SecurityVendor

Threat Roundup for July 30 to August 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 30 and Aug. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique and the brightest indicating that the technique was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Win.Malware.Autoit-9882353-0 (Malware): This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows attackers to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.

Win.Dropper.Remcos-9882391-1 (Dropper): Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Packed.njRAT-9882468-1 (Packed): njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.

Win.Malware.Nymaim-9882470-0 (Malware): Nymaim is malware that can deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which to fetch additional payloads.

Win.Malware.Tofsee-9882650-1 (Malware): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the botnet's size.

Win.Packed.Dridex-9882835-1 (Packed): Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.

Win.Dropper.TrickBot-9882885-0 (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.

Win.Trojan.Gh0stRAT-9882928-1 (Trojan): Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Win.Trojan.Zusy-9883232-0 (Trojan): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Malware.Autoit-9882353-0

Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples.

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
195[.]181[.]248[.]12    25
120[.]136[.]10[.]20    12
192[.]35[.]177[.]64    10
172[.]67[.]75[.]27    8
104[.]26[.]13[.]247    7
72[.]21[.]81[.]240    6
104[.]26[.]12[.]247    6
23[.]3[.]13[.]154    2
205[.]185[.]216[.]42    1
23[.]3[.]13[.]88    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
vinyamars[.]sk    25
arm[.]com[.]ng    13
www[.]arm[.]com[.]ng    13
www[.]colorsshoes[.]jp    12
apps[.]digsigtrust[.]com    10
apps[.]identrust[.]com    10
cs11[.]wpc[.]v0cdn[.]net    6
cds[.]d2s7q6s2[.]hwcdn[.]net    1

Files and or directories created    Occurrences
%TEMP%\home1.txt    25

File Hashes
0025aadfbab17e9687aa21d13da1b3972ff0b05569113bd0f373f4dd5c04bfbb
02ae2648ac9571b2b18844d2bf7fc2aeecb53263989de07c4e93dfdff5166062
08a681b6f8cc5011ca675abb9b5b99c48bbab97d075669ddf03a4a28f66504d9
08de65041c75a3e1b6951d883b8ee4feb137d888e3cc96819a9b724fc823a3ea
0d173043a7a895a4551a647342bdfc5d8704d1f0de0f1e58cd1325aeb513e8aa
12263633d16689d353523c83d4972641131a84a8f1094c16e70747828c5431e3
13ec4ce498080a5da47b8d855c4c1c865c4089beaef8b3a9b7769ef0fa6b79a3
14dab213bb0a092a4c222256e8487db3a2b83a486d8d61b57c14b914b2ac5841
21dca2f8354dec2b5a8ae5c32ec827f0be94eab422c46ca701661dbf22cbcbdd
243cb7fdb9df4a65e04de6712c95c04fe4208117d952e6c6cc02f89f637e118f
25bc944b81f1352034884cb55c1ccaf466d0d00760982e6ade22f05d57d3ab25
25c9ea663a127d974aeb2c88fc639621c447065491afaaf04142f20d28eba6c6
3147e4788081de73f80e166f3ab8f73874b8f964a23494fa9188d871d28f445d
33f644cc90d3d00bb814ac384cd514f4fa3ef929af50d313956b3249d4d4f007
3b83bd58b6ba911509543bde8c8d90cd8d38fca1e4560638f6366bc1de751e2a
3bead316c0445f9dd471f4f0f5c33882a27eda7fe66e8f396aead28b6a8b9c72
47d67692c31d652b234f68193abc32fb88616a8ef5ec74993f9ff97e5d909727
5a1dcaa1bb293aaee77bccb58092737cd315630f2f72518d90b41e1b78abebf7
5b463fc0169d6e820bd9c8693007db122e6dd8cbf30c3928961e77fc6d50cdf6
5eb862fe7432753e26a817d792bd69969ad66197c2a5ca88e407dd3306771256
66cf8494899f61d715b089f70beb49394e7c2806762aac8ff54444ad1375b578
6b75cbd329cf7660e88a463e5ae9c2e4fdf5c56a2753d3696bb93d8f67c18205
6dcd111c8a4d37f5e11544e05b11604bdd672fdc09bff5f8b0f4013f4bcd89c7
6ea8c3820def15e695358a42a26ce3bd1307cbb7ffbd5b14c63a55b801b016b1
6f0ace6dea53f7b4f0effa1b1dd43ec3c9838dbe6facd5b61043d4c19db6cd78
*See JSON for more IOCs

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: N/A
WSA: N/A

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Dropper.Remcos-9882391-1

Indicators of Compromise
IOCs collected from dynamic analysis of 138 samples.

Registry Keys    Occurrences
<HKCU>\SOFTWARE\REMCOS-0S5XD9    128
<HKCU>\SOFTWARE\REMCOS-0S5XD9 Value Name: licence    128
<HKCU>\SOFTWARE\REMCOS-0S5XD9 Value Name: exepath    128

Mutexes    Occurrences
Remcos_Mutex_Inj    128
Remcos-0S5XD9    128
BCevEgBhzLGKaNZWXfH    128
Global\d5a46aa1-eedf-11eb-b5f8-00501e3ae7b6    1

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
173[.]194[.]68[.]156    1
140[.]82[.]112[.]4    1
20[.]36[.]253[.]92    1
52[.]85[.]144[.]86    1
65[.]55[.]44[.]109    1
199[.]232[.]38[.]217    1
52[.]85[.]144[.]68    1
172[.]217[.]222[.]138    1
185[.]199[.]109[.]133    1
54[.]81[.]163[.]76    1
44[.]230[.]27[.]49    1
23[.]38[.]131[.]139    1
44[.]238[.]161[.]76    1
52[.]114[.]158[.]50    1
5[.]61[.]37[.]41    1
95[.]216[.]195[.]92    1
23[.]78[.]173[.]83    1
193[.]56[.]146[.]41    1
193[.]56[.]146[.]42    1

Domain Names contacted by malware.
(does not indicate maliciousness)    Occurrences
thankyoulord[.]ddns[.]net    128
github[.]com    1
e11290[.]dspg[.]akamaiedge[.]net    1
e13630[.]dscb[.]akamaiedge[.]net    1
go[.]microsoft[.]com    1
docs[.]microsoft[.]com    1
wcpstatic[.]microsoft[.]com    1
www-google-analytics[.]l[.]google[.]com    1
www[.]google-analytics[.]com    1
w[.]usabilla[.]com    1
web[.]vortex[.]data[.]trafficmanager[.]net    1
a3[.]shared[.]global[.]fastly[.]net    1
cdn[.]speedcurve[.]com    1
web[.]vortex[.]data[.]microsoft[.]com    1
stats[.]l[.]doubleclick[.]net    1
c-msn-com-nsatc[.]trafficmanager[.]net    1
stats[.]g[.]doubleclick[.]net    1
c[.]bing[.]com    1
c1[.]microsoft[.]com    1
avatars[.]githubusercontent[.]com    1
js[.]monitor[.]azure[.]com    1
browser[.]events[.]data[.]microsoft[.]com    1
skypedataprdcolwus02[.]cloudapp[.]net    1

Files and or directories created    Occurrences
\TEMP\test.exe    129
%System32%\Tasks\Updates    128
%System32%\Tasks\Updates\vXAlJeWc    128
%APPDATA%\vXAlJeWc.exe    128
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp    128
test.exe    56
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\test.exe.log    55
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child-new.bin    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-child.bin (copy)    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache-new.bin    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\scriptCache.bin (copy)    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\startupCache.4.little    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache-new.bin    1
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\startupCache\urlCache.bin (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4 (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\addonStartup.json.lz4.tmp    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\broadcast-listeners.json.tmp    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4 (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\crashes\store.json.mozlz4.tmp    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\aborted-session-ping.tmp    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\session-state.json (copy)    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\datareporting\session-state.json.tmp    1
%APPDATA%\Mozilla\Firefox\Profiles\ogpxv0ba.default\extensions.json (copy)    1
*See JSON for more IOCs

File Hashes
02321739421cbb09b54d680e335185f7de92b600091b98329513d93105b52cf9
056f7e71e78e17cb0aa79b64da08286b964f2178d2090d64911c6642c36814c2
05d17139b921ae02f19e54781b300706557784df832ddbc079b3fe7536a31e53
0629ae9ce719b554c6424aa99ddb7846c84c5d974ab154b86b93a02fae8b9e7f
0d7a9543ec582ffc43374849315420543f2cc965dd4bb2e5e35ab4184d2e2ca1
0e51d9a05ced1a052a3d1e040c77d7e2159f5337739d69521d14dacbb599a0bd
11fa1333306fce3fa0d07f67f7889a07c9ff46c2bea22d5fe6ccfb1a1e09fad7
14a3210351da92f62bcb1fdf17488d3c43256e32707927c93a6491919e30db94
166532feecaa14575279d728da2c9988049a8a7ea5d479e04c588a554a097809
1ae5c64428959fef8b3478d1122637582a8194c5e34f8c3d038bf1373e003151
1e7978e1cb0ba4b5299d27d02c24d1ffa5db3b71eb908b8140f06eb081d658dd
218157900d57ddfce9598f8d49b0a8ccae080585cf19e01566ed73e2396131b1
22097730f40c3674a5b6050cfe2cf4ffed317d655e1c5c0d2a421fde7b07cfc4
2215b8b4b20a409c462e851f8597a12979781c8944204f26110e966860556b36
2247a83cbf55716bdd74aa1e05de9e4f89c802b8eb86590da762dd2f789b6831
254c9b7ed45741e81a5dbeb2a2214c57fbe43c10fab1da1a74f8549c64280ae5
2733f90b77a0b67f033a5188ca6d1a46e754dff03b5656dafb034d523e121c92
282b00987afb9dc3b65e035b1bd657ecc5ac7e52e9aee19c70f2f9265646fae7
2ada77612f68d343b4bcf228680b62ec266d00475446059729ce9ab7c68a154b
2c2b86f171fc93e574ba1a061ac87a0a3fca981f469104fa3cfbad54f313faa7
2c4bbc96d9a6d42c0b43e55735bfb7f90f891d97eee01b0c3520fdaf8f32c2fa
313ea6fc3c74e6c22980ddeaf1cea19f7ee7edeae2c71c4c1256ecf015d7189a
31e51fcfaaac27c60699174b6ab7e62beb11c6bc956c77a5cf85122a58c11487
3382824ce7a07e71dceae6980e76a716b1b8a00f746022d18545e50cae6b0984
33fc3a1693034d07cf75662a8e2245a895448d1db5249626129c660774263f14
*See JSON for more IOCs

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: N/A
WSA: N/A

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Packed.njRAT-9882468-1

Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples.

Registry Keys    Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500 Value Name: di    17
<HKCU>\ENVIRONMENT Value Name: SEE_MASK_NOZONECHECKS    16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: ParseAutoexec    16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 5cd8f17f4086744065eb0992a09e05a2    2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 5cd8f17f4086744065eb0992a09e05a2    2
<HKCU>\SOFTWARE\7CC1F7C2D4BAE6BC7887F26D77AA018C    2
<HKCU>\SOFTWARE\7CC1F7C2D4BAE6BC7887F26D77AA018C Value Name: [kl]    2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 212683d986fb740ad6a40184df48e604    1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 212683d986fb740ad6a40184df48e604    1
<HKCU>\SOFTWARE\212683D986FB740AD6A40184DF48E604 Value Name: [kl]    1
<HKCU>\SOFTWARE\212683D986FB740AD6A40184DF48E604    1
<HKCU>\SOFTWARE\7C8F800C2AE443A9C83B151599F29C82    1
<HKCU>\SOFTWARE\7C8F800C2AE443A9C83B151599F29C82 Value Name: [kl]    1
<HKCU>\SOFTWARE\E1785F1E26AD1CA79573011E0FF02E70    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: e1785f1e26ad1ca79573011e0ff02e70    1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: e1785f1e26ad1ca79573011e0ff02e70    1
<HKCU>\SOFTWARE\E1785F1E26AD1CA79573011E0FF02E70 Value Name: [kl]    1
<HKCU>\SOFTWARE\AB1AAA0BFE3591BECA82BFE474A8F47B    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ab1aaa0bfe3591beca82bfe474a8f47b    1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ab1aaa0bfe3591beca82bfe474a8f47b    1
<HKCU>\SOFTWARE\AB1AAA0BFE3591BECA82BFE474A8F47B Value Name: [kl]    1
<HKCU>\SOFTWARE\886B3912F2BB02C6693C574C429F051    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 0886b3912f2bb02c6693c574c429f051    1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 0886b3912f2bb02c6693c574c429f051    1
<HKCU>\SOFTWARE\886B3912F2BB02C6693C574C429F051 Value Name: [kl]    1

Mutexes    Occurrences
<32 random hex characters>    17
5cd8f17f4086744065eb0992a09e05a2    3
Global\c5a41e1-f0e9-11eb-b5f8-00501e3ae7b6    1
Global\ccf23c1-f0e9-11eb-b5f8-00501e3ae7b6    1
Global\cf9fc81-f0e9-11eb-b5f8-00501e3ae7b6    1

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
94[.]73[.]33[.]36    1
94[.]73[.]41[.]240    1
78[.]159[.]131[.]121    1
41[.]200[.]143[.]212    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
kinghonza[.]no-ip[.]biz    2
ramisy[.]ddns[.]net    2
zzzzaaaa[.]ddns[.]net    1
mhmd[.]ddns[.]net    1
hacker7[.]ddns[.]net    1
computer[.]no-ip[.]biz    1
maazxmbm[.]ddns[.]net    1
lkshkht1[.]myftp[.]biz    1
wassim1202[.]ddns[.]net    1
pouti1[.]no-ip[.]biz    1
ramisy[.]myq-see[.]com    1
abdullahss[.]no-ip[.]biz    1
noor85[.]no-ip[.]biz    1
kishk00[.]ddns[.]net    1

Files and or directories created    Occurrences
%TEMP%\e653d73e45833b6c    25
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe name>.log    21
%TEMP%\server.exe    9
%TEMP%\<random, matching '[a-z]{4,9}'>.exe    8
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2    3
%TEMP%\Trojan.exe.tmp    3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe    2
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2    1
%APPDATA%\server.exe    1
%TEMP%\system32.exe    1
%TEMP%\server1.exe    1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\886b3912f2bb02c6693c574c429f051.exe    1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\4fc66b344f8529857a68b59448691734.exe    1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9fcc88f1f248b4dbfd803b65f449acf3.exe    1
%ProgramData%\zzzz.exe    1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\500965600.exe.log    1
%LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs\Windows.exe.log    1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5b2cd92f335e3944d2dfa471de408b34.exe    1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\d1e729a473975eff06a55a309c2013cd.exe    1

File Hashes
105c3207f7516582d02c26428e32e64181c3d258dbb2358ab17b69e7b2e89b2d
12abcf56af00731447ed0cffbb7951e66d562cf39cd135b243dbfe595e37fc91
1af8edb622dbf1c1e60b1811ec4f8447c512a1aecd5cc00b3d6615eba4ca9588
1bc839f6a608310224dd06d66900a6314ffe6f6fc8cd4bfd0a0b3cda6e589ce9
24b5fbba292e1209a1b00497f14d6bc21e4b25a1adad781788505fe9be6f5178
29751d69e6beb986895de10afbefd17885e9f5fa4aa0f281f5a03948f8c76cc7
2b2ecd7bf3a04c8ce24a51c001b28006f00259665644ce828992c24def0559de
4266fcb85ba8c4bd6c13dcdf2833e9477b10fdcf554448f0a5c2992a2686c172
43f46de7cb7594b013a83601648544a3047b5d77e09e05f34b286f8c6960ba52
4dc216750b20e0594c18cdb52f5578413d918c8f4e032541badcbdbc28a9d555
53e739f663ee64dbff220383811d3255300b7a8c459d3acd47d1e539fec04f45
576cb07ae49d569971075bfcb4781e499c5c09cf5c5fa84d72dae2ebf050b819
613050981c98182bae457f83bc0513ecbc1f92da6ed3eaf84449969cfebee58e
6a4c7065537bcf08a36a6b88fd2ae85937061d9d963e8af70af1341d45a5c052
6d59405409e92fc6bc71bce7027f69148666e0e730ea16e60d5327a91b09f73f
6f3d01c3edc8681f835c00baca862d5b37b2c8e9949c3a1e0691b256a5b1e1d1
71b2ebba1f2cf21e2514e99449d0e41ac32d72baba7b71d49b014b275158da1b
7a925a4f0f083b9b4969c0974ec64bffb7049b46854fd578e488af32eab4518b
94a8250c4b36e57767ac6a204e6e8c7a322941576e7530e9b88dcf3c3e4529ae
9616f7c07cd16bb46cadadedc01328d69ec7f42feab2d994d137d93c555b5635
978fbdc3fb2ba585d221a57d1d48bd829e7a1a6cc6f012ebfbe87e5245c8cf96
985926c2a2d61cf9d28f0fae4f8c4ca68a5761fded38343e4e3fd093d47e3507
a510164d2a47b9f5c4ea2f86f210f523df91b956ccd54e7ee44f38b5a542adf6
b9e792fbb80a256fbcf6fa9a3361b17c81c40fdfd56f8b046f50ecb4d49bc9be
caf13a878409702e6eec3958e40f0f9ec85ee173fa326f6fcd0f32e45f59af77
*See JSON for more IOCs

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: N/A
WSA: N/A

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Malware.Nymaim-9882470-0

Indicators of Compromise
IOCs collected from dynamic analysis of 22 samples.

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK    22
<HKCU>\SOFTWARE\MICROSOFT\KPQL    22
<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg    22
<HKCU>\SOFTWARE\MICROSOFT\KPQL Value Name: efp    22

Mutexes    Occurrences
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352}    22
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C}    22
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52}    22
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F}    22
Local\{B13D69F8-F0AA-A818-5093-74D6601607EE}    22
Local\{364979D3-CCFF-AEC0-03C9-4C6906B10346}    22
Local\{E55AD28E-29DB-FB2A-7AB3-28939E6ED727}    22
Local\{1597A4DE-9B90-FFD9-AEFD-35162EE2C568}    22
Local\{1E3C2A10-A2FE-DF24-DAA2-BB385E44D2D0}    22

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
52[.]85[.]144[.]32    1

Domain Names contacted by malware.
(does not indicate maliciousness)    Occurrences
luuypgmmlndq[.]in    22
ruqcdr[.]in    22
modsbicfioxd[.]pw    22
cwfjj[.]pw    22
atmnjoted[.]com    22
uudoonnyycw[.]net    22
zfougwzcl[.]net    22
ptudgjdocbd[.]pw    22
rsuamdj[.]in    22
eafjh[.]pw    22
vmpqvbrhlri[.]in    22
fincbuu[.]net    22
ryheqdimmr[.]in    22
mvtforxht[.]com    22
ggtwx[.]com    22
vrboynwrdl[.]net    22
rarcraaisq[.]pw    22
rbtnpeutu[.]in    22
otjyzplh[.]net    22
iukobk[.]net    22
ehtsftixqw[.]pw    22
twkzd[.]net    22
pylxcogkv[.]net    22
zzosavwbgu[.]in    22
ymqkldw[.]net    22
*See JSON for more IOCs

Files and or directories created    Occurrences
%ProgramData%\ph    22
%ProgramData%\ph\eqdw.dbc    22
%ProgramData%\ph\fktiipx.ftf    22
%TEMP%\gocf.ksv    22
%TEMP%\kpqlnn.iuy    22
%ProgramData%\jzkicolry.ylg    22
%TEMP%\qnvgtx.eww    22
%ProgramData%\jzkbetrwq.wot    22
%TEMP%\xyubi.zds    22

File Hashes
04426c542165b0e1c07f2e8e801ca192c3ef1a9c475a7f485d08a4033af74443
0ebfd8829fa188bd0a53a65ba221488bcf5f1f6db8b57ff266d53bfe8da265ff
17fca7a9ec40e60e5fb2441e042922cc59e5b8e6f73f546d47f737370abb4eef
185c3c7ba7da54fa83f5a035fdd44f0d4dce0e91188397517f34396f1cde6d73
1872256a0cb790891c1f96daa46b8f1f219b6063320d43ea584ffe59f1e32110
2e0fb025627eca4ed6cc6377c4b8e0580942240d64a7f52d9a6f62841309cbb3
3cafad60eee5f93e3024e3abec3f133d75853620f19e8f14f9a956ba60b185f5
40817b2e65047486a312050597b3ee05a793ca6a6e24d385f1aaa241eadd6f52
40df42d98a57b4b7c43a3970e9ad231aa93be4b2c781c779931b2c61b180f541
4c9c0f80f3360d1fb7d9e681cccd29fe8ce3935852cb7a2360c2c92d5f526aa9
5256b8458d8e291bf7858456d649b9bfe1675b0b510d135beec3e99f2136ec60
659aacb6a44be99f42a9d52d636bfec5546a5f77108345169abb23b8dec3a9cf
a4836eff3b1d1db27cd528f41a7d2f162d0303136b1b29ef0655514f9264666a
a725814dfadf22b1d0664accf93ab194d9a9094842e916f456d5283a32aba74b
b32d6c9f170e2754d10e9465280b8a4680c35d822ac922c7cdf2b68ae1bcbb2a
bb94fe556c5824fbf7a64ebb396e13cbd88fc94bc19c9467d18204e57cff446b
bd69acc18442d95eb3d8b71b2ebb56183b9083be1f40ad7edc7b7fb457f925a3
cba28cc59d4decafbfa163d72e60130924075b14df1ca69bb42e0d08e02eca3a
cbd9fab20a3d689ee86169e0e1be21a30f8712834f08a12dae3629c793345771
d2cde7c24cc0c67578363a1f5ea93f7fda830db8b0b67e53892f087b2dbcb230
f669bcb9ad35d41e048b4b6ee4ac4e5a6256fdab0e92a045e124825be792d151
fd94efbc06c729bb9e05005b8d799550524225a05bc71f6059df7d480d68c46e

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: N/A
WSA: N/A

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Malware.Tofsee-9882650-1

Indicators of Compromise
IOCs collected from dynamic analysis of 300 samples.

Registry Keys    Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES    299
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config4    212
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description    62
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath    26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fymsrzfu    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: Type    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: Start    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: ErrorControl    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: DisplayName    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: WOW64    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: ObjectName    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: Description    19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU    19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\rkyedlrg    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG Value Name: Type    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG Value Name: Start    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG Value Name: ErrorControl    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RKYEDLRG Value Name: DisplayName    18

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
43[.]231[.]4[.]7    300
192[.]162[.]246[.]7    209
5[.]61[.]37[.]41    209
95[.]216[.]195[.]92    209
142[.]250[.]72[.]100    181
104[.]47[.]54[.]36    153
104[.]47[.]53[.]36    146
104[.]44[.]194[.]232/30    127
193[.]56[.]146[.]40/30    90
209[.]85[.]202[.]26/31    88
65[.]9[.]117[.]69    85
31[.]13[.]65[.]174    80
173[.]194[.]68[.]26/31    80
64[.]233[.]186[.]26/31    80
208[.]71[.]35[.]137    79
67[.]195[.]204[.]72/31    79
192[.]0[.]47[.]59    77
104[.]44[.]194[.]236/31    77
98[.]136[.]96[.]76/31    76
208[.]76[.]50[.]50    74
64[.]233[.]184[.]26/31    72
208[.]76[.]51[.]51    70
40[.]113[.]200[.]201    69
199[.]5[.]157[.]131    68
216[.]239[.]36[.]126    67
*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
microsoft[.]com    300
lazystax[.]ru    300
249[.]5[.]55[.]69[.]in-addr[.]arpa    299
microsoft-com[.]mail[.]protection[.]outlook[.]com    299
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net    213
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net    212
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org    212
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org    212
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org    212
www[.]google[.]com    209
mta7[.]am0[.]yahoodns[.]net    194
mta6[.]am0[.]yahoodns[.]net    187
mta5[.]am0[.]yahoodns[.]net    186
mx2[.]hotmail[.]com    173
mx3[.]hotmail[.]com    165
mx4[.]hotmail[.]com    162
mx1[.]hotmail[.]com    161
authserver[.]mojang[.]com    89
alt2[.]gmail-smtp-in[.]l[.]google[.]com    88
alt1[.]gmail-smtp-in[.]l[.]google[.]com    81
www[.]instagram[.]com    80
gmail-smtp-in[.]l[.]google[.]com    79
alt4[.]gmail-smtp-in[.]l[.]google[.]com    79
whois[.]iana[.]org    78
whois[.]arin[.]net    76
*See JSON for more IOCs

Files and or directories created    Occurrences
%SystemRoot%\SysWOW64\config\systemprofile    299
%SystemRoot%\SysWOW64\config\systemprofile:.repos    299
%TEMP%\<random, matching '[a-z]{8}'>.exe    281
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>    62
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy)    40
%SystemRoot%\SysWOW64\fymsrzfu    19
%SystemRoot%\SysWOW64\rkyedlrg    18
%TEMP%\<random, matching '[a-z]{4,9}'>.exe    18
%SystemRoot%\SysWOW64\lesyxfla    16
%SystemRoot%\SysWOW64\buionvbq    15
%SystemRoot%\SysWOW64\piwcbjpe    14
%SystemRoot%\SysWOW64\unbhgouj    14
%SystemRoot%\SysWOW64\yrflksyn    14
%SystemRoot%\SysWOW64\xqekjrxm    13
%SystemRoot%\SysWOW64\cvjpowcr    13
%SystemRoot%\SysWOW64\dwkqpxds    13
%SystemRoot%\SysWOW64\nguazhnc    13
%SystemRoot%\SysWOW64\qjxdckqf    11
%SystemRoot%\SysWOW64\athnmuap    11
%SystemRoot%\SysWOW64\ibpvucix    11
%SystemRoot%\SysWOW64\kdrxwekz    11
%SystemRoot%\SysWOW64\haoutbhw    11
%SystemRoot%\SysWOW64\jcqwvdjy    11
%SystemRoot%\SysWOW64\tmagfnti    10
%TEMP%\llkqbpwz.exe    5
*See JSON for more IOCs

File Hashes
00c7f220cf3fccf7a8e5d2ac53cb27be3126b53563bdb2defc3ce67c4cd6ba9d
00fe2d96de4434f3e36ffd74887738104393026f9f363500e3dded2c3b7b1a13
018728665b1aa4d0e306c7c7e361aface06d082a81b8240cdd5f2abfbfd04a3f
02b5ede133f717db614704dafabdebf710b8e2400acb2673ec4f04729804720a
04f15bd44ab9bd713f12069d5e9180b7cbc1df381b51694e7fba4972e39c7721
061870b1ab7a55281e5667651353b7ab7b670a66616209dfb477403c9df64534
0634c076a93cdb11dc93ffdbc315a89ed4c1f2eda3d3a15641b95482dc938c61
076843dd6d91105a079d8f8e26685a1af1121fbd8a48174fb253c762c476f0ea
092e599884795dd6bf7b107016567dc949039e05f842f03fcbc6bde337942ad7
0997c8562ff6d8d9f553b1e4b796bb6e46a7ad41faa17df9a8413e1dd0e00f42
0a91030bff0cc170a6a0aaa3cdf6ad5825230633ab4f4d339a9972d039a493e4
0d1e2e73ae22017ae11d2cbaf1f6d2695a48fe778ce84feece581ca6745d8cbe
0d354fc77a1bea07d4435c7e4368f8d5332aef4b066684236928bcb0113be2c1
0d868fbe90f7a54ae38246fefaa0cc7b20d515a883247fa78af205f045bff23c
0e2404e39bdc4330cfc3d2ec6c9dfe7991fb5e771345941cc04fe42fe7a1c85f
0f128f14781c434604962a0659fd904a222f7fe429c857a87becd4b2d906225b
0ffbffe8f66a655ea5c9f5357b8bda77094bea1a1b5df43bbebb54ba25d82f9f
12697881977defa45bfe2793f13fb56e842fbadfa0a80dc1307eea7c5edf82f0
12fa54a3cfe4894fcfeead54b56416504b37a5fa52cf2a61994340890b9c3344
14583b1e6c65555600bebf7a9fa4844c4c664ab0f100675eb3235879e91fcb04
15f99544c62d303229ddd19fa3aae1570da60db57cae3405a8d43df84f746fa2
1607c665d8d28c4db39d29c8c07a8b8c7fe21fe8e0e37e2f3b0ad622955d3b4a
16ada43aa8e46b888b125de40eaf7f748a38dce334592a0287d9d0b52ec66fbf
16f50ef7e0b66db5a4318c4191674e90848c5b6ab0320b900000f79491d2f3cc
179f865770c398df1b63df901dc9acaa626d1cf8715f53a7efec30b26361d7e2
*See JSON for more IOCs

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: covered
WSA: covered

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Packed.Dridex-9882835-1

Indicators of Compromise
IOCs collected from dynamic analysis of 21 samples.

Registry Keys    Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: trkcore    21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableTaskMgr    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 Value Name: CheckSetting    21

Mutexes    Occurrences
<random, matching [A-Z0-9]{10}>    21

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
142[.]250[.]72[.]110    20
104[.]23[.]98[.]190    11
104[.]23[.]99[.]190    10
209[.]85[.]144[.]100/31    7
23[.]3[.]13[.]88    3
8[.]253[.]132[.]120/31    3
209[.]85[.]144[.]138/31    3
23[.]3[.]13[.]154    2
209[.]85[.]144[.]113    2
172[.]217[.]12[.]238    1
8[.]253[.]131[.]120    1
8[.]253[.]45[.]214    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
pastebin[.]com    21
w[.]google[.]com    21
www3[.]l[.]google[.]com    12
auto[.]au[.]download[.]windowsupdate[.]com[.]c[.]footprint[.]net    5
www[.]3uvexiaty7[.]com    1
www[.]domnz7vvnb[.]com    1
www[.]ve8ou79uye[.]com    1
www[.]xghhacdq0w[.]com    1
www[.]chqh6mv3sb[.]com    1
www[.]tvszhrwjoe[.]com    1
www[.]dunngvjplt[.]com    1
www[.]xmvxawrtqw[.]com    1
www[.]ezgk3dsdcj[.]com    1
www[.]da5hxzevov[.]com    1
www[.]agnkbjftop[.]com    1
www[.]myi2gu7xf1[.]com    1
www[.]4bgue0iyon[.]com    1
www[.]gbxewhyjj3[.]com    1
www[.]q3cbd5fxkt[.]com    1
www[.]a7hgyy5um9[.]com    1
www[.]pubpioxdsn[.]com    1
www[.]fbhyhbahbl[.]com    1
www[.]ictmfkicjt[.]com    1
www[.]whlzqsc1pr[.]com    1
www[.]f4zsmgym4n[.]com    1
*See JSON for more IOCs

Files and or directories created    Occurrences
<malware cwd>\old_<malware exe name> (copy)    21
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\LockScreen___1024_0768_notdimmed.jpg (copy)    1
%ProgramData%\Microsoft\Windows\SystemData\S-1-5-18\ReadOnly\LockScreen_Z\~ockScreen___1024_0768_notdimmed.tmp    1

File Hashes
1371aef7db34c881e16b76273a93cff90fbacf51245ff57aca4b226c42a18624
15d67bcb8c8ecc6c2bdab5e567e6ce72803dc45db7e045b7705661f036104638
2053ed6a5d21fb60d25cc2a3c72259c1d1b351e5073000fb2600fa0adff3a1c7
31f3f5a32812614305d4897d56ce82fe1e28a42d1b0deca193fb33e8b6e81561
37694b61b246f2edcb5f468330722eb493886c95be002b537309ec93d8c6cfab
38d93c508d5fb88ace23f6e43f846020aa46e36984eda79f21bf9b5c22d8e72e
3feeed35025505f33ab03fab117af7facdd414d8df8277ae9328301d44518fd1
628995256555303acb50444d50da073d9d937b43023a88ef0fb338517bdf75e2
8d9ad8f6812215694e95740f34de8f44e74bfa19b750a18b6cc1e24804672bfa
9e29f0549d33b313fd51aeac5636beccfa97af032f24ad9082f41e367acedfe6
9f228283bb9e6e650cd543725dd51606f3bc1e6f88503fbd1a42e2b045caa262
a1514a33fc936b1a84e99d65a9ca25e27835db5fe88fb4c811f7da77f176df23
a5617abde6bccdfad7765c6cbcf30be7398838a9267eb085bf659427546a1d00
b48e16bfd3fa581dbb3a87a1ed312dbc14483659aa6650cd003e85762fc42166
c31b80567d3d47c6144ef8bbeae4526d6f5d5418be2bdab406dcf7f878332f8f
cdc0996bd445e0a60d4b9b859a32616c60e1b55d09d346624060e22b70cc612a
df1dc9da3077d9c9399e9a34b2c0b098717afa5f43b2b83abad2b06160c3740c
e3561ef1633239d601fb0320e59d7561d3388ba96ada6a247e87ec095fd8e55a
e3cbd8a4ad64d0fbfc339fa66949fa5d253f422e0a05e9ce1831250993072fdf
ece2043926079ed0a4d3cee8eb4fc92525a4f0d05a3061af1d1a23fe0f42284a
edca0c39cd739068f6785bfd2dc2ffdbfe76da2409e0110d2b3d4fbafe5bfa41

Coverage (Product: Protection)
AMP: covered
Cloudlock: N/A
CWS: covered
Email Security: covered
Network Security: covered
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid: covered
Umbrella: N/A
WSA: N/A

Screenshots of Detection: AMP, ThreatGrid (images). MITRE ATT&CK technique map (image).

Win.Dropper.TrickBot-9882885-0

Indicators of Compromise
IOCs collected from dynamic analysis of 41 samples.

Registry Keys    Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER Value Name: DisableAntiSpyware    26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: DeleteFlag    26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableBehaviorMonitoring    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableOnAccessProtection    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableOnRealtimeEnable    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableIOAVProtection    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER    26
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION    26

Mutexes    Occurrences
Global\316D1C7871E10    26
Global\551AB680DA010    1
Global\9A0C978E5E3932960    1
Global\D870604C8131128    1
Global\7EBA1BA86EA10    1
Global\1B255F507D410    1
Global\8935F1F8C7E10    1
Global\8776A26A89932960    1
Global\6ED45B7A6DE932832    1
Global\31E23F4EFD3932960    1
Global\FF7252924A4932832    1
Global\90833FACFEB1128    1
Global\18F38E8E3A3932960    1
Global\CA2F252894A10    1
Global\62A27AD0EB410    1
Global\9192F476D1D932960    1
Global\4A39609A826932832    1
Global\B5C24E9E3A7932960    1
Global\4CA57236C8D932960    1
Global\AE1D8E4E393932960    1
Global\7D4C23448D11128    1

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
72[.]22[.]185[.]208    14
72[.]22[.]185[.]200    12
200[.]122[.]209[.]78    2
181[.]209[.]88[.]26    2
193[.]0[.]178[.]20    2
85[.]209[.]162[.]216/31    2
51[.]38[.]101[.]194    1
201[.]184[.]69[.]50    1
51[.]77[.]92[.]215    1
80[.]173[.]224[.]81    1
85[.]143[.]219[.]128    1
173[.]247[.]238[.]184    1
200[.]54[.]14[.]61    1
181[.]129[.]136[.]226    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
crl[.]microsoft[.]com    26

Files and or directories created    Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5    26
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5    26
%System32%\Tasks\Ms nocsys tools    26
%APPDATA%\nocsys    26
%APPDATA%\nocsys\data    26
%APPDATA%\NOCSYS\<original file name>.exe    26
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1    20
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\396de868fa3d0eba3f5795cb816e1bfd_24e2b309-1719-4436-b195-573e7cb0f5b1    20
%APPDATA%\nocsys\settings.ini    20
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt    17
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp    17
%System32%\Microsoft\Protect\S-1-5-18\User\d023035f-3867-4126-9856-b88eb9a40592    12
%System32%\Microsoft\Protect\S-1-5-18\User\a5e679cf-af20-480c-a0f2-3963fe5675cc    7
%System32%\Microsoft\Protect\S-1-5-18\User\9591d337-3013-42e2-b0fa-2b12dfad32af    2
%System32%\Microsoft\Protect\S-1-5-18\User\6d307590-6983-4c3e-9384-847ea5ded675    2
%System32%\Microsoft\Protect\S-1-5-18\User\a14115dc-1d88-41cc-a6ae-38c59745a977    1
%System32%\Microsoft\Protect\S-1-5-18\User\ed05a357-d1a3-479c-87c4-d96ade21ea7b    1
%System32%\Microsoft\Protect\S-1-5-18\User\64c5cd5b-a5ba-4a94-8081-f82e182251b0    1

File Hashes
0136236ef8ed1ff776d345f3ef007e8907fc56b507068824e34281880f340e22
02dd2fe1cd74b60e822ae700a1c4be45139a6aa88a5f81ce5e9a6644d6b2d2d8
057ffc3a33d129bbb509f49bbff396c750f0a5186b30633fee9b05ac544a1a52
0909cc85312268a10d2705100ea2ed5b95eb7ab5f765e41a3a6eb7e4dc5eeaf0
0abccd961e1dd93ab520cd88c2e07a7a2ec4e8a6138f7bcd714cd1cd2743be6f
10005a523b5298601829bd9a87989edefcd5183dc2a305bfcfbdf21b343fd8f0
14c0fd429ed69daddb8b66b41cc4d1630f7dbf5951b52ab1ced2289449fa1b55
14c64c9047b71fce74225216653b3491861d8f9274afa3519ae1976f2b8d76a0
19bf967bfb68ab4aa59264559e857708ab244837403c4797a0f12e9a57221f40 19e74a92942859c1f9d23cf1a924d5232663226e44a64f90712f6d7653d03f25 1afc3ee244bda23d65c3495c30a3ebad2b7a716f6eb62bc02b6ac036082af227 20e629334895d966d0f8dca1835568445b2a06b9ec6830d83861e843effd50bb 214580349cf3ae05528d81615694f7369c76f1d56a6f21f7b8b80ffac6367d2b 220f84942fe3b88473899182473327480a04c25dd27212a97c26c49072c503ca 2224cc59bb76c875cfcf04df8ad82f6c3c4c5418ab0a281bd0cd1ba73d685a1f 27acdc8a6518e083365a5cebd518a98f5755fb2a4b588257b3f052ed3aca2b47 27e3ba58cbb7ab7628e97dab88836edf3525a0137360056fc05e869dac57711a 284b939dbd6258063b3a4d43911635e28926667947435a9697b93661417884e8 287a910ea787f13609d4c8002a0ac86b8068a6fca8bfadb0c1d2b1fb63436b96 2d465c82cfcd0f6121a68ff352d9f97aaa74c7c74527b6d8a9df2514a9ae0797 307e3804d8a677f1c176534c8eb85e63f89421e6a1bf4477485c0a4e3eb9e9d1 32ed191361a69cf8d93f2431fe449a822e812a5f08c9c7e8bb04acc543443a92 3359b593b46b2c55971ab4f5a10228ffd462a8f5fd8b9357a71955b6a1e1e477 36412fd9e0365bd704819e5cdad73b09fd25d1c25014830124d3a9e1bfb1e302 388946f92b46ccb90ceea484407419a9df296d0968a7db7f54c4f859a88e6a4f *See JSON for more IOCs Coverage Product Protection AMP Cloudlock N/A CWS Email Security Network Security N/A Stealthwatch N/A Stealthwatch Cloud N/A Threat Grid Umbrella N/A WSA N/A Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Trojan.Gh0stRAT-9882928-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samplesRegistry Keys Occurrences <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: Description 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: Type 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: Start 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: ErrorControl 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: DisplayName 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: WOW64 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: 
ObjectName 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: FailureActions 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: MakeTime 15 <HKLM>SYSTEMCONTROLSET001SERVICESDEFGHI KLMNOPQR TUV Value Name: ImagePath 15 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: Type 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: Start 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: ErrorControl 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: DisplayName 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: WOW64 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: ObjectName 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: FailureActions 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: Description 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: MakeTime 9 <HKLM>SYSTEMCONTROLSET001SERVICESMNOPQR TUVWXYAB Value Name: ImagePath 9 <HKLM>SYSTEMCONTROLSET001SERVICESQRSTUVWX ABC 1 <HKLM>SYSTEMCONTROLSET001SERVICESQRSTUVWX ABC Value Name: Type 1 <HKLM>SYSTEMCONTROLSET001SERVICESQRSTUVWX ABC Value Name: Start 1 Mutexes Occurrences f’ Ìð-q’?È Wö°Ãîg¾Ým^ÂÅe $½{ HÀ9Snó–Qt¸G½ 15 f’ -q ? W g m^ e $ { H 9Sn Qt G 15 f’ Ìð-q’?È Wö°Ãîg¾Ým^ÂÌn 3¤` WÙ”Jyú†A 9 f’ -q ? W g m^ n 3 ` W Jy A 9 r: ×®p,œyˆR 1 r: p, y R 1 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 205[.]209[.]171[.]248 24 Domain Names contacted by malware. 
Does not indicate maliciousness Occurrences zxl520[.]f3322[.]org 24 new[.]lmshusheng[.]com 1 Files and or directories created Occurrences %ProgramData%MicrosoftOrhig 8 %ProgramData%MicrosoftQyqku 6 %ProgramData%MicrosoftOrhigmrbtbz.exe 4 %ProgramData%MicrosoftOrhigwbflvv.exe 4 %ProgramData%MicrosoftSfzmi 4 %ProgramData%MicrosoftUmiow 4 %ProgramData%MicrosoftQyqkuewqcyk.exe 3 %ProgramData%MicrosoftQyqkuummkeo.exe 3 %ProgramData%MicrosoftMkygs 3 %ProgramData%MicrosoftAaaaaaaaaaa.exe 2 %ProgramData%MicrosoftWmiwykkesuw.exe 2 %ProgramData%MicrosoftMkygsewqcyk.exe 2 %ProgramData%MicrosoftSfzmioguusg.exe 2 %ProgramData%MicrosoftSfzmimrbtbz.exe 2 %ProgramData%MicrosoftUmiowummkeo.exe 2 %ProgramData%MicrosoftUmiowwbflvv.exe 2 %ProgramData%MicrosoftSldswuhvxbf.exe 2 %ProgramData%MicrosoftKjtksobdhpx.exe 1 %ProgramData%MicrosoftSyqswuuikos.exe 1 %ProgramData%MicrosoftYtrymsfpjxl.exe 1 %ProgramData%MicrosoftIpxiegtfdzv.exe 1 %ProgramData%MicrosoftYgeymsscwky.exe 1 %ProgramData%MicrosoftCuwcoiiyeqc.exe 1 %ProgramData%MicrosoftUsmukccgoeu.exe 1 %ProgramData%MicrosoftKwgksooquck.exe 1 *See JSON for more IOCs File Hashes 003adb63e10d8d53c64359025ccc7f8e2a5c36525772877ae35fc2e9dfc99d78 0aae8828caded26a3e8215714b5ebbbfdb228c86f789b7bb41b2b0725965d332 0c1eaa52ac33764845d11706bed4e8b3f398dd7d573eac16b94536e5262ac7c5 119c1f722080cb9ff8129eb27903f61389f87ab474004752ef85f94b77889274 19fbfbf5f4e7810455b45f07f26d9a7b7f10130442afcd878a95d162cec3064d 1a0faa37c83b46952136c44760ba1369c1e72bc27157509b6d5bc8902f5fe781 1a6981f6c95c977c30e067c15e926a26cde853becf6dd54df1f4173fb312406b 233d65d1f2868180ad2d59209556bf8cc5d1e936172166df5f30f9ef270e9576 27e04e17928bbe39602b6e0c6b16645debd820117b3896b995095c0231356c25 28560fc1c09900d876e5a40c8258e000c4b1a44a3032a40076a9e4750f026d0d 2d66eb8615c2b641fa2c7e5c4ea2e23daeb07bc905aadedd09501cfcd3486022 2eeb74b557a12e2cb4963536e527e3ec341acd46b99a0999e9df4ad20916c1ec 3dc1d92c65c62d9b6a165baa2deab1c3144a7697c248cc9bdf2eb90d63f2e559 
3e58922d3e088e955703bb59a30fabe4cef697768cc2d289b92801f21981c929 42678de3dc919a231ca774239ef499db0cd5cb84f7172f3e66a161f4853ebef8 4722d036e813fe5bbad2a83e8bb6871f6758d9b35918fd9fb7f54a21d24b2eb6 493fba7232a7c3bd495960a0e12eff6aaf0511ff9bd839b2f0b095a62c04ef4a 4b26d9177fd4a606c48fdda5056a14724ef947211f1331c4a0696a07921cfc0c 4c097ab0a5e6b86fb1caea5e8a12f30b9421ee26c9e2cb16df82415fe4628fde 52716a9ab3eb548b8d0acc688e48e806117ca41e692aec1a9d738a96a833bb03 562eea48e5ff05aa4e14e9d807db121a10ab09344f2c5da72fb3cc26d2b0d698 6622c8a47924a00afe87425f055587048e925019fc88f434901cf602388544ad 682f0a644524e14ab0356e72eb15bf84eb054524d9437d96eb570dfd397b3692 72b14684d28eb0df6173909d7a83e5b54c63f2d78cf46e6f60b9d60fba3828ea 7534321b000b8fb08cd68b854226eb1c7b2cf1a4654d3b2f58f4016f7fd20bb8 *See JSON for more IOCs Coverage Product Protection AMP Cloudlock N/A CWS Email Security Network Security Stealthwatch N/A Stealthwatch Cloud N/A Threat Grid Umbrella N/A WSA N/A Screenshots of Detection AMP ThreatGrid MITRE ATT&CK Win.Trojan.Zusy-9883232-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samplesRegistry Keys Occurrences <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES59FA93603156820ACCEA8EEB6C50D2CD4D77AFE5 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES7C9D3483399ED27657D99C1FC9F5EE6415411E1 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESFA14A75C398DCCEDECEB8DB8C6F147F94399265E 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES59FA93603156820ACCEA8EEB6C50D2CD4D77AFE5 Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES2E429959A7C7DA3127D0E12225F164252FA7CCF1 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESBAC11E013ABD0662AC2C7A7B8F649346B806B53D 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESFF97AD2341FE7688EBF9874877F8E6008DDFB93A 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES33BB27004D9105200E7E9485A76609D2C0F7CCBA 1 
<HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES7C9D3483399ED27657D99C1FC9F5EE6415411E1 Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESCFE6DDB9DAD1EFBCE181DDC5206A02799959A2A0 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESFA14A75C398DCCEDECEB8DB8C6F147F94399265E Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES2E429959A7C7DA3127D0E12225F164252FA7CCF1 Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES5954078DB0BE70F645D8ACBE8B5DA42D5363345E 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESBAC11E013ABD0662AC2C7A7B8F649346B806B53D Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES33BB27004D9105200E7E9485A76609D2C0F7CCBA Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES62A76DC1A8F49DDE280188C3213AF6DA0BA1DCBC 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES7FB7DE141ED1DF2FCF214B582AEDC7E3AE0D6CF5 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESFF97AD2341FE7688EBF9874877F8E6008DDFB93A Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES98BD02E20E9060688F4E963E9439E3068211B7FF 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES2F6A61576E8383EEF4059A24110508E5CA5C2A4A 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES6420E7C397E284422DD77BA9EC03363ABBB4873A 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESD4C0BF29BECE91F5C8194C5F2AFA462E220FD42E 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATESCFE6DDB9DAD1EFBCE181DDC5206A02799959A2A0 Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES5954078DB0BE70F645D8ACBE8B5DA42D5363345E Value Name: Blob 1 <HKLM>SOFTWAREMICROSOFTSYSTEMCERTIFICATESROOTCERTIFICATES62A76DC1A8F49DDE280188C3213AF6DA0BA1DCBC Value Name: Blob 1 IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 142[.]11[.]206[.]50 25 Domain Names contacted by malware. 
Does not indicate maliciousness Occurrences 1[.]1[.]168[.]192[.]in-addr[.]arpa 23 localhost 23 1[.]0[.]168[.]192[.]in-addr[.]arpa 17 Files and or directories created Occurrences %ProgramData%Vhxwcgzi.tmp 24 %TEMP%tmp<random, matching [A-F0-9]{1,4}>.tmp 24 %APPDATA%MozillaFirefoxProfiles<profile ID>.defaultcert8.db 23 %APPDATA%MozillaFirefoxProfiles<profile ID>.defaultkey3.db 23 %APPDATA%MozillaFirefoxProfiles<profile ID>.defaultprefs.js 23 TEMPtmp.edb 23 %System32%LogFilesScm26f915b8-d0da-45d2-b432-bc32eb0c50a3 23 %APPDATA%MozillaFirefoxProfilesogpxv0ba.defaultprefs.js 17 %APPDATA%MozillaFirefoxProfilesogpxv0ba.defaultcert9.db 17 %APPDATA%MozillaFirefoxProfilesogpxv0ba.defaultkey4.db 17 %APPDATA%MozillaFirefoxProfiles<profile ID>.defaultcert9.db-journal 17 %APPDATA%MozillaFirefoxProfiles<profile ID>.defaultkey4.db-journal 17 %ProgramFiles(x86)%Vhxwcgzi.tmp 17 %TEMP%3785372676.tmp 1 %TEMP%3785400788.tmp 1 %TEMP%tmp722E.tmp.ps1 1 %TEMP%tmp8687.tmp.ps1 1 %TEMP%3785369587.tmp 1 %TEMP%tmpDE57.tmp.ps1 1 %TEMP%tmp92F5.tmp.ps1 1 %TEMP%tmp1253.tmp.ps1 1 %TEMP%tmp7EDB.tmp.ps1 1 %TEMP%tmp9823.tmp.ps1 1 %TEMP%tmpE9C.tmp.ps1 1 %TEMP%tmpFCEE.tmp.ps1 1 *See JSON for more IOCs File Hashes 04552b5e285a9fcfb2f52f20675e001fd8ce1a8047dcccb5d0a76e210454c681 0bf03550395ad5269605464613abdcee1e9cc7d8ad0c5a33f6112be835de910e 0d7154ad1b934c1042b1c55a39e3914c33cf607c563450207608674e9fc23955 0d9e6b1acf20992caa69b3419391d0b42b182a40332529db44c1a37b8ce80abe 10df1e1e3754d9578d96191fc4e9fda06215447e095c8f036c0953791efcdfa5 14ceac287c2a1833dcf348b627f06b3c974c725a22f28442fe852c9e188bd545 1b9e977a53e7219994fbb11b9f8f2c8632d9f900ea49ee0debef245fb3cd056b 1d7f86ec4a2a6ea4ff6524bc88a7a1de8b52b09556ad53ac70bf7adf01fba0ec 2113cc1b08d8d66a1f6af87df75713325a2a4af4365cb4a2d81ff65acefb3e1a 21ebf0a15597cf2025989348561e174ea5ec1bddf7bacfebb1eb0c77ac8ee35c 2230e8a3f5ee7812d08d3d519a1bce53a095f51e061ddac3c3a7d23c1b09518f 2351c47ba13aa93905f377c2648ed57a1d36dc694f1b19bfd82982857b4e8b75 
27a49c51e73dc26ca9b12da576d6612561a9ff8bce22180f0f9d1df1afb56a35
280468dad8b329f550e4b9ae72565d821667654b66d279162af0ab90e0998f07
29c45f2439835eadff94b3e61fa8dd9197408d8b80c63cc09a2d0cce69022871
2b84ce28a36b679502ef3ecdf8d04f8a72cfd6d5fc8abe4cc9f217636b6524c9
31ef4ba41acf7b39459b0878f9c1af1b2967acab46883c8d454e6ef621cb3917
3275263afd153fea6ac7eb9782eaf15655dfb364ef3769e57c740fef5ee10914
38db7a323f7dc3350973e9b18d9e730318cc2a7dab5154b40a4a17ed8c21319a
3cb7befe1d5e97125c29c283641eac5defdb091a25065fdf3ea1ac22f1268f38
4385ef749b3490998e7243158edb6de44510d4b5669a71f347e9de2c2bed7d8c
46b1ccddd1cbbd063d3f2971c7d49f6a05cae925797b8ef0473282bc7d66756e
46cfe911e21a2e419a5d2928d0c8981772bdb6611e3fe407897462720c5c4226
48d89a8ffac52d95d703f191d185c9f9d9ff4bfd4f3b00218cb309eef4a821cd
4bdeb3338b3de1b5cc76337f58008348590032f99f5f046041f61bf0779fdfb0
*See JSON for more IOCs

Coverage (Product / Protection)
- AMP
- Cloudlock: N/A
- CWS
- Email Security
- Network Security
- Stealthwatch: N/A
- Stealthwatch Cloud: N/A
- Threat Grid
- Umbrella: N/A
- WSA

Screenshots of Detection: AMP, ThreatGrid
MITRE ATT&CK (technique map image)

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected – (13807)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

A Microsoft Office process has started a Windows utility – (11065)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.

Excessively long PowerShell command detected – (3208)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Reverse tcp payload detected – (3033)
An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.

CVE-2020-1472 exploit detected – (1991)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.

Cobalt Strike activity detected – (1437)
Cobalt Strike is a tool used by both penetration testers and malicious actors. It has been observed being used to deliver Ryuk ransomware and other payloads.

Crystalbit-Apple DLL double hijack detected – (1328)
A Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.

Dealply adware detected – (1201)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
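Two of the heuristics described above, an Office process starting a Windows utility (11065) and an excessively long PowerShell command line (3208), work entirely from process-creation telemetry, which makes them easy to reproduce as rules in any endpoint log pipeline. The following is an added example, not code from the Talos post and not AMP's own detection logic: it parses constructed Sysmon-style process-creation lines and runs both rules over them. The line format, the field names, the process lists (taken from the examples the post gives) and the 1000-character threshold are assumptions made for this example; AMP's real threshold is not published here.

```python
# Added example, not code from the Talos post or from Cisco AMP: two of the
# exploit-prevention heuristics described in this section, re-expressed as
# detection rules over process-creation events. The event format, field names,
# process lists and length threshold are assumptions made for this example.
from dataclasses import dataclass

# Office parents the post names ("such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe").
OFFICE_PARENTS = {"excel.exe", "outlook.exe", "winword.exe"}
# Windows utilities the post names ("such as powershell.exe or cmd.exe").
WINDOWS_UTILITIES = {"powershell.exe", "cmd.exe"}
# Assumed threshold: the post says "very long" without giving a number.
LONG_COMMAND_LINE = 1000


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(log: str) -> list[ProcessEvent]:
    """Parse constructed 'ParentImage=...|Image=...|CommandLine=...' lines.

    CommandLine is always the last field, so it may itself contain '|'.
    """
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        events.append(ProcessEvent(
            parent_image=parent.removeprefix("ParentImage="),
            image=image.removeprefix("Image="),
            command_line=cmd.removeprefix("CommandLine="),
        ))
    return events


def office_spawned_utility(ev: ProcessEvent) -> bool:
    """Heuristic 11065 in the post: an Office process started a Windows utility."""
    return (basename(ev.parent_image) in OFFICE_PARENTS
            and basename(ev.image) in WINDOWS_UTILITIES)


def long_powershell_command(ev: ProcessEvent,
                            threshold: int = LONG_COMMAND_LINE) -> bool:
    """Heuristic 3208 in the post: a PowerShell command line long enough to
    suggest an obfuscated or embedded script."""
    return (basename(ev.image) == "powershell.exe"
            and len(ev.command_line) >= threshold)


RULES = {
    "office_spawned_windows_utility": office_spawned_utility,
    "excessively_long_powershell_command": long_powershell_command,
}


def evaluate(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, name)
            for i, ev in enumerate(events)
            for name, rule in RULES.items()
            if rule(ev)]


def detect(log: str) -> list[tuple[int, str]]:
    """Parse a log and evaluate all rules over it."""
    return evaluate(parse_events(log))


# Constructed sample telemetry: two ordinary events and two that match a rule.
OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = "\n".join([
    "ParentImage=" + OFFICE16 + "WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c start /min C:\\Users\\Public\\update.bat",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=" + PS_EXE + "|CommandLine=powershell.exe -NoProfile -Command Get-Service",
    "ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=" + PS_EXE + "|CommandLine=powershell.exe -EncodedCommand " + "QQ" * 800,
    "ParentImage=" + OFFICE16 + "EXCEL.EXE"
    "|Image=" + PS_EXE
    + "|CommandLine=powershell.exe -File C:\\Users\\user\\AppData\\Local\\Temp\\sheet.ps1",
])

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_LOG):
        print(f"event {index}: {rule}")
```

Events 0 and 3 fire the Office rule (WINWORD starting cmd.exe, EXCEL starting powershell.exe); event 2 fires the length rule because its command line is over 1600 characters; the explorer-launched `Get-Service` in event 1 fires nothing. In production the rules would read the parent and image names from the endpoint sensor's own fields, and the length threshold should be tuned against the organisation's baseline of legitimate long PowerShell invocations before alerting on it.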
Maze ransomware detected – (691)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.

Squiblydoo application control bypass attempt detected – (668)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.

Cisco Talos Intelligence Group – Comprehensive Threat Intelligence