win.Ransomware.Cerber-6935713-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".cerber".
  • Win.Trojan.Winwebsec-6935682-0 (Trojan): Winwebsec installs itself on a compromised system as "anti-malware" software, with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts about malware found on the system to deceive users into buying services before the "malware" can be removed.
  • Win.Malware.Tovkater-6936213-0 (Malware): This malware is able to download and upload files, inject malicious code and install additional malware.

Threats

Win.Malware.Eyooun-6931755-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP6\PARAMETERS
Value Name: DisabledComponents
34
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS
Value Name: MaxEntries
18
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASAPI32
Value Name: FileDirectory
8
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASMANCS
Value Name: FileDirectory
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\DIRECTDRAW\MOSTRECENTAPPLICATION
Value Name: ID
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LYPWXAWN
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ISFCQMJB
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IUGPWHEJ
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OJIKFFNJ
Value Name: name
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSCEGPBN
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QSWARNLV
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATDUWYIG
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OTMYZEPH
Value Name: DisplayName
2
Mutexes (Occurrences)
CommLogDbgStrMutex61
\BaseNamedObjects\CommLogDbgStrMutex61
DBWinMutex32
8Bc0E7-2F5D-49c0-A6D6-appadvert19
Local\MSIMGSIZECacheMutex14
openbox12
adkuai8_client_newdown11
adkuai8_newdown11
04AEB7B0-04A8-04A82810F7B640-8A4A82810F7B610
Local\__DDrawCheckExclMode__7
Local\__DDrawExclMode__7
Local\DDrawDriverObjectListMutex7
Local\DDrawWindowListMutex7
Local\InternetExplorerDOMStoreQuota2
Local\http://www.baidu.com/2
Local\DirectSound DllMain mutex (0x00000174)1
fc23890639e7d704fbd1b52b749200a51
fccb83f4591c45a062aa5389a08b9eef1
8e92460d25c534d048fd1c88e802f7e81
dbc843e527e2b5c81be3562287f89d3c1
5d25335e7777648b50dc7504f83b06da1
Local\DirectSound DllMain mutex (0x000005AC)1
73b50e38332dbd8c708884de7b44d0f01
efc928dd753ae98b928ed12919a305ca1
53279609cec7acce6827bdec60299b7d1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
See JSON for more IOCs
Files and/or directories created (Occurrences)
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini59
%TEMP%\SSL40
%TEMP%\SSL\cert.db40
%TEMP%\SSL\Small DigiCert Baltimore Root 2.cer34
%SystemRoot%\SysWOW64\Log31
%TEMP%\h2u31tg4.exe30
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\config[1].zip30
\PC*\MAILSLOT\NET\NETLOGON23
%HOMEPATH%\Desktop\¿³°×Öí±¬9999¼¶ÉñÆ÷.lnk23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\190[1].ico23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\215[1].ico23
\DosDevices\C:\Windows\System32\wfp\wfpdiag.etl23
%System32%\wfp\wfpdiag.etl23
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\procelist[1].ini22
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\018[1].exe19
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100009.log14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000B.log14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000D.log14
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000F.log14
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\mini[1].htm13
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\hideconfig[1].zip13
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\classicTv_tvHotMini[1].htm12
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\LOLO[1].png12
%SystemRoot%\api-ms-win-cx0-l1-01-19.dll12
%SystemRoot%\SysWOW64\del.bat12
See JSON for more IOCs
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Doc.Malware.Sagent-6932497-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\WOW6432NODE\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\WOW6432NODE\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
Mutexes (Occurrences)
Global\I98B68E3C10
Global\M98B68E3C10
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
xoso[.]thememanga[.]com10
Files and/or directories created (Occurrences)
\EVENTLOG10
%APPDATA%\Microsoft\Forms10
%APPDATA%\Microsoft\Forms\WINWORD.box10
%HOMEPATH%\80.exe10
\REGISTRY\MACHINE\SOFTWARE\Classes\.doc1
%System32%\WindowsPowerShell\v1.0\Certificate.format.ps1xml1
%SystemRoot%\SysWOW64\A7Nx4PQT5.exe1
%SystemRoot%\SysWOW64\N6yvu6lNl.exe1
%SystemRoot%\SysWOW64\g6iqfJhcB0Xc88E.exe1
%SystemRoot%\SysWOW64\f9XnJqVa5Bt6Sf.exe1
%SystemRoot%\SysWOW64\9yMQn0Zw.exe1
%SystemRoot%\SysWOW64\c33fB.exe1
%SystemRoot%\SysWOW64\aThVJIMunDfvC.exe1
%SystemRoot%\SysWOW64\SqxzR9tB3STZYB9o1.exe1
%SystemRoot%\SysWOW64\WyFb5EUyZBFDn5Gb.exe1
%SystemRoot%\SysWOW64\TYVGTeXwXGD.exe1
File Hashes

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella






Win.Malware.Emotet-6933520-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value Name: SavedLegacySettings
16
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Description
16
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\guiddefribbon\DEBUG 16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionTime
16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\A4-E3-E4-11-EC-FD
Value Name: WpadDetectedUrl
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-B9-FC-8E-0C-36
Value Name: WpadDecisionTime
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\E2-85-AF-73-A1-BC
Value Name: WpadDecisionTime
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-F7-27-10-2D-94
Value Name: WpadDecisionTime
1
Mutexes (Occurrences)
Global\I98B68E3C16
Global\M98B68E3C16
\BaseNamedObjects\Global\M3C28B0E416
\BaseNamedObjects\Global\I3C28B0E416
Global\Nx534F51BC1
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and/or directories created (Occurrences)
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat16
%System32%\guiddefribbon.exe (copy)2
%SystemRoot%\SysWOW64\SBp2VS8N7jU.exe1
%SystemRoot%\SysWOW64\yXRDTc.exe1
%SystemRoot%\SysWOW64\LvO5IJ1Sr5t.exe1
%SystemRoot%\SysWOW64\5kQW.exe1
%SystemRoot%\SysWOW64\Nsa7bjsedHZNrMyW.exe1
%SystemRoot%\SysWOW64\MZ5WK.exe1
%SystemRoot%\SysWOW64\FxiHy64z3NDOiHEgC.exe1
%SystemRoot%\SysWOW64\hlaVhqNG.exe1
%SystemRoot%\SysWOW64\Ahfk9lC4PqeGiyhY.exe1
%SystemRoot%\SysWOW64\xdm5D3NLE.exe1
%SystemRoot%\SysWOW64\2o75cQI.exe1
%SystemRoot%\SysWOW64\oxJI2FKrOP.exe1
%SystemRoot%\SysWOW64\MoSv9WL5Pn2Rd22eN.exe1
%SystemRoot%\SysWOW64\LQRA42.exe1
%SystemRoot%\SysWOW64\MVED6NriD.exe1
File Hashes

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Worm.Scar-6934835-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
32
Mutexes (Occurrences)
DSKQUOTA_SIDCACHE_MUTEX32
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
175[.]126[.]123[.]21920
67[.]228[.]31[.]2253
64[.]186[.]131[.]471
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
byvolker[.]co[.]cc19
canappe[.]co[.]cc1
getvolkerdns[.]co[.]cc1
killervolk-dns[.]co[.]cc1
Files and/or directories created (Occurrences)
\??\E:\autorun.inf32
\autorun.inf32
\AUTORUN.INF32
\??\E:\AUTORUN.INF32
%System16%\svcrcs.exe32
\??\E:\UsbDrivers.exe23
\UsbDrivers.exe23
\??\E:\Setup.exe8
\Setup.exe8
\??\E:\open=Setup.exe1
\open=Setup.exe1
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid






Win.Worm.Aspxor-6935052-0


Indicators of Compromise


Registry Keys (Occurrences)
N/A
Mutexes (Occurrences)
2GVWNQJz125
Djjwy&22bsqobnaHhdGwemvt(&11839)25
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and/or directories created (Occurrences)
%SystemRoot%\SoftwareDistribution\DataStore\Logs\tmp.edb1
%HOMEPATH%\Local Settings\Application Data\ksgxpasi.exe1
%HOMEPATH%\Local Settings\Application Data\joorwdum.exe1
%HOMEPATH%\Local Settings\Application Data\unfdefqq.exe1
%HOMEPATH%\Local Settings\Application Data\ahnatfuo.exe1
%LOCALAPPDATA%\ffueegqn.exe1
%LOCALAPPDATA%\hahxwkrq.exe1
%LOCALAPPDATA%\erhipkjf.exe1
%LOCALAPPDATA%\qrfcduvn.exe1
%LOCALAPPDATA%\bbpikrlh.exe1
%LOCALAPPDATA%\gbmscrrf.exe1
%LOCALAPPDATA%\uhotvrfs.exe1
%LOCALAPPDATA%\vwaffned.exe1
%LOCALAPPDATA%\wscftndd.exe1
%LOCALAPPDATA%\fapgaxbx.exe1
%LOCALAPPDATA%\kselhlpe.exe1
%LOCALAPPDATA%\lupjoaow.exe1
%LOCALAPPDATA%\oxhojtxr.exe1
%LOCALAPPDATA%\bgnifxtm.exe1
%LOCALAPPDATA%\annimrmg.exe1
%LOCALAPPDATA%\teconvea.exe1
%LOCALAPPDATA%\jwclsdrd.exe1
%LOCALAPPDATA%\txfqjufq.exe1
%LOCALAPPDATA%\ridhufao.exe1
%LOCALAPPDATA%\ndfgutar.exe1
See JSON for more IOCs
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Vbkeylog-6935273-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D\MOSTRECENTAPPLICATION
Value Name: Name
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF
5
Mutexes (Occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and/or directories created (Occurrences)
\TEMP\NewBitmapImage.bmp2
\TEMP\taximg.bmp1
\TEMP\tooooos.txt1
\TEMP\jon.bmp1
\TEMP\SureTools.txt1
\TEMP\rum.txt1
\TEMP\SLIPUSD124.985,67(1).jpg1
\TEMP\TAXFILE.bmp1
\SureTools.txt1
\rum.txt1
\tooooos.txt1
File Hashes

Coverage


Screenshots of Detection

AMP



ThreatGrid






Win.Malware.Zbot-6935412-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: aybbmte.job.fp
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
Value Name: Index
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}
Value Name: DynamicInfo
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
Value Name: data
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{088B2EE3-A639-491E-B1E6-84AE447D785F}
Value Name: DynamicInfo
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{94669170-5F40-43E0-9D77-69BC9146DF72}
Value Name: data
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9693B0-E894-414D-8675-6B58133E665B}
Value Name: DynamicInfo
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{6E1FF505-4705-412B-825D-ECE026885614}
Value Name: data
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{48716312-C151-484D-9EC0-E5B4883DF1B7}
Value Name: DynamicInfo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{90EA3D0B-BA3B-4356-A2CD-915E5BB4CF7B}
Value Name: data
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{65579417-B766-4127-BD16-88A7D90F9ADD}
Value Name: DynamicInfo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{E4AA06C0-45E2-4E4D-B133-96D82B197EA1}
Value Name: data
1
Mutexes (Occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and/or directories created (Occurrences)
%ProgramData%\Mozilla\thfirxd.exe25
%System32%\Tasks\aybbmte25
%ProgramData%\Mozilla\lygbwac.dll25
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll25
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe25
%SystemRoot%\Tasks\kylaxsk.job25
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Ransomware.Cerber-6935713-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
54
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
54
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE
54
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00
54
<HKU>\Control Panel\Desktop 42
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}
Value Name: DynamicInfo
31
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{99EF6702-6773-48D3-992B-6F4C187FAC71} 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFF
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Window_Placement
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Active
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Set
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
Value Name: LoadTimeArray
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
Value Name: LoadTimeArray
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ipconfig
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ipconfig
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: ipconfig.job.fp
2
Mutexes (occurrences in parentheses)
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF} (54)
  • Local\VERMGMTBlockListFileMutex (14)
  • Local\!BrowserEmulation!SharedMemory!Mutex (14)
  • Local\URLBLOCK_DOWNLOAD_MUTEX (14)
  • Local\URLBLOCK_HASHFILESWITCH_MUTEX (14)
  • cversions.1.m (14)
  • GeneratingSchemaGlobalMapping (14)
  • cversions.2.m (14)
  • _SHuassist.mtx (13)
  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A} (13)
  • Local\Shell.CMruPidlList (13)
  • Local\InternetShortcutMutex (13)
  • Local\ExplorerIsShellMutex (13)
  • CDBurnNotify (13)
  • Global\CDBurnExclusive (13)
  • {C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} (12)
  • !PrivacIE!SharedMem!Mutex (11)
  • ALTTAB_RUNNING_MUTEX (11)
  • {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} (8)
  • _!SHMSFTHISTORY!_ (5)
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1388 (3)
  • \BaseNamedObjects\shell.{3AFC1C93-3B52-BB89-3222-3835B13B7C57} (3)
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1084 (2)
  • \BaseNamedObjects\shell.{2DA495A3-711D-597E-268E-77F8D29EB324} (2)
  • \BaseNamedObjects\shell.{37AB6120-3C1B-909E-8A46-BA7ED26D587E} (2)
  • See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • 31[.]184[.]235[.]95 (31)
  • 31[.]184[.]235[.]94 (31)
  • 31[.]184[.]235[.]93 (31)
  • 31[.]184[.]234[.]90 (31)
  • 31[.]184[.]235[.]92 (31)
  • 31[.]184[.]234[.]91 (31)
  • 31[.]184[.]235[.]91 (31)
  • 31[.]184[.]234[.]92 (31)
  • 31[.]184[.]235[.]90 (31)
  • 31[.]184[.]234[.]93 (31)
  • 31[.]184[.]234[.]94 (31)
  • 31[.]184[.]234[.]95 (31)
  • 31[.]184[.]234[.]96 (31)
  • 31[.]184[.]234[.]97 (31)
  • 31[.]184[.]234[.]98 (31)
  • 31[.]184[.]234[.]99 (31)
  • 31[.]184[.]235[.]99 (31)
  • 31[.]184[.]235[.]98 (31)
  • 31[.]184[.]235[.]97 (31)
  • 31[.]184[.]235[.]96 (31)
  • 31[.]184[.]235[.]214 (31)
  • 31[.]184[.]235[.]215 (31)
  • 31[.]184[.]235[.]212 (31)
  • 31[.]184[.]235[.]213 (31)
  • 31[.]184[.]235[.]218 (31)
  • See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • ipinfo[.]io (54)
  • onion[.]to (23)
  • cerberhhyed5frqa[.]onion[.]to (23)
  • ip-api[.]com (19)
  • freegeoip[.]net (18)
  • en[.]wikipedia[.]org (5)
  • www[.]collectionscanada[.]ca (5)
  • alpha3[.]suffolk[.]lib[.]ny[.]us (5)
  • www[.]archives[.]gov (5)
  • www[.]vitalrec[.]com (5)
  • www[.]cdc[.]gov (5)
  • 4kqd3hmqgptupi3p[.]u57u1e[.]top (1)
  • 4kqd3hmqgptupi3p[.]hlu8yz[.]top (1)
  • 4kqd3hmqgptupi3p[.]58na23[.]top (1)
  • 4kqd3hmqgptupi3p[.]132z80[.]top (1)
  • 4kqd3hmqgptupi3p[.]asd3r3[.]top (1)
  • 4kqd3hmqgptupi3p[.]h9ihx3[.]top (1)
  • 4kqd3hmqgptupi3p[.]ep493u[.]top (1)
  • 4kqd3hmqgptupi3p[.]h079j8[.]top (1)
  • 4kqd3hmqgptupi3p[.]fgkr56[.]top (1)
  • 4kqd3hmqgptupi3p[.]azwsxe[.]top (1)
Files and/or directories created (occurrences in parentheses)
  • %HOMEPATH%\NTUSER.DAT (54)
  • %HOMEPATH%\ntuser.dat.LOG1 (54)
  • %APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} (54)
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\json[1].json (54)
  • %HOMEPATH%\ntuser.ini (38)
  • %APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.html (37)
  • %APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt (37)
  • %APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.url (37)
  • %APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.vbs (37)
  • %HOMEPATH%\# DECRYPT MY FILES #.html (37)
  • %HOMEPATH%\# DECRYPT MY FILES #.txt (37)
  • %HOMEPATH%\# DECRYPT MY FILES #.url (37)
  • %HOMEPATH%\# DECRYPT MY FILES #.vbs (37)
  • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (36)
  • %APPDATA%\Adobe\Acrobat\9.0\TMGrpPrm.sav (36)
  • %APPDATA%\Microsoft\Outlook\Outlook.xml (36)
  • %APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.html (36)
  • %APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.txt (36)
  • %APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.url (36)
  • %APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.vbs (36)
  • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.html (36)
  • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.txt (36)
  • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.url (36)
  • %APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.vbs (36)
  • %APPDATA%\Microsoft\Outlook\# DECRYPT MY FILES #.html (36)
  • See JSON for more IOCs
File Hashes
  • 0209aa718b9b606b5cad5f9783ef1eb441ab1b6ff63283855e8b6d74f4649ec5
  • 03050ca0e3c1e6fc7a9782b5791aeccc77a1f07a7a8a675feb6e756226174410
  • 04043499a4936537e774dc6a381ccaeab8bb853d84819b9be12de2931d6646de
  • 0468b2231ea7059a58566e1a77d170f9c3a7e417d0221e8d7ca0747607bba2c3
  • 0680c78425029623806a8fd8f305523564e52bb68779ccffd698b78e218e249e
  • 087fa7d28264fc9c06eb7031891b68794c67b7b571176194e313c227437a1ea8
  • 09b4791e9e2eed217cf3df60f0386b010dccfc12a0b8c67b3cd2007fdbfb8e74
  • 0adb55a70a4c9f9e2bfcd33bb7c7b7b2f5d309b5ad006e7364aca2fbcda6c505
  • 0ca6bf5961f23df78cd48d7cde29d58b7d23e22598f784d04a1ca0676a466c0a
  • 0cf92c126ff4860a912d3e5d9d21c546edf434b46a1ea8bdddaf1eace91bc7ce
  • 0d7b033bd7734735b8e101b820be42c37e6957dd556da8b26f05f50edc3cb96f
  • 0dc0bfebad2716cfc4eb1b6d2853929d110fa2589af4d662d0c35231e9e1e291
  • 0eb148582c01d74361a630671d8c4d7f2577cbf09bea123f16df962e4b7d3df8
  • 0fa00710b9232318f7288b3723436ccc51714089030fabe581a00cd057b71865
  • 0fcb3e096368ecbe9d96c2c88ef721c29b596db298a6790a27ccab7bffe5a12b
  • 103517b74d9bc58c6a54d0a635ef45417540aeb5d8b5809ad110abb4685b0c2b
  • 10de95456a338a6f0edc9cd277ed314380a335dcc8e921e6eb7b40b526bca0fc
  • 130cd09e0e050acf6b75411b57c1146cd6f177f765e8cde272bd45b641e068d8
  • 13f983ebe9787626f1fe2e6615ad9c8cbc997b363ad9c2f91a1295a9a1db65db
  • 1677324000e28746b206c781a6b653f87b69e144c18d5f366aa9f0f2af83a8b7
  • 1768e3f32fe5c938f3baed815000b18020b10dd8ac440aa4bef7258cab863395
  • 177644a4e59f0f0b468e176972895a55b724fc19db205f555e98c06851982084
  • 179f11a15d4a284bf8e10002663f744bee9903bb2c8eae9e22308a49bca9ff03
  • 17f46c0701439f25126d59dd4b3b8c4cb131e260cc199bb8bb61414128fd3aef
  • 18adeddd8205122987da070c640e8eaf72e2e4bc5f2f58491a5e83f7ed6c2c25
  • See JSON for more IOCs

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Trojan.Winwebsec-6935682-0

Indicators of Compromise

Registry Keys (occurrences in parentheses)
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER, Value Name: UpdatesDisableNotify (10)
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (10)
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC, Value Name: Start (10)
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: Start (10)
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System (10)
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM, Value Name: ConsentPromptBehaviorAdmin (10)
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, Value Name: HideSCAHealth (10)
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV, Value Name: Start (10)
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\svc (10)
  • <HKLM>\System\CurrentControlSet\Services\luafv (10)
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV, Value Name: Start (10)
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE, Value Name: RPSessionInterval (10)
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER, Value Name: DisableAntiSpyware (10)
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE, Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C (10)
  • <HKLM>\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#, Value Name: CustomPropertyHwIdKey (3)
  • <HKCU>\Software\Microsoft\Installer\Products\98BE0FA9BD7E903C000098BD76F2968C (3)
  • <HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\98BE0FA9BD7E903C000098BD76F2968C (3)
Mutexes (occurrences in parentheses)
  • 98BE0FA9BB7E8E3C000098BD76F2948C (10)
  • 98BE0FA9BC7E8F3C000098BD76F2958C (3)
  • 98BE0FA9BCBE8F7C000098BD76F295CC (3)
  • 98BE0FA9BD7E903C000098BD76F2968C (3)
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • 123[.]108[.]108[.]42 (10)
Domain Names contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • N/A
Files and/or directories created (occurrences in parentheses)
  • %ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C (10)
  • %ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe (10)
  • %ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.ico (10)
  • %ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C (3)
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk (3)
  • %HOMEPATH%\Desktop\System Care Antivirus.lnk (3)
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus (3)
File Hashes
  • 10b34c1a0b739cd6c12e2926372afcd0cbf6f95be9d1b45038144bd3efb5eb79
  • 1a448e78d2668f4dad016aca5092107f4d1ee19dadf8886e8a0ec4e2b550b317
  • 26a08a46deffe995ba67d9aaf547b55a265fe513a8293d51f3f9f0b3d944808c
  • 72f94e87b1fa1393360d9cacbdebb1ffebd5754c7d93121e0e887eacb8529c87
  • 8725d076eb421b4e4737792ad07647db9a263e4da2f0436bccd6c8ff9f752d39
  • b18e5830f0e557d72ba6ba2dbb59da23cf8e2539148efc51ed01a0364210b06d
  • b4b5fdc7fcf6f86a9ffba97a9d2e159f0078e9ffc090deb948660a3c8e5cdd07
  • d45ba937d7d532907d5da3fc979a96b1efa5e9c9a4c6b5c45f683925a9524ac2
  • d54730e93be5c4d17de56a904aa56610c06fdf425083277343c9ece4ecc922df
  • e165145377ae247117657cb0172fd7767907dd1ee5d4a698cbf58a6f4af03624

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Tovkater-6936213-0

Indicators of Compromise

Registry Keys (occurrences in parentheses)
  • <HKLM>\System\CurrentControlSet\Control\Session Manager (14)
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER, Value Name: PendingFileRenameOperations (14)
  • <HKLM>\SYSTEM\ControlSet001\Control\Session Manager (10)
Mutexes (occurrences in parentheses)
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • 185[.]53[.]178[.]6 (1)
  • 185[.]147[.]15[.]5 (1)
Domain Names contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
  • MIRRACLEZ[.]CLUB (10)
  • mirraclez[.]club (10)
  • zaltzburgopportunity[.]top (4)
  • binocularhearing[.]top (4)
  • CARIBZ[.]CLUB (2)
  • flowergroup[.]top (1)
  • binoculuz[.]club (1)
  • BINOCULUZ[.]CLUB (1)
  • backverge[.]top (1)
  • gaslight[.]metimes[.]ru (1)
  • BACKVERGE[.]TOP (1)
  • frock[.]encours[.]ru (1)
  • caribz[.]club (1)
  • lurk[.]ecolleague[.]ru (1)
  • simpledrive[.]top (1)
Files and/or directories created (occurrences in parentheses)
  • masrra11.exe (8)
  • imasrr13.exe (4)
  • %LocalAppData%\Temp\nsnD405.tmp (2)
  • %LocalAppData%\Temp\nscD4B1.tmp\nsJSON.dll (1)
  • %LocalAppData%\Temp\nsnD010.tmp\INetC.dll (1)
  • %LocalAppData%\Temp\nsnD010.tmp\Y gamemonitor.dll (1)
  • %LocalAppData%\Temp\nsnD010.tmp\cmutil.dll (1)
  • %LocalAppData%\Temp\nsnD010.tmp\colbact.dll (1)
  • %LocalAppData%\Temp\nsnD010.tmp\icrub.exe (1)
  • %LocalAppData%\Temp\nsnD010.tmp\nsJSON.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\INetC.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\X shmgrate.exe (1)
  • %LocalAppData%\Temp\nsiD435.tmp\Y gamemonitor.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\Z shmgrate.exe (1)
  • %LocalAppData%\Temp\nsiD435.tmp\cmutil.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\colbact.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\msimn.exe (1)
  • %LocalAppData%\Temp\nsiD435.tmp\nsJSON.dll (1)
  • %LocalAppData%\Temp\nsiD435.tmp\shmgrate.exe (1)
  • %LocalAppData%\Temp\nsiD435.tmp\xantacla.exe (1)
  • %LocalAppData%\Temp\nsiDC21.tmp\INetC.dll (1)
  • %LocalAppData%\Temp\nsiDC21.tmp\X shmgrate.exe (1)
  • %LocalAppData%\Temp\nsiDC21.tmp\Y gamemonitor.dll (1)
  • %LocalAppData%\Temp\nsiDC21.tmp\Z shmgrate.exe (1)
  • %LocalAppData%\Temp\nsiDC21.tmp\cmutil.dll (1)
  • See JSON for more IOCs
File Hashes
  • 4f8cf035324575449ee73dcfcc1ecededc5d1f3f8a4cec2f0e85455516207eb0
  • 9fc837165be91f7c7042e1dbcc4db8dd38d002f9214b861db6214c636055bac4
  • a40c7290af61e7f34282faf839982f9fbb33db423751ce59d11a156140e711ef
  • bd9f2de34957bcd509e47fcd7cd7e7f2af01b0e5078c0823680cdcd1d753341a
  • c880d5254c7e1d5723862100c2d57bd3cbcaad6560437ac59bd1071172980197
  • cd69efb3bb139a1675b90690635f8584896fc10c1f85be17f92206f8d856289d
  • d6dc00609f709cc451cb61f1d77fc84e8572494ebc3ba0de80518f7ab234384e
  • e82dd6108b2272e13f6365d75943de81b4196cfa4d885a78a2ac3665249ba2c5
  • f102bc0d0ebe8adf4486b0567c9ab493faa619aa1ae48ac3572ecb23b2de9836
  • f997bc9973d1bac7be25513c9ef80783949069a00732fd630e74876a3019dd3b
  • fcec660083595a7956cc13f9815ce23edcfbfa3e82c150a2f0fe6c0449433ce0
  • fd7696f075bb712bd4d7f14dad9c297d99669d3b1c61e51ee2dae4cfa897b9ff
  • fdac4b0e291a27c91cd3050c4e811d4fe33bb2189e44015d0d5a88f168441815
  • fef0d09e80bce24d232f60977972934eb9b1a984f4b42fac5a9d9ebd93757127

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella
